I have a typical home network that looks like this:

machine type connection type
------------ --------------
desktop pc 1 wired
desktop pc 2 wireless
laptop wireless
network printer wired

dlink dir 655 router
Time-warner "surfboard" cable modem

I run Fedora 11, fully updated, on all computers.

I have the vnc port blocked at the router so I presumed it was safe to
leave my vnc passwords open on machines on my local network.

[snip]

Well, some stranger vnc'ed into my laptop. I was there when it happened
and the vnc server i'm using (fedora 11) displays the connection's ip
address and it was 119.205.217.141.

[snip]

But if he came in over the WAN port (e.g., over ssh), he would have had
to make a hop via my desktop pc since that's where ssh is NATed to.
Further, the desktop PC's ssh port was non-standard, root access is
disabled, and the main account password is quite long and secure.

Any theories on how my security was breached would be appreciated.

Randy Yates wrote:
I have a typical home network that looks like this:

machine type connection type
------------ --------------
desktop pc 1 wired
desktop pc 2 wireless
laptop wireless
network printer wired

dlink dir 655 router
Time-warner "surfboard" cable modem

I run Fedora 11, fully updated, on all computers.

I have the vnc port blocked at the router so I presumed it was safe to
leave my vnc passwords open on machines on my local network.

[snip]

Well, some stranger vnc'ed into my laptop. I was there when it happened
and the vnc server i'm using (fedora 11) displays the connection's ip
address and it was 119.205.217.141.

[snip]

But if he came in over the WAN port (e.g., over ssh), he would have had
to make a hop via my desktop pc since that's where ssh is NATed to.
Further, the desktop PC's ssh port was non-standard, root access is
disabled, and the main account password is quite long and secure.

Any theories on how my security was breached would be appreciated.

If that connection was from the stated IP address, then it didn't
"bounce" off anything else in your home network, since your laptop and
your router had to be able to route packets back to the intruder.

I'd say the VNC port isn't/wasn't so blocked as you thought.

So maybe it was a multi-stage hack. First he got admin access to your
router. Then he discovered what you had internally and set up his own
forwarding.

Getting access to your router may or may not have been a multi-step
process, as well, involving first compromising whatever you have
directly facing the Internet. If that's only ssh, then that's how he
got in. (You may choose from any of the following options: ssh.)

Alternate ports are pretty worthless against anything but the kiddiest
of scripts. Try telneting to an ssh server sometime. ssh not only
tells your telnet client that it's an ssh server, it self-identifies
what version. ssh has good security, if you set it up, but that
security is not even slightly based on evasion.

One thing I do think is certain is that, unless you set up VNC
forwarding yourself (unlikely by your account), he got into your
router somehow.

If the router is directly accessible from the Internet, maybe it was
one or two steps easier for him. Have you ever scanned yourself?

Then there's always Trojans that you downloaded unwittingly, making
that his first point of entry before hitting your router.

Also, how really sure are you that he was the first and that this was
his only time?

Hi,

I have a typical home network that looks like this:

machine type connection type
------------ --------------
desktop pc 1 wired
desktop pc 2 wireless
laptop wireless
network printer wired

dlink dir 655 router
Time-warner "surfboard" cable modem

I run Fedora 11, fully updated, on all computers.

I have the vnc port blocked at the router so I presumed it was safe to
leave my vnc passwords open on machines on my local network.

Also, due to a wireless network adapter card that's not very
well-suported under Fedora 11, I was forced to run WEP security on my
wireless network. Yeah yeah, I know - that's no security at all.

Well, some stranger vnc'ed into my laptop. I was there when it happened
and the vnc server i'm using (fedora 11) displays the connection's ip
address and it was 119.205.217.141.

If the reported address of the intruder was a typical local, private
network address like 192.168.x.y, I'd just chalk it up to a neighbor
that hacked my network. But 119.205.217.141 is a public IP address
somewhere in Asia. So I'm thinking he must have come in over the WAN
port.

But if he came in over the WAN port (e.g., over ssh), he would have had
to make a hop via my desktop pc since that's where ssh is NATed to.
Further, the desktop PC's ssh port was non-standard, root access is
disabled, and the main account password is quite long and secure.

So I feel it is highly unlikely he came in over the WAN port, but if he
came in over the wireless, I don't see how he could have a public
address in Asia.

Any theories on how my security was breached would be appreciated.

I just did a "self-scan" and got the expected results. How would an
intruder get into my router? Port 80 is open but NATed to my desktop
machine.

and is your vnc server using port 80?

The upnp "feature" allows programs such as skype, to configure a port
on the router, that will be forwarded to the network interface it's
using, without the router's admin password being required. Turning off upnp
means you'll have to manually configure every the router, and the
programs, for every computer on your lan.

I just did a "self-scan" and got the expected results. How would an intruder
get into my router? Port 80 is open but NATed to my desktop machine.
Under linux? Not likely. I can't think of any raw installs I've

On Wed, 12 Aug 2009 04:23:42 -0400, Randy Yates <yates at (no spam) ieee.org> wrote:


I just did a "self-scan" and got the expected results. How would an intruder
get into my router? Port 80 is open but NATed to my desktop machine.
Under linux? Not likely. I can't think of any raw installs I've

See http://www.gnucitizen.org/blog/hacking-the-interwebs/

In your router, change it's ip address (you'll have to restart networking
after updating the address in the config file), admin username and password.
Also, turn off upnp. Doesn't matter what os your using.

Regards, Dave Hodgins

Em Quarta 12 Agosto 2009 04:18, Randy Yates escreveu:

Hi,

I have a typical home network that looks like this:

machine type connection type
------------ --------------
desktop pc 1 wired
desktop pc 2 wireless
laptop wireless
network printer wired

dlink dir 655 router
Time-warner "surfboard" cable modem

I run Fedora 11, fully updated, on all computers.

I have the vnc port blocked at the router so I presumed it was safe to
leave my vnc passwords open on machines on my local network.

Also, due to a wireless network adapter card that's not very
well-suported under Fedora 11, I was forced to run WEP security on my
wireless network. Yeah yeah, I know - that's no security at all.

Well, some stranger vnc'ed into my laptop. I was there when it happened
and the vnc server i'm using (fedora 11) displays the connection's ip
address and it was 119.205.217.141.

If the reported address of the intruder was a typical local, private
network address like 192.168.x.y, I'd just chalk it up to a neighbor
that hacked my network. But 119.205.217.141 is a public IP address
somewhere in Asia. So I'm thinking he must have come in over the WAN
port.

But if he came in over the WAN port (e.g., over ssh), he would have had
to make a hop via my desktop pc since that's where ssh is NATed to.
Further, the desktop PC's ssh port was non-standard, root access is
disabled, and the main account password is quite long and secure.

So I feel it is highly unlikely he came in over the WAN port, but if he
came in over the wireless, I don't see how he could have a public
address in Asia.

Any theories on how my security was breached would be appreciated.

test your firewall with this site

https://www.grc.com/x/ne.dll?bh0bkyd2

ArameFarpado <a-farpado.spam at (no spam) netcabo.pt> writes:

Em Quarta 12 Agosto 2009 04:18, Randy Yates escreveu:

Hi,

I have a typical home network that looks like this:

machine type connection type
------------ --------------
desktop pc 1 wired
desktop pc 2 wireless
laptop wireless
network printer wired

dlink dir 655 router
Time-warner "surfboard" cable modem

I run Fedora 11, fully updated, on all computers.

I have the vnc port blocked at the router so I presumed it was safe to
leave my vnc passwords open on machines on my local network.

Also, due to a wireless network adapter card that's not very
well-suported under Fedora 11, I was forced to run WEP security on my
wireless network. Yeah yeah, I know - that's no security at all.

Well, some stranger vnc'ed into my laptop. I was there when it happened
and the vnc server i'm using (fedora 11) displays the connection's ip
address and it was 119.205.217.141.

If the reported address of the intruder was a typical local, private
network address like 192.168.x.y, I'd just chalk it up to a neighbor
that hacked my network. But 119.205.217.141 is a public IP address
somewhere in Asia. So I'm thinking he must have come in over the WAN
port.

But if he came in over the WAN port (e.g., over ssh), he would have had
to make a hop via my desktop pc since that's where ssh is NATed to.
Further, the desktop PC's ssh port was non-standard, root access is
disabled, and the main account password is quite long and secure.

So I feel it is highly unlikely he came in over the WAN port, but if he
came in over the wireless, I don't see how he could have a public
address in Asia.

Any theories on how my security was breached would be appreciated.

test your firewall with this site

https://www.grc.com/x/ne.dll?bh0bkyd2

Thanks ArameFarpado. Done, and it seems I "passed".

Em Quarta 12 Agosto 2009 17:28, Randy Yates escreveu:

ArameFarpado <a-farpado.spam at (no spam) netcabo.pt> writes:

Em Quarta 12 Agosto 2009 04:18, Randy Yates escreveu:

Hi,

I have a typical home network that looks like this:

machine type connection type
------------ --------------
desktop pc 1 wired
desktop pc 2 wireless
laptop wireless
network printer wired

dlink dir 655 router
Time-warner "surfboard" cable modem

I run Fedora 11, fully updated, on all computers.

I have the vnc port blocked at the router so I presumed it was safe to
leave my vnc passwords open on machines on my local network.

Also, due to a wireless network adapter card that's not very
well-suported under Fedora 11, I was forced to run WEP security on my
wireless network. Yeah yeah, I know - that's no security at all.

Well, some stranger vnc'ed into my laptop. I was there when it happened
and the vnc server i'm using (fedora 11) displays the connection's ip
address and it was 119.205.217.141.

If the reported address of the intruder was a typical local, private
network address like 192.168.x.y, I'd just chalk it up to a neighbor
that hacked my network. But 119.205.217.141 is a public IP address
somewhere in Asia. So I'm thinking he must have come in over the WAN
port.

But if he came in over the WAN port (e.g., over ssh), he would have had
to make a hop via my desktop pc since that's where ssh is NATed to.
Further, the desktop PC's ssh port was non-standard, root access is
disabled, and the main account password is quite long and secure.

So I feel it is highly unlikely he came in over the WAN port, but if he
came in over the wireless, I don't see how he could have a public
address in Asia.

Any theories on how my security was breached would be appreciated.

test your firewall with this site

https://www.grc.com/x/ne.dll?bh0bkyd2

Thanks ArameFarpado. Done, and it seems I "passed".

did you test the port that vnc is using?

On Wed, 12 Aug 2009 14:50:52 -0400, Bit Twister <BitTwister at (no spam) mouse-potato.com> wrote:

Just an fyi, skype will still work for the average user/use
with Universal plug-n-play disabled in the router.

True. That was just one example of a program that can use upnp.

The scariest part of the attack scenario, is that everything is
working as designed. There is no software bug involved (except
in those routers where the attack can force it to be reset to
the factory defaults). It's a protocol design problem that
affects most routers.

passwords. By "change it's ip address" do you mean the address seen on
the WAN side? No, I'm not willing to do that YET as I have a domain

Allen Kistler writes:

[snip]


I just did a "self-scan" and got the expected results. How would an intruder
get into my router? Port 80 is open but NATed to my desktop machine.

Then there's always Trojans that you downloaded unwittingly, making
that his first point of entry before hitting your router.

Under linux? Not likely. I can't think of any raw installs I've
done (download and unzip, ./configure, make, make install) - the
rest are from repositories that are trusted.

Also, how really sure are you that he was the first and that this was
his only time?

Not at all. But so what? The theory questions on how he's doing it
are going to be the same, no?

ArameFarpado <a-farpado.spam at (no spam) netcabo.pt> writes:

Em Quarta 12 Agosto 2009 17:28, Randy Yates escreveu:

ArameFarpado <a-farpado.spam at (no spam) netcabo.pt> writes:

Em Quarta 12 Agosto 2009 04:18, Randy Yates escreveu:

Hi,

I have a typical home network that looks like this:

machine type connection type
------------ --------------
desktop pc 1 wired
desktop pc 2 wireless
laptop wireless
network printer wired

dlink dir 655 router
Time-warner "surfboard" cable modem

I run Fedora 11, fully updated, on all computers.

I have the vnc port blocked at the router so I presumed it was safe to
leave my vnc passwords open on machines on my local network.

Also, due to a wireless network adapter card that's not very
well-suported under Fedora 11, I was forced to run WEP security on my
wireless network. Yeah yeah, I know - that's no security at all.

Well, some stranger vnc'ed into my laptop. I was there when it happened
and the vnc server i'm using (fedora 11) displays the connection's ip
address and it was 119.205.217.141.

If the reported address of the intruder was a typical local, private
network address like 192.168.x.y, I'd just chalk it up to a neighbor
that hacked my network. But 119.205.217.141 is a public IP address
somewhere in Asia. So I'm thinking he must have come in over the WAN
port.

But if he came in over the WAN port (e.g., over ssh), he would have had
to make a hop via my desktop pc since that's where ssh is NATed to.
Further, the desktop PC's ssh port was non-standard, root access is
disabled, and the main account password is quite long and secure.

So I feel it is highly unlikely he came in over the WAN port, but if he
came in over the wireless, I don't see how he could have a public
address in Asia.

Any theories on how my security was breached would be appreciated.

test your firewall with this site

https://www.grc.com/x/ne.dll?bh0bkyd2

Thanks ArameFarpado. Done, and it seems I "passed".

did you test the port that vnc is using?

I tested all ports from 0 to 1023. The only ones open are the ones
I want to be open, namely, http (80) and svn (3690).