(Cliffs Below)
Well I'll start off by saying that I really wish I had heard about this earlier ( http://www.intelliadmin.com/blog/2006/05/security-flaw-in-realvnc-411.html ), as I was unlucky enough to be running that particular version of VNC on one of my boxes, which is primarily used by my parents. The only system I was running with that version of VNC also just happened to be the one I had port forwarding set up on!
I hopped on the system today, after getting complaints of there being new icons in every window. Turned out there were 2 little icons, next to the close/minimize/maximize icons, in every window. I hovered over it and it said "minimize to tray", thinking hrmm, how did that get there? I maximized the system tray, to reveal both the application responsible for those icons, along with another black/red icon.
Upon clicking on the new mysterious window, a black box came up, with tons of green text running. I know I caught something about an Apache webserver running in the box, along with other text, however I x'ed it out of surprise and closed the program. I still have no idea what it was, perhaps some application using my system as a node to attack others? The filename was just a 3 letter executable, and Google only returned 4 hits, all unreadable Asian text.
So now fast forward a few hours of troubleshooting, what could have possibly happened, did a family member install these things by accident? I found in my Firefox history that these executables had been downloaded from URLs, and saved right into my downloads folder. But there was no other net activity during this time period; I even ended up running a script to parse the history file into a readable XML format, to check the exact timestamps. By this point it was clear to me that someone hadn't downloaded it by accident while surfing the web.
I found my way to the Event Viewer window, and was able to see the exact times and IPs which had been connecting to my VNC server. There were several random IPs, which resolved back to domains in Australia and Amsterdam, and had the word dynamic in the names. Seems this guy was covering his tracks. The times that these random IPs connected and disconnected from my VNC server matched up perfectly with the times that these executables were downloaded from the net onto my machine.
There was also a third app called passwordsomething.zip, that Firefox said it had downloaded, but I could find no trace of it. I even ran a utility to search for file names that had been deleted from the recycle bin, nothing to be found. I was able to do some research on that file however, and it appears that while its general usage is for good, it could be used to steal saved passwords as well.
So this is where I stand now. I pulled the system off the network as soon as I detected this disaster of an attack. Unfortunately my parents had done banking, and bought items with their credit card in the past 2 days. And to make matters worse, it's totally possible people could have been logged into my system before that, and just hadn't made themselves so visible. They're notifying the bank and credit card company of the situation, in case that was one of the hacker's agendas (although it's tough to call the guy a hacker, it required editing 1 line of code in the viewing application).
My plans are as follows:
- Back up all data to the second partition on the drive, and format the partition containing Windows and programs. I feel I have no other choice, as I'm not sure how much this guy even did, and AV hasn't been of any use.
- Install DD-WRT on my router. From now on I plan to create an SSH connection, and tunnel any of my VNC work through that. Along with anything else I feel may be at risk.
My questions to you guys:
- How likely is it that something the hacker did, could stay hidden on my Data partition, and then re-harm the newly formatted OS?
- Could a worm have been installed, which could easily be spread through my network and harm the other systems? I've got about 5 systems hooked up behind my router, only running Windows Firewall. The Spyware/AV scans check out fine on the other computers, as did they on the attacked one.
- Does setting up a tunnel with SSH seem like a reasonable and secure way to go about doing this in the future? I have SSH running on my Linux box already, but I figure the router is less likely to go down, or not be rebooted after a power outage when I'm away from home.
- Any other suggestions or advice on this whole situation? I keep all my systems running in pristine condition 24/7, it's hard to believe the one got attacked so badly out of the blue. Guess that's what I get for using port forwarding and having the 1 subversion of VNC that was vulnerable to the exploit.
Cliffs
- Several apps installed on my system
- One app found to be running an apache server, doing god only knows what
- Another app may have been stealing saved passwords
- No traceable IP addresses
- No choice but to wipe the system clean, and hope banking records stay safe
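The evidence in the post came from lining up Event Viewer's VNC connection times against the Firefox download timestamps by hand. As an added example (not code from the original post), the script below does that correlation mechanically: it pairs CONNECT/DISCONNECT events into sessions, flags every download that landed while a client from outside the LAN was connected, and lists remote clients whose reverse-DNS name looks dynamic. The event-line format, the addresses, the hostnames and the download records are all constructed for this example; real RealVNC/Event Viewer entries and Firefox history exports look different and would need their own parser.

```python
"""Correlate VNC server connection windows with browser download timestamps.

Added example, not code from the original post. The VNC event lines, the
reverse-DNS names and the download records below are constructed samples in
an invented one-line format; real RealVNC/Event Viewer entries and Firefox
history exports look different and would need their own parser.
"""
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Constructed sample: one line per connect/disconnect, with the remote address
# and (for connects) the reverse-DNS name that a lookup returned.
VNC_EVENTS = """\
2006-07-14 02:11:03 CONNECT 203.0.113.45 (dyn-45.isp.example.au)
2006-07-14 02:19:40 DISCONNECT 203.0.113.45
2006-07-14 09:30:12 CONNECT 192.168.1.20 (laptop.lan)
2006-07-14 09:35:00 DISCONNECT 192.168.1.20
2006-07-14 23:02:55 CONNECT 198.51.100.9 (dynamic-9.isp.example.nl)
2006-07-14 23:10:31 DISCONNECT 198.51.100.9
"""

# Constructed sample of download records pulled from browser history:
# (timestamp, URL). Hostnames use the reserved .invalid TLD.
DOWNLOADS = [
    ("2006-07-14 02:14:10", "http://files.invalid/abc.exe"),
    ("2006-07-14 02:17:55", "http://files.invalid/tool.zip"),
    ("2006-07-14 09:33:20", "http://vendor.invalid/driver.exe"),
    ("2006-07-14 15:40:00", "http://vendor.invalid/patch.exe"),
]

# Address ranges treated as "own LAN"; anything else counts as a remote client.
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

TS_FORMAT = "%Y-%m-%d %H:%M:%S"
EVENT_RE = re.compile(r"^(\S+ \S+) (CONNECT|DISCONNECT) (\S+)(?: \((\S+)\))?$")


@dataclass
class Session:
    ip: str
    host: str
    start: datetime
    end: Optional[datetime] = None   # None = no DISCONNECT seen (still open)


def parse_sessions(log_text: str) -> List[Session]:
    """Pair CONNECT/DISCONNECT lines per IP into Session objects, oldest first."""
    open_sessions = {}
    sessions = []
    for line in log_text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue                      # ignore lines in an unknown format
        ts = datetime.strptime(m.group(1), TS_FORMAT)
        kind, ip, host = m.group(2), m.group(3), m.group(4) or ""
        if kind == "CONNECT":
            open_sessions[ip] = Session(ip, host, ts)
        elif ip in open_sessions:
            s = open_sessions.pop(ip)
            s.end = ts
            sessions.append(s)
    sessions.extend(open_sessions.values())   # connects without a disconnect
    return sorted(sessions, key=lambda s: s.start)


def is_remote(ip: str) -> bool:
    """True if the address lies outside the configured LAN ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in LOCAL_NETWORKS)


def active_sessions(sessions: List[Session], ts: datetime) -> List[Session]:
    """Sessions that were open at the given instant (open-ended ones included)."""
    return [s for s in sessions if s.start <= ts and (s.end is None or ts <= s.end)]


def suspicious_downloads(sessions: List[Session], downloads) -> List[Tuple[str, str, List[str]]]:
    """Downloads that landed while a remote VNC client was connected.

    Returns (timestamp, url, [remote IPs]) for each such download."""
    flagged = []
    for ts_str, url in downloads:
        ts = datetime.strptime(ts_str, TS_FORMAT)
        remote = [s.ip for s in active_sessions(sessions, ts) if is_remote(s.ip)]
        if remote:
            flagged.append((ts_str, url, remote))
    return flagged


def dynamic_clients(sessions: List[Session]) -> List[str]:
    """Remote IPs whose reverse-DNS name suggests a dynamic/consumer address."""
    return sorted({s.ip for s in sessions
                   if is_remote(s.ip) and re.search(r"dyn", s.host, re.IGNORECASE)})


if __name__ == "__main__":
    sess = parse_sessions(VNC_EVENTS)
    for ts, url, ips in suspicious_downloads(sess, DOWNLOADS):
        print(f"{ts}  {url}  while {', '.join(ips)} was connected")
    print("dynamic-looking clients:", dynamic_clients(sess))
```

With the sample data, only the two downloads inside the 02:11-02:19 session from 203.0.113.45 are flagged; the 09:33 download during the LAN session and the 15:40 download with no session open are not. Reverse-DNS names containing "dyn" are only a hint about the client, not proof of anything, which is why the script reports them separately rather than folding them into the download verdict.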