I just got hacked...a lesson to remember

[Arsenic]

          So, I come home after work, and I boot up all my computers.  I'm gonna be out of town this weekend and I wanted to install NSTX on my server/test box.  I  vnc into it  and go to put some food in the oven...come back less than a minute later..and a command prompt is open.  I look at my room mate like "WTF? did you do this?"  I look closer.... don't remember the command exactly, but it was downloading a file "RPCALL.exe" from some FTP through the cmd prompt.  Unfamiliar with it I watch, and wonder..."is this something I have installed doing something?" ....Nope, the courser starts moving and they exit the command prompt.  And now...I knew what was happening.  "No fucking way" I think to myself as I shut the computer down. Run and flip the power off on it. Then I  Securely log into my router close ports, disable remote management, and change passwords... Fucking shit man....

        So I know exactly why this all happened....and it's completely my fault and I knew it was possible...I just cut corners.  Some corners were cut due to lazyness, some due to lack of knowing how to do it right, and others were circumstantial. 

          My server is just a box of collected parts, I used to have a monitor, but then I moved...I used a friends monitor to install remote management software on it...originally RAdmin, then vnc, and then I toyed with Remote desktop just to see how it was.  At first, everything was just done locally, and my room-mate at the time was an idiot and I wasn't worried about him sniffing my packets.  So, I didn't use secure passwords, I didn't use any secure protocols like SSL or SSH, and I didn't even have a firewall.  That one was circumstantial, everytime you install a firewall remotely, it's starts off by closing everything....including your remote session.  So, no firewall, no monitor.  Then I decided I wanted to start learning how to setup a webserver....so I get appache, mysql, and php going....I get a dyndns domain, port forward and wow...this is cool.  Then I started and FTP....port forwared again, more cool.  Then I port forwarded vnc....and...again, simple passwords, and no secure tunneling.  I'm pretty sure I had patched up...but this computer has been in a closet for a month or two...

          Anyway, I broke all the cardinal rules.  and got my ass kicked, right in front of my eyes...I mostly regret, the simple passwords, and not learning how to tunnel everything in from the outside.  Then I probably would have been ok.  oh well.

I have my router logs and can probably deduce whom the IP belonged to.  Don't think I much care though.

:???:

Are cmd prompts logged anywhere?

EDIT:    Should I even try to report, or attempt to contact this guy?  Or I just cut my losses, take everything offline, scan/clean them, and change all of my passwords?

[SomeoneE1se]

what you have now is a honey pot that you know he'll step into again so you can format that computer completely and change EVERY password you EVER used and be done with it.  Or you can do something else because you know he'll connect again.  But remember as long as that computer is powered you have to think of it as him being on your network, and he most likely has rooted every other computer on the lan.

[operat0r_001]

prob owned yer VNC if you had it open. people don't go around owning boxes and then VNCing into them to see what sexy anime you have as the desktop wallpaper ... prob a friend or just some skidde running VNC scans

use ulravnc with crypt or even better use sshd/whitelist

man funny I saw this post I spent ALL DAY at work trying to get NSTX to work ... so PM me if you get it to work the idea I had was to get a VMware image with it all setup and automated so I could give it to my dad or something ..

I am using freebsd so not sure if i got the forwarding right and also it's VMware so not sure it I can even do it with that...  I know its not getting blocked or anything I can't even get the client side to do anything to the server side. ( tshark -f "not tcp" ) good for trouble shooting..

anyway let me know if you get it to work. I need to be spoon fed because my brain is fried !

here is my script so far ..

SERVER
=------------
killall nstxd
ifconfig tun0 destroy
ifconfig tun1 destroy
ifconfig tun2 destroy
/etc/rc.d/routing start

ifconfig tun0 create;sleep 2

ifconfig tun0 10.0.0.1 255.255.255.0 mtu 1500;sleep 2
ifconfig tun0 10.0.0.1 255.255.255.0;sleep 2

ifconfig tun0 up;sleep 2


/usr/local/sbin/nstxd -g www.rmccurdy.com





CLIENT 
----------


ifconfig tun0 destroy
ifconfig tun1 destroy
ifconfig tun2 destroy

nstxcd www.rmccurdy.com 66.194.149.138 &;sleep 2


/etc/rc.d/routing start
ifconfig tun0 create;sleep 2
ifconfig tun0 10.0.0.2 255.255.255.0 mtu 1500;sleep 2
ifconfig tun0 10.0.0.2 255.255.255.0;sleep 2
ifconfig tun0 up;sleep 2



route delete default;sleep 2
route add -host 66.194.149.138 192.168.1.1;sleep 2
# needs to be tun0
route add default 10.0.0.1;sleep 2

[Razor512]

i recommend using these passwords next time

https://www.grc.com/passwords.htm

they have proven to stop any brute force

there is a chance your other pcs on your  network are safe if they were not running any of the extra stuff that could be exploited

use a auto generated password from grc for my wifi and for my logmein which i use to control my server 

[nicatronTg]

i recommend using these passwords next time

https://www.grc.com/passwords.htm

they have proven to stop any brute force

there is a chance your other pcs on your  network are safe if they were not running any of the extra stuff that could be exploited

use a auto generated password from grc for my wifi and for my logmein which i use to control my server 

VNC only allows 8 character passwords... 64 is a little to long to be truncated...

[Razor512]

could use 8 of the random ascii characters

most brute force attacks don't go through the ascii characters  because that makes it take much longer  and  very few people use them  in passwords

if your using a much longer ascii password then just copy and paste it into a text file and save it to a usb flash drive and encrypt it using truecrypt the only way for the jerk who got in the first time to do it again will be for them to find you and force you to give them the password

just be sure to reformat that pc first  just to be safe as theres no telling what other crap they did

[Sparda]

Setting a hard to guess password on a exposed VNC service is the wrong way about securing VNC. What is needed is a VPN.

[nicatronTg]

Setting a hard to guess password on a exposed VNC service is the wrong way about securing VNC. What is needed is a VPN.

...Or a strong router password / WPA-PSK2

[VaKo]

Setting a hard to guess password on a exposed VNC service is the wrong way about securing VNC. What is needed is a VPN.

...Or a strong router password / WPA-PSK2

Which will do fuck all to secure any public facing services... The only answer for things like this is a VPN.

[SomeoneE1se]

Setting a hard to guess password on a exposed VNC service is the wrong way about securing VNC. What is needed is a VPN.

...Or a strong router password / WPA-PSK2

wait, what?

Setting a hard to guess password on a exposed VNC service is the wrong way about securing VNC. What is needed is a VPN.

...Or a strong router password / WPA-PSK2

Which will do fuck all to secure any public facing services... The only answer for things like this is a VPN.

anything secure and encrypted that you can tunnel over would work

[nicatronTg]

Setting a hard to guess password on a exposed VNC service is the wrong way about securing VNC. What is needed is a VPN.

...Or a strong router password / WPA-PSK2

wait, what?

Setting a hard to guess password on a exposed VNC service is the wrong way about securing VNC. What is needed is a VPN.

...Or a strong router password / WPA-PSK2

Which will do fuck all to secure any public facing services... The only answer for things like this is a VPN.

anything secure and encrypted that you can tunnel over would work

Sorry, I was under the assumption that they were on wireless....... But a VPN is good.....

[VaKo]

Well technically wireless should be in front of your 2nd firewall...

[nicatronTg]

Well technically wireless should be in front of your 2nd firewall...

[/quote

Yes.. It should

[pepijntje]

Having to write down every pass u took from https://www.grc.com/passwords.htm

Will take a crap load of time..... U could use a pass storage file use a pass from https://www.grc.com/passwords.htm

And write down the master pass on  a piece of paper and NEVER LOSE IT!

Just an idea :O

[moonlit]

And write down the master pass on  a piece of paper and NEVER LOSE IT!

That would render the entire exercise pointless...