Arsenic Posted March 1, 2008
So, I come home after work, and I boot up all my computers. I'm gonna be out of town this weekend and I wanted to install NSTX on my server/test box. I VNC into it and go to put some food in the oven...come back less than a minute later..and a command prompt is open. I look at my roommate like "WTF? did you do this?" I look closer.... don't remember the command exactly, but it was downloading a file "RPCALL.exe" from some FTP through the cmd prompt. Unfamiliar with it I watch, and wonder..."is this something I have installed doing something?" ....Nope, the cursor starts moving and they exit the command prompt. And now...I knew what was happening. "No fucking way" I think to myself as I shut the computer down. Run and flip the power off on it. Then I securely log into my router, close ports, disable remote management, and change passwords... Fucking shit man....

So I know exactly why this all happened....and it's completely my fault and I knew it was possible...I just cut corners. Some corners were cut due to laziness, some due to lack of knowing how to do it right, and others were circumstantial. My server is just a box of collected parts. I used to have a monitor, but then I moved...I used a friend's monitor to install remote management software on it...originally RAdmin, then VNC, and then I toyed with Remote Desktop just to see how it was. At first, everything was just done locally, and my roommate at the time was an idiot and I wasn't worried about him sniffing my packets. So, I didn't use secure passwords, I didn't use any secure protocols like SSL or SSH, and I didn't even have a firewall. That one was circumstantial: every time you install a firewall remotely, it starts off by closing everything....including your remote session. So, no firewall, no monitor.

Then I decided I wanted to start learning how to set up a webserver....so I get Apache, MySQL, and PHP going....I get a DynDNS domain, port forward and wow...this is cool. Then I started an FTP....port forwarded again, more cool. Then I port forwarded VNC....and...again, simple passwords, and no secure tunneling. I'm pretty sure I had patched up...but this computer has been in a closet for a month or two... Anyway, I broke all the cardinal rules and got my ass kicked, right in front of my eyes...I mostly regret the simple passwords, and not learning how to tunnel everything in from the outside. Then I probably would have been ok. oh well. I have my router logs and can probably deduce who the IP belonged to. Don't think I much care though. :???: Are cmd prompts logged anywhere?

EDIT: Should I even try to report, or attempt to contact this guy? Or do I just cut my losses, take everything offline, scan/clean them, and change all of my passwords?
SomeoneE1se Posted March 1, 2008
What you have now is a honeypot that you know he'll step into again, so you can format that computer completely and change EVERY password you EVER used and be done with it. Or you can do something else because you know he'll connect again. But remember, as long as that computer is powered you have to think of it as him being on your network, and he most likely has rooted every other computer on the LAN.
operat0r_001 Posted March 1, 2008
prob owned yer VNC if you had it open. people don't go around owning boxes and then VNCing into them to see what sexy anime you have as the desktop wallpaper ... prob a friend or just some skiddie running VNC scans. use UltraVNC with crypt or even better use sshd/whitelist man.

funny I saw this post, I spent ALL DAY at work trying to get NSTX to work ... so PM me if you get it to work. the idea I had was to get a VMware image with it all set up and automated so I could give it to my dad or something .. I am using FreeBSD so not sure if I got the forwarding right and also it's VMware so not sure if I can even do it with that... I know it's not getting blocked or anything, I can't even get the client side to do anything to the server side. ( tshark -f "not tcp" ) good for troubleshooting.. anyway let me know if you get it to work. I need to be spoon fed because my brain is fried !

here is my script so far ..

SERVER
------------
#!/bin/sh
# tear down any old daemon and tunnel interfaces
killall nstxd
ifconfig tun0 destroy
ifconfig tun1 destroy
ifconfig tun2 destroy
/etc/rc.d/routing start
# FreeBSD tun is point-to-point: the second positional address is the peer,
# not a netmask, so give local and peer addresses explicitly
ifconfig tun0 create; sleep 2
ifconfig tun0 inet 10.0.0.1 10.0.0.2 netmask 255.255.255.0 mtu 1500; sleep 2
ifconfig tun0 up; sleep 2
/usr/local/sbin/nstxd -g www.rmccurdy.com

CLIENT
----------
#!/bin/sh
ifconfig tun0 destroy
ifconfig tun1 destroy
ifconfig tun2 destroy
# background the client ("&;" is a shell syntax error, so "&" then sleep)
nstxcd www.rmccurdy.com 66.194.149.138 &
sleep 2
/etc/rc.d/routing start
ifconfig tun0 create; sleep 2
ifconfig tun0 inet 10.0.0.2 10.0.0.1 netmask 255.255.255.0 mtu 1500; sleep 2
ifconfig tun0 up; sleep 2
route delete default; sleep 2
# keep the DNS server reachable through the real LAN gateway
route add -host 66.194.149.138 192.168.1.1; sleep 2 # needs to be tun0
# everything else goes through the tunnel
route add default 10.0.0.1; sleep 2
Razor512 Posted March 1, 2008
I recommend using these passwords next time: https://www.grc.com/passwords.htm. They have proven to stop any brute force. There is a chance your other PCs on your network are safe if they were not running any of the extra stuff that could be exploited. I use an auto-generated password from GRC for my wifi and for my LogMeIn, which I use to control my server.
nicatronTg Posted March 1, 2008
> I recommend using these passwords next time: https://www.grc.com/passwords.htm. They have proven to stop any brute force. There is a chance your other PCs on your network are safe if they were not running any of the extra stuff that could be exploited. I use an auto-generated password from GRC for my wifi and for my LogMeIn, which I use to control my server.
VNC only allows 8 character passwords... 64 is a little too long to be truncated...
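An added example, not from this thread, of why the 8-character limit matters: classic RFB "VNC Authentication" turns the password into a DES key by truncating or NUL-padding it to 8 bytes and mirroring the bits of each byte, so a 64-character generated password is only as strong as its first 8 characters. Only the key derivation is modelled here (the DES challenge-response step is omitted); the sample passwords are constructed.

```python
# Added example: model VNC's password -> DES key derivation to show that
# only the first 8 bytes of a password ever matter.

def mirror_bits(byte: int) -> int:
    """Reverse the bit order of one byte (the RFB DES key quirk)."""
    return int(f"{byte:08b}"[::-1], 2)


def vnc_des_key(password: str) -> bytes:
    """Derive the 8-byte DES key the way RFB VNC auth does:
    truncate to 8 bytes, pad with NUL, mirror the bits of each byte."""
    raw = password.encode("latin-1")[:8].ljust(8, b"\x00")
    return bytes(mirror_bits(b) for b in raw)


def same_effective_password(a: str, b: str) -> bool:
    """True when two passwords produce the same key, i.e. either one
    authenticates to a server configured with the other."""
    return vnc_des_key(a) == vnc_des_key(b)


def effective_key_bits(password: str) -> int:
    """Upper bound on key entropy: at most 8 bytes survive truncation, and
    DES ignores one bit per key byte, so 7 usable bits per surviving byte."""
    used = min(len(password.encode("latin-1")), 8)
    return 7 * used


if __name__ == "__main__":
    # Constructed 64-char "generated" password: 8 real chars plus filler.
    long_pw = "k9F!x2Qa" + "z" * 56
    print("64-char pw equals its first 8 chars:",
          same_effective_password(long_pw, "k9F!x2Qa"))
    print("max key bits for a 64-char pw:", effective_key_bits(long_pw))
```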
Razor512 Posted March 1, 2008
Could use 8 of the random ASCII characters. Most brute force attacks don't go through the ASCII characters because that makes it take much longer and very few people use them in passwords. If you're using a much longer ASCII password then just copy and paste it into a text file, save it to a USB flash drive and encrypt it using TrueCrypt. The only way for the jerk who got in the first time to do it again will be for them to find you and force you to give them the password. Just be sure to reformat that PC first just to be safe, as there's no telling what other crap they did.
Sparda Posted March 1, 2008
Setting a hard to guess password on an exposed VNC service is the wrong way about securing VNC. What is needed is a VPN.
nicatronTg Posted March 1, 2008
> Setting a hard to guess password on an exposed VNC service is the wrong way about securing VNC. What is needed is a VPN.
...Or a strong router password / WPA2-PSK
VaKo Posted March 2, 2008
> Setting a hard to guess password on an exposed VNC service is the wrong way about securing VNC. What is needed is a VPN.
> ...Or a strong router password / WPA2-PSK
Which will do fuck all to secure any public facing services... The only answer for things like this is a VPN.
SomeoneE1se Posted March 2, 2008
> Setting a hard to guess password on an exposed VNC service is the wrong way about securing VNC. What is needed is a VPN.
> ...Or a strong router password / WPA2-PSK
wait, what?
> Setting a hard to guess password on an exposed VNC service is the wrong way about securing VNC. What is needed is a VPN.
> ...Or a strong router password / WPA2-PSK
> Which will do fuck all to secure any public facing services... The only answer for things like this is a VPN.
anything secure and encrypted that you can tunnel over would work
nicatronTg Posted March 2, 2008
> > Setting a hard to guess password on an exposed VNC service is the wrong way about securing VNC. What is needed is a VPN.
> > ...Or a strong router password / WPA2-PSK
> wait, what?
> > Which will do fuck all to secure any public facing services... The only answer for things like this is a VPN.
> anything secure and encrypted that you can tunnel over would work
Sorry, I was under the assumption that they were on wireless....... But a VPN is good.....
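The thread's conclusion is that the remote-access services themselves should not be reachable from the internet, only through a VPN or an encrypted tunnel. As an added example (not from any poster), this check parses constructed `netstat -an` output in Windows format and flags the services named in the thread (VNC, FTP, RDP, MySQL) that listen on all interfaces instead of loopback only; the port-to-service mapping uses the well-known defaults.

```python
# Added example: flag remote-access services bound to every interface.
# Input is constructed `netstat -an` output (Windows column layout).
import re

# Services discussed in the thread, keyed by their default TCP ports.
REMOTE_ACCESS_PORTS = {5900: "VNC", 21: "FTP", 3389: "RDP", 3306: "MySQL"}

# Constructed sample; the ESTABLISHED line and the header must be ignored.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:3306         0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:5900       203.0.113.7:51234      ESTABLISHED
"""

LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$")
WILDCARDS = {"0.0.0.0", "::", "[::]"}


def parse_listeners(netstat_output: str) -> list[tuple[str, int]]:
    """Return (bind_address, port) for every TCP LISTENING line."""
    found = []
    for line in netstat_output.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            found.append((m.group(1), int(m.group(2))))
    return found


def exposed_services(netstat_output: str) -> dict[str, str]:
    """Map service name -> bind address for remote-access services that are
    reachable from any interface rather than loopback only."""
    exposed = {}
    for addr, port in parse_listeners(netstat_output):
        name = REMOTE_ACCESS_PORTS.get(port)
        if name and (addr in WILDCARDS or not addr.startswith("127.")):
            exposed[name] = addr
    return exposed


if __name__ == "__main__":
    for svc, addr in exposed_services(SAMPLE_NETSTAT).items():
        print(f"{svc} listens on {addr}: bind it to 127.0.0.1 and tunnel in")
```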
VaKo Posted March 2, 2008
Well, technically wireless should be in front of your 2nd firewall...
nicatronTg Posted March 2, 2008
> Well, technically wireless should be in front of your 2nd firewall...
Yes.. It should
pepijntje Posted March 18, 2008
Having to write down every pass you took from https://www.grc.com/passwords.htm will take a crap load of time..... You could use a pass storage file, use a pass from https://www.grc.com/passwords.htm and write down the master pass on a piece of paper and NEVER LOSE IT! Just an idea :O
moonlit Posted March 18, 2008
> And write down the master pass on a piece of paper and NEVER LOSE IT!
That would render the entire exercise pointless...