LinuxQuestions.org > Forums > Linux Forums > Linux - Security
11-20-2007, 03:02 PM   #1
drokmed (Member, Registered: Dec 2005, Location: St Petersburg, FL, USA, Posts: 220)
I think my realvnc 3.3 just got hacked


I still can't imagine it's true, but this just doesn't make sense.

We have a linux firewall (shorewall) that forwards a few ports to a few machines. Port 5902 is forwarded to a windows server in my office. The IP address is not listed via dns, web, etc. Static IP. The realvnc password was okay strength, not strong or weak. Didn't figure anyone would ever find it.

Only the owner and a manager know of its existence and the password. The manager is in the office next to me, and it wasn't him. The owner is in Hawaii on his honeymoon. He hasn't yet returned my call, although he never would have done this.

This is the part that doesn't make any sense:

Whoever it was, they installed Skype on the machine (so I could hear them talk in islamic), and were on an islamic romance website, in a chat room.

I was sitting at my desk, when I heard a strange voice. I turned around, and heard islamic chatter coming out of the server. I woke up the monitor, and sure enough, someone was remote connected via realvnc to it, and they were chatting away.

I grabbed the mouse control, opened notepad and said "Who is that?"

They stopped. Didn't respond.

I said "answer now or lose connection".

Again nothing.

I closed the connection, removed realvnc from that machine, went to the firewall and removed all port forwarding, closed all holes (drop ping/ssh/webmin etc).

This doesn't make any sense.

If it really was a hacker, why would they install Skype on a remote machine? That is so stupid. Maybe they wanted me to discover them?

And do a chat room on a remote computer? That doesn't make sense either.

Now that it's after the fact, I'm wondering if realvnc on windows has any logs, checking that next. I uninstalled Skype, checked running processes, and scanning for viruses, so far looks ok.

I checked the logs on the firewall, and I had it set to not log any of the port forwarded sessions. DOH!!! Damnit. I'll fix that before forwarding again.

I'm wondering if realvnc has security holes I'm not aware of, and I should get rid of it??? I love it, I use it on my laptop whenever I'm away from the office to check on servers. Maybe I shouldn't be so cheap and, instead of using the free version, pony up and get the professional one.

This is the first time I've ever suspected I've been hacked.

Any thoughts?
 
11-20-2007, 03:40 PM   #2
drokmed (Original Poster)
UPDATE:

Found a virus! DAMN!

Used www.bitdefender.com to search it.

Found Generic.Sdbot, which is a backdoor worm: it allows remote control via connections to hard-coded IRC servers, and allows commands to be sent to it.

Not sure if this is related. Nobody uses the server as a workstation.
 
11-20-2007, 04:48 PM   #3
unSpawn (Moderator, Registered: May 2001, Posts: 29,415)
Unfortunately the system that was infected was an unpatched (since 2005) Windows system. You referred to Bitdefender, so you may see http://www.bitdefender.com/VIRUS-100...SDBot.Gen.html for details; I check http://www.cisco.com/web/about/secur...otob_worm.html. But this forum is called the "LQ Linux Security" forum for some reason, so there isn't much we can help you with in terms of ClippyOS incident response.
 
11-20-2007, 04:57 PM   #4
drokmed (Original Poster)
Thanks for those links. I thought all my machines had the latest patches; will take care of that!

True enough, the machine that was hacked was Windows. I run vnc on my linux boxes too; looking for a vnc replacement, or a better way. I guess it's time to implement a VPN for the windows boxes, and vnc thru ssl for the linux boxes.

I'm not as worried about the worm; not even sure that's related, probably though.

Still, it's kinda weird they put Skype on it; that one baffles me, totally strange.
 
11-20-2007, 05:06 PM   #5
unSpawn (Moderator)
Quote: Originally Posted by drokmed
Still, it's kinda weird they put Skype on it; that one baffles me, totally strange.
Yeah, should this aptly reflect their skills? ;-p
 
11-21-2007, 03:00 AM   #6
ledow (Member, Registered: Apr 2005, Location: UK, Distribution: Slackware 13.0, Posts: 241)
Most importantly, you should understand how VNC works.

First, most VNC sessions are unencrypted; check your encryption settings. UltraVNC can do "real" encryption, but mostly VNC is just plaintext and intended to be tunnelled over other, more secure transports (e.g. SSH). I don't know about RealVNC, but the advice for ANY VNC is to tunnel it rather than use it "plain".

That means that your "okay" password is probably transmitted in plaintext over the network, so anyone between you and the server when you log in remotely can read it. Say your boss is in a foreign country and uses a foreign ISP, hotel or cybercafe to log into the VNC server: anyone in control of a computer along the way can read the password very, very simply. And if any of those machines have a virus, it will almost certainly try to read such things as plaintext VNC passwords.

Do things like run Ethereal (now called Wireshark) while logging into VNC; you might see your plaintext password whizz past in a packet. I know that I've done this to several people who have been shocked that it was so easy. Not only can you see the password, but you can also "view" the screen being transmitted without having to authenticate, and can even modify the stream to effectively control the VNC session itself.

Thinking it through, this could mean that the virus could even have entered over VNC itself, or by the malicious user who logged in, etc. This may not have been the case today, but tomorrow it could be if you're not careful.

VNC is NOT a secure login. It certainly shouldn't be used on a server without tunnelling of some kind, and if it isn't tunnelled, it certainly shouldn't be open to the Internet. I use a VNC myself for remote admin of Windows servers, and it's just plain stupid not to encrypt the stream. I work in a school, which is a bit more of a "hostile" environment (kids will quite happily run things like Wireshark and have a look around), and wouldn't dream of leaving it unencrypted.

For what it's worth, better versions of VNC not only encrypt but also authenticate against AD servers, while remaining completely backward compatible. UltraVNC comes to mind, as that is what I use; even then I tunnel the stream as well.
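Ledow's advice above (never leave a VNC display port open to the Internet; carry the plaintext session over SSH instead), as an added example that is not part of the thread and not RealVNC or UltraVNC code: a POSIX shell script with two functions. `exposed_vnc_listeners` audits `ss -ltn` style output for VNC display ports (5900-5999) bound to a wildcard address rather than loopback, and `ssh_tunnel_command` prints the client-side `ssh -L` invocation that forwards display N through an SSH gateway. The sample listener table, the user name `admin`, the gateway `gw.example.net` and the server address `192.0.2.10` are constructed assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): detect VNC listeners exposed on all
# interfaces, and build the SSH tunnel command that should replace them.

# Constructed sample in the shape of `ss -ltn` output; not captured from any
# real host. Port 5902 is the one the thread's firewall forwarded.
SAMPLE_LISTENERS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22           0.0.0.0:*
LISTEN 0      5      0.0.0.0:5902         0.0.0.0:*
LISTEN 0      5      127.0.0.1:5901       0.0.0.0:*
LISTEN 0      128    [::]:80              [::]:*'

# exposed_vnc_listeners TABLE
#   Prints "addr:port" for every LISTEN row whose port is a VNC display port
#   (5900-5999) and whose address is a wildcard (0.0.0.0, [::] or *).
#   Loopback-bound displays (127.0.0.1) are the desired state and are not
#   reported. Handles both old (*:5900) and new (0.0.0.0:5900) ss formats.
exposed_vnc_listeners() {
    printf '%s\n' "$1" | awk '
        $1 == "LISTEN" {
            n = split($4, a, ":")
            port = a[n] + 0
            addr = substr($4, 1, length($4) - length(a[n]) - 1)
            if (port >= 5900 && port <= 5999 &&
                (addr == "0.0.0.0" || addr == "[::]" || addr == "*"))
                print $4
        }'
}

# ssh_tunnel_command USER GATEWAY VNC_HOST DISPLAY
#   Prints the ssh command a viewer machine runs so that connecting a VNC
#   client to localhost display DISPLAY reaches VNC_HOST over the encrypted
#   SSH channel to GATEWAY. The local end is pinned to 127.0.0.1 so the
#   forwarded port is not itself exposed on the client's network.
#   Host and user names are hypothetical.
ssh_tunnel_command() {
    user="$1"; gateway="$2"; vnc_host="$3"; display="$4"
    port=$((5900 + display))
    printf 'ssh -N -L 127.0.0.1:%d:%s:%d %s@%s\n' \
        "$port" "$vnc_host" "$port" "$user" "$gateway"
}

# Stand-alone run: audit the constructed sample, then show the tunnel command.
echo "Exposed VNC listeners:"
exposed_vnc_listeners "$SAMPLE_LISTENERS"
echo "Tunnel command for display 2:"
ssh_tunnel_command admin gw.example.net 192.0.2.10 2
```

On a real host, pass `"$(ss -ltn)"` to `exposed_vnc_listeners` instead of the sample. Any line it prints is a display reachable without SSH; the fix is to bind that VNC server to loopback (or restrict it to the gateway's address), remove the firewall port forward, and have viewers bring up the tunnel first and then connect to `localhost:N`. The password and framebuffer then travel only inside SSH, which is the condition Ledow's Wireshark test checks for.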
 
11-21-2007, 09:22 AM   #7
drokmed (Original Poster)
Quote: Originally Posted by ledow
For what it's worth, better versions of VNC not only encrypt but also authenticate against AD servers, while remaining completely backward compatible. UltraVNC comes to mind, as that is what I use; even then I tunnel the stream as well.
Thanks ledow

My "never thought it could happen to me" attitude made me too lazy to tunnel the stream... some lessons come hard in life; I got off easy this time.

It can authenticate against AD? How about openldap? I'm implementing ldap here, will definitely check that out. I sometimes forget what password went on which machine, LOL; auth will resolve that!

I'm still going to implement a vpn tunnel for the windows machines, but I like the idea of upgrading vnc to get encryption and the auth option; that's great!
 
12-01-2007, 12:45 PM   #8
nowshining (Member, Registered: Dec 2007, Distribution: Ibex, Posts: 93)
Maybe the kid/adult persons wanted to just have some fun and that's all... and wow, it was the windows box hacked and not linux. I myself felt like I was always being watched when using windows, and that I always had a virus/trojan/backdoor, etc. Now I don't, since I switched to linux, and even an upgrade is more stable than XP ever was... and yes, I kept up with all the latest patches, etc., when I did use windows...
 