Old 08-22-2009, 05:08 PM   #1
psykotrol
LQ Newbie
 
Registered: Jan 2008
Posts: 12

Rep: Reputation: 0
Recent remote desktop access


Hello,

Recently, somebody from Japan took remote access over my desktop, because I (stupidly) forgot to check "require users to enter this password".

Thankfully I was at my desk when it happened, so nothing was deleted or lost, but I had to force it to shut down via the power button, because I couldn't disconnect him. When I tried to, the mouse moved away because he was trying to move it.

However, is there a way to find out through logs, recent commands or anything like that, who it was? I got a brief look due to the notification popup, and all I saw before he started entering commands was tokyo.jp and the accompanying MAC address or whatever.

He opened up nautilus and typed in something I'm not quite sure about before I shut the comp down.

So is there a way to find out who recently took control of my comp, what commands he entered, etc?

Also, what keyboard shortcut disconnects remote users?

Last edited by psykotrol; 08-22-2009 at 05:11 PM.
 
Old 08-24-2009, 03:01 AM   #2
irishbitte
Senior Member
 
Registered: Oct 2007
Location: Brighton, UK
Distribution: Ubuntu Hardy, Ubuntu Jaunty, Eeebuntu, Debian, SME-Server
Posts: 1,213
Blog Entries: 1

Rep: Reputation: 82
The easiest way is not to pull the power, it's to pull the network cable!
 
Old 08-24-2009, 03:21 AM   #3
manwithaplan
Member
 
Registered: Nov 2008
Location: ~/
Distribution: Arch || Sidux
Posts: 393

Rep: Reputation: 45
Quote:
Originally Posted by irishbitte
The easiest way is not to pull the power, it's to pull the network cable!
LOL...! true


You need to audit your listening ports... Check your log files... I use shorewall & SSH w/ syslog-ng. The filters I use separate the firewall logs to a separate log file that records the MAC... I would audit the SSH logs, firewall logs, and auth logs. This is, of course, if you have appropriate filters and log files. I would find the auth time stamps and grep the firewall log for a pattern. From there you'll find the MAC. You need to run chkrootkit on your machine, and see if there are any common rootkits. Also audit your crons. Someone can easily plant a reverse ssh script that crons a connection to listen to a port, giving away their position. If he was controlling the screen, that would suggest a VNC connection, possibly over SSH. Check the firewall rules for VNC connections. I would change all listening ports and set appropriate logs for any future audits. And reset the port forwarding on the router.

Just grep the logs first with the timestamps, then the compromised username, find a pattern.

Last edited by manwithaplan; 08-24-2009 at 03:23 AM.
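
The timestamp correlation described in the post above, as an added example that is not part of the original thread. It assumes a syslog-format auth log with sshd "Accepted" lines and a firewall log of netfilter LOG lines carrying a Shorewall prefix; the log lines, addresses, user name and function names are all constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed, abbreviated sample logs (not from the thread); IPs are documentation ranges.
AUTH_LOG = """\
Aug 22 16:40:02 desk CRON[2101]: pam_unix(cron:session): session opened for user root by (uid=0)
Aug 22 17:02:14 desk sshd[2210]: Accepted password for psy from 203.0.113.7 port 51234 ssh2
"""
FW_LOG = """\
Aug 22 16:41:10 desk kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:16:3e:aa:bb:cc:00:1b:2f:11:22:33:08:00 SRC=198.51.100.9 DST=192.168.1.10 PROTO=TCP SPT=40000 DPT=23
Aug 22 17:02:13 desk kernel: Shorewall:net2fw:ACCEPT:IN=eth0 OUT= MAC=00:16:3e:aa:bb:cc:00:1b:2f:11:22:33:08:00 SRC=203.0.113.7 DST=192.168.1.10 PROTO=TCP SPT=51234 DPT=22
Aug 22 17:02:40 desk kernel: Shorewall:net2fw:ACCEPT:IN=eth0 OUT= MAC=00:16:3e:aa:bb:cc:00:1b:2f:11:22:33:08:00 SRC=203.0.113.7 DST=192.168.1.10 PROTO=TCP SPT=51240 DPT=5900
"""

TS = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) ")
AUTH = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+)")
FIELD = re.compile(r"\b(MAC|SRC|DPT)=(\S+)")

def stamp(line, year):
    # Classic syslog timestamps carry no year, so the caller supplies it.
    m = TS.match(line)
    return datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S") if m else None

def fw_events(text, year):
    # Yield (time, source IP, destination port, source MAC) per firewall line.
    for line in text.splitlines():
        t, f = stamp(line, year), dict(FIELD.findall(line))
        if t and {"MAC", "SRC", "DPT"} <= f.keys():
            # netfilter LOG MAC= is dst MAC (6 bytes) + src MAC (6) + EtherType (2).
            src_mac = ":".join(f["MAC"].split(":")[6:12])
            yield t, f["SRC"], int(f["DPT"]), src_mac

def correlate(auth_text, fw_text, year=2009, window_s=60):
    # For every accepted login, list firewall hits within +/- window_s seconds.
    fw, window, hits = list(fw_events(fw_text, year)), timedelta(seconds=window_s), []
    for line in auth_text.splitlines():
        m, t = AUTH.search(line), stamp(line, year)
        if not (m and t):
            continue
        user, ip = m.groups()
        hits += [(user, ip, src, dpt, mac) for ft, src, dpt, mac in fw if abs(ft - t) <= window]
    return hits

if __name__ == "__main__":
    for hit in correlate(AUTH_LOG, FW_LOG):
        print(hit)
```

The source MAC in a netfilter LOG line belongs to the last layer-2 hop, so for a connection arriving from the internet it is the upstream router's address; the SRC address and destination port are the fields that describe the remote end.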
 