The mystery intruder getting on my Ubuntu 12.04 Linux box is a stranger who discovered my Gnome Desktop Sharing had "Allow other users to view your Desktop" and also "Allow other users to control your desktop" enabled.
I was using my computer the other night and I noticed a new icon had popped up on the top bar. It was the Gnome Desktop Sharing application. I stepped through the various terminal windows and I saw the following commands being executed in one of the terminal windows:
Code:
480 ./Sstart
481 c
482 cd csservers_redirecte_linux_hldsp
To stop the intruder I clicked "Disconnect ethernet".
I had allowed "Allow other users... " a few months ago when I was trying to run an application on an Ubuntu computer in the garage from another Ubuntu computer in the house. I forgot to turn off the settings.
The next question is, how did the outside stranger find me? My home computers are on a local network. For the last few months a Netgear C3000 router+cable modem has been my home router. Before the C3000 I had used a Linksys WRT54 and the cable service's ethernet converter box.
I found out that when Gnome Desktop Sharing is set to "Allow other users to access your desktop", the application opens port 5606 and other ports.
The question again is how did the outside computer user find my computer and then how did the outside user find I had port 5606 open?
Code:
# Command to show all listening ports on the Linux computer you are on.
# -l = listening sockets only, -p = show the owning program (run as root to see every process)
netstat -lp # Pretty verbose.
# Command to scan another computer on local network for ports in a specific range
# IP address of the computer is 192.168 etc.
# Port range is last dashed numbers
# nc is short for netcat; -n = no DNS lookups, -v = report each result,
# -z = scan only (connect and close without sending data)
nc -nvz 192.168.0.19 5200-5900
I had success scanning for an open port security vulnerability between two Linux computers on a local network, where you know the IP number of the other computer and you also know whether gnome-desktop-sharing is on or off (by setting the value yourself).
The next step for me is to figure out how to set up a port scan detector. Am I getting scanned because my main Linux box is connected by a physical ethernet cable to the home router? Is the outsider getting past the router by systematically generating likely addresses and hammering away?
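One way to build the port scan detector asked about above, as an added example that is not part of the original post: it parses netfilter/iptables LOG lines (assuming inbound SYNs are logged with a rule such as iptables -A INPUT -p tcp --syn -j LOG) and flags any source address that probed more than a threshold of distinct destination ports. The log lines and the address 203.0.113.7 below are constructed for the example.

```python
import re
from collections import defaultdict

# Fields we need from a netfilter LOG kernel message (format assumed from the
# standard iptables LOG target: "... SRC=a.b.c.d DST=e.f.g.h ... DPT=NNNN ...").
LOG_RE = re.compile(r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?DPT=(?P<dpt>\d+)")

def detect_scans(lines, threshold=10):
    """Return {source_ip: sorted distinct destination ports} for every source
    that touched at least `threshold` different ports. A single host hitting
    many ports in a narrow range is the classic signature of a port sweep."""
    ports = defaultdict(set)
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            ports[m["src"]].add(int(m["dpt"]))
    return {src: sorted(p) for src, p in ports.items() if len(p) >= threshold}

# Constructed sample: one outside host sweeps ports 5200-5215 on the desktop,
# while a local machine legitimately connects to the sharing port twice.
SAMPLE_LOG = [
    f"kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.0.10 LEN=60 PROTO=TCP SPT=4{p} DPT={p} SYN"
    for p in range(5200, 5216)
] + [
    "kernel: IN=eth0 OUT= SRC=192.168.0.19 DST=192.168.0.10 LEN=60 PROTO=TCP SPT=50321 DPT=5606 SYN",
    "kernel: IN=eth0 OUT= SRC=192.168.0.19 DST=192.168.0.10 LEN=60 PROTO=TCP SPT=50322 DPT=5606 SYN",
]

if __name__ == "__main__":
    for src, probed in detect_scans(SAMPLE_LOG).items():
        print(f"possible scan from {src}: {len(probed)} ports ({probed[0]}-{probed[-1]})")
```

In practice the function would be fed from the kernel log (for example journalctl -k or /var/log/kern.log) rather than the embedded sample.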