So, this morning, I was working on my desktop under Ubuntu 9.10 when I got a message in the the upper right telling me that my Remote Desktop Connection had been activated. I don't know who it was, but they proceeded to open up a terminal and start typing a bunch of stuff. This scared the living @#$^ out of me, so I didn't really pay attention to what he was doing and immediately dove for the reset button. I disconnected my network from the web and found that RDC was NOT password protected.

Now, I probably did this a little while ago while I was playing around with it, but I also set up an account with dyndns.org. Would this possibly increase the number of attacks on my network? Just in case, I have removed my listing.

Also, would any of this incident be logged somewhere? How/Where would I look to see if I'm being poked and prodded for another security hole?

I'm still pretty new to linux (I've been using it for about a year now), and I really appreciate your help. So, thanks.

One of the first things you should do on a newly installed, modified, or inherited system is run:

# netstat -ltnup

Take careful note -- these are all the services that your host is offering up and accepting tcp or udp connections on. If you see applications here that you don't need/want to run, then disable them. If you see applications that are listening on an external interface, but don't need to be, then correct their configuration. You can also plan your host-level firewall ruleset based on what legitimately needs to be listening.

About your dyndns question: I wouldn't necessarily assume that someone found your host using DNS rec info. It is more likely that someone was scanning large subnets, and discovered you had a listening service to attack.

I would also rewrite your iptables to drop incoming requests, allow certain outbound ports, and define which ports you want outgoing, ie bittorent servers/cleints, etc...

Did you notice what user it was under? Was the prompt a $ or a #? You might look in .bash_history for your users and see if you recognize any of the commands. Try looking at the output of last to see if you can spot what user they were under.

By the way, since this is Ubuntu and they've pretty much abused the daylights out of sudo, I wouldn't connect this machine to the network until you've had a chance to figure out if they've done anything.

Some useful commands:

ps -axfwwwe - look for unusual processes running.

lsof -Pwn - look at open files

netstat -pantue - see if there are any odd network connections

You're looking for things that are odd or unknown.

If I am not mistaken, Remote Desktop Connection is based upon VNC. It is a notoriously insecure application that is responsible for more successful cracks than anything else. If you want remote desktop capability, once you get things straightened out, skip the VNC and use FreeNX or only use VNC through and SSH tunnel. I would also suggest that you get rid of password authentication and use key based only for your SSH. Applications such as fail2ban and denyhosts help to make cracking attempts more difficult because after a couple of failures their IP will be banned for a period of time.

I don't remember the OP saying that the service had been cracked. He stated that he hadn't password-protected it. He could've done the same thing with FreeNX or any other VNC tool. It wasn't the tool, it was user error that caused this.

OP, do as the others have stated. You can still use RDP if you layer your security: use a password!; use iptables to limit who can use RDP; periodically check your machine's running services via netstat. You can do all of that and have a safe machine and still utilize RDP.

Breaches via activated RDP seem to be a problem with .*buntu, the topic pops up regularly in some .*buntu forums...