Hello,

recently, somebody from japan took remote access over my desktop, because I (stupidly) forgot to check "require users to enter this password".

Thankfully I was at my desk when it happened, so nothing was deleted or lost, but I had to force it to shut down via the power button, because I couldnt disconnect him. When I tried to, the mouse moved away because he was trying to move it.

However, is there a way to find out through logs, recent commands or anything like that, who it was? I got a brief look due to the notification popup, and all I saw before he started entering commands was tokyo.jp and the accompanying mac address or whatever.

He opened up nautilus and typed in something Im not quite sure about before I shut the comp down.

So is there a way to find out who recently took control of my comp, what commands he entered, etc?

Also, what keyboard shortcut disconnects remote users?

the easiest way is not to pull the power, it's pull the network cable!

LOL...! true


You need to audit your listening ports ... Check your log files... I use shorewall & SSH w/ syslog-ng. The filters I use separate the firewall logs to a separate log file that records the mac... I would audit the SSH logs, firewall logs, and auth logs. This is of course you have appropriate filters and log files. I would find the auth time stamps and grep the firewall log for a pattern. From there you'll find the mac. You need to run chkrootkit on your machine, and see if there are any common rootkits. Also audit your crons. Someone can easily plant a reverse ssh script that crons a connection to listen to a port. Giving away there position. If he was controlling the screen, that would suspect a vnc connection possibly over ssh. Check the firewall rules for vnc connections. I would change all listening ports and set appropriate logs for any future audits. And reset the port forwarding on the router.

Just grep the logs first with the timestamps, then the compromised username, find a pattern.