I got h4X0red!!! What fun :o
DOSMAN
21 Nov 2004, 5:34am
This was crazy.. Now I definitely have a relatively insecure system, and maybe I've been a little too lax about this stuff, but it sure made for an interesting few minutes.
Ok, so my RA was over and I was on my comp using it and suddenly the wallpaper goes grey, I lose mouse and keyboard input, and the VNC icon lights up. Someone connected to me!!! In a frenzy, I ran over to the hub, and unplugged myself (and Lei as well in a panicked rage), which promptly disconnected the h4x0r.
I had a relatively easy VNC password, and I connect to my comp from everywhere (other people's comps, computer labs (Windows and Linux), etc). I'm assuming that someone set up a keyboard trap on one of the public computers, and saw my pass. In any case, someone made a conscious effort to get me.
So in a curious mood, I checked my windows file sharing folders, and in the one I had read/write access to, I found an autorun.inf file and an installer for who knows what that Norton promptly deleted.
What worries me is if this someone connected to me at an earlier time when I wasn't around, and started phucking my system. I always lock my workstation whenever I leave my room (can't trust that Lei...), so "mr h4x0r" would have to know my Windows pass as well, but if the issue was with a keyboard trap, it wouldn't take too much effort to read the next line.
So for now, I'll be puzzled, confused, and slightly scared. I stopped running VNC and ... eek... enabled the windows firewall :eek: .... I wonder how (s)he found my password, and whether or not "mr(s) h4x0r" did anything.....
leishi85
21 Nov 2004, 5:35am
hahah, dumbass0rxer
Geeky1
21 Nov 2004, 5:39am
owned. I have two words for you:
Hardware. Firewall.
TheSmJ
21 Nov 2004, 5:46am
I don't think a firewall would help keep your computer safe from somebody connecting to your computer using RealVNC (unless you want to keep yourself out as well, but then what's the point?).
Your best bet would be to change all your passwords, and have VNC log the IPs which attempt to connect to your compy. You could use such information to find out who the person is and report them, kick his ass, or scare the sh!t outa him.
DOSMAN
21 Nov 2004, 5:53am
But who would do this on a Saturday night? It would have to be someone with no life. That should narrow it down a bit.
It doesn't look like VNC logs anything, and my Apache log doesn't look like it caught anything either.
Kill the nerds (except for me). Hackers blow.
DOSMAN
21 Nov 2004, 6:02am
NEW UPDATE:
After reviewing my Apache logs, I noticed something suspicious around the time of the incident, with an IP from Eastern Michigan University. 164.76.170.183
Lord_Night
21 Nov 2004, 6:03am
Probably some 14yrld with nothing better to do.
'cause they can't find a date......
so hey, why not hack someone
ip-170-183.resnet.emich.edu [164.76.170.183].
I believe that's their WAN-side server (All I can do is formulate theories based on empirical data I've collected). It is my belief that it runs a proxy server, and the LAN-side server runs through that proxy to filter in/out traffic, but permit inside traffic as we get free communication on the LAN (unfortunately). All you have is the WAN-side IP, Eastern's official address to the outside world. If we could get a LAN address, I could contact my friend inside resnet to see the owner of that IP -- then you could come with Lei to EMich and we could all beat his ass together.
profdlp
21 Nov 2004, 6:18am
But who would do this on a Saturday night? It would have to be someone with no life. That should narrow it down a bit...
Maybe not as much as you might think. :rolleyes:
Look how many replies there have been so far in just a short while... ;D
Hackers...Find them and kill them. :rarr:
DOSMAN
21 Nov 2004, 6:27am
Does anyone know a way to monitor all incoming traffic on a specific port range?
I think Sygate monitors activity quite well, but I haven't used it in a while, so I am not positively sure.
S_Wilson
21 Nov 2004, 8:23am
Sygate has pretty detailed logs, and most routers should have logging capabilities; at least the ones I have used do.
I should've checked back into this thread. I suggested he use Sygate at about 1:15 :D
Clutch
21 Nov 2004, 2:32pm
Well you can change everything back and try to catch them at it again if you can log the IPs and all. And then go beat his/her ass.
I'm with this guy, GET'EM! Kinda like how I left my truck out where it got vandalized once, in hopes they came back. So I could club them with my crowbar socket wrench thing from my truck and get it on tape :thumbsup:
Clutch
21 Nov 2004, 5:45pm
I'm with this guy, GET'EM! Kinda like how I left my truck out where it got vandalized once, in hopes they came back. So I could club them with my crowbar socket wrench thing from my truck and get it on tape :thumbsup:
Looks like we were raised the same way, haha :)
CyrixInstead
21 Nov 2004, 6:10pm
Let us know how this pans out DOSMAN.
~Cyrix
DOSMAN
21 Nov 2004, 7:18pm
I shall. I wrote a batfile (after all, I am DOSMAN) that will output netstat -n to a file. The next time it happens, I'll have a record of the IP.
Crap... I use VNC at school too. If it were me and I didn't panic, I'd let the guy do whatever he was planning to do when he connected to learn what he is or has been up to.
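The "dump netstat -n to a file" idea above, worked out as an added example (this is editor-added code, not DOSMAN's batfile or anything from the thread). It parses the netstat -n table in either the Windows or Linux layout, keeps only the TCP entries whose local port is the VNC port, and writes one timestamped line per remote endpoint, so the log records who was connected rather than the whole table. The sample netstat text is constructed (addresses are from the RFC 5737 documentation ranges), the port 5900 is RealVNC's default for display :0, and the log file name is an assumption.

```python
import re
import subprocess
from datetime import datetime

# Constructed sample of `netstat -n` output in the Windows layout; addresses come
# from the RFC 5737 documentation ranges and were not captured from any real host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.0.2.10:80          203.0.113.17:3011      TIME_WAIT
  TCP    192.0.2.10:5900        192.0.2.40:1337        ESTABLISHED
  TCP    [::1]:5900             [::1]:50123            ESTABLISHED
  UDP    192.0.2.10:137         *:*
"""

VNC_PORT = 5900  # RealVNC default port for display :0

# 'host:port' where port is digits or '*'; the host part may itself contain colons (IPv6).
ADDR_RE = re.compile(r"^(?P<host>.+):(?P<port>\d+|\*)$")


def split_addr(token):
    """Split 'host:port' into (host, port); handles '[::1]:5900' and ':::22' as well."""
    m = ADDR_RE.match(token)
    if not m:
        return None
    host = m.group("host").strip("[]")
    port = None if m.group("port") == "*" else int(m.group("port"))
    return host, port


def parse_netstat(text):
    """Return the TCP rows of netstat -n output (Windows or Linux layout) as dicts."""
    conns = []
    for line in text.splitlines():
        tokens = line.split()
        # Skip headers, blank lines and UDP rows; 'tcp', 'TCP' and 'tcp6' all count.
        if not tokens or not tokens[0].lower().startswith("tcp"):
            continue
        addrs = [t for t in tokens[1:] if ADDR_RE.match(t)]
        if len(addrs) < 2:
            continue
        local, remote = split_addr(addrs[0]), split_addr(addrs[1])
        # The state column, when present, is the last token and is not an address.
        state = tokens[-1] if tokens[-1] != addrs[1] else ""
        conns.append({
            "local_host": local[0], "local_port": local[1],
            "remote_host": remote[0], "remote_port": remote[1],
            "state": state,
        })
    return conns


def connections_to_port(text, port):
    """(remote_host, remote_port, state) for every connection to `port`, listeners excluded."""
    return [
        (c["remote_host"], c["remote_port"], c["state"])
        for c in parse_netstat(text)
        if c["local_port"] == port and c["state"] not in ("LISTEN", "LISTENING")
    ]


def format_log_lines(text, port, stamp):
    """One log line per remote endpoint, prefixed with the given timestamp string."""
    return [f"{stamp} port {port} <- {host}:{rport} {state}"
            for host, rport, state in connections_to_port(text, port)]


def snapshot(logfile="vnc_connections.log", port=VNC_PORT):
    """Run `netstat -n` now and append any connections to `port` to the log file."""
    out = subprocess.run(["netstat", "-n"], capture_output=True, text=True, check=False).stdout
    stamp = datetime.now().strftime("%Y-%m-%d %H:%M:%S")
    lines = format_log_lines(out, port, stamp)
    with open(logfile, "a") as fh:  # assumed log location; append so earlier hits survive
        for line in lines:
            fh.write(line + "\n")
    return lines


if __name__ == "__main__":
    for line in snapshot():
        print(line)
```

Run it from a scheduled task every minute or so and the log ends up holding only the rows that matter, with a timestamp on each, which is exactly what was missing when the Apache log had to be matched to the incident by guesswork.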
DOSMAN
21 Nov 2004, 8:20pm
I feel like I'm in an investigation... It's just like this week's Enterprise episode :p
Yeah, so advice for all of you. Never delete the evidence! When I first found the autorun.inf and virus, I deleted them for safety's sake. That was really stupid of me, because I never took note of the date/time on those files, that probably would have told me when they were uploaded. So now, all I have is my Apache log, which isn't too conclusive without knowing exact dates/times.
After looking over my logs a bit, I've come to a few conclusions:
1) The virus was in a shared folder that Apache shows was accessed yesterday, and the last time before that was on Nov 3. Both were by the same IP on the local network. I think I'll have a word with the Rescomp guy and see if he can't match an IP to a face, so I can punchify it. The evidence is enough for me, but I should probably wait for it to happen again, and get definite proof of when it happened, so I can accurately match logs to events.
2) I really have nothing conclusive on the VNC incident. Only that my HTTP page was saved to someone from Eastern Mich's Favorites list just before it happened. I guess that really doesn't say much, but it sounds like something I'd expect to happen about that time. The next closest connection to my HTTP server was 4 hours earlier just to view my main page, and 5 minutes later by my roommate (and I know he didn't do it, since the first thing I did when my comp was accessed was look over to him).
So for now, all I have are 2 "suspicious" IPs, but nothing conclusive. I guess I'll just have to wait for it to happen again before I really do anything.
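The "never delete the evidence" lesson above, as an added example (editor-added code, not from anyone in the thread). Before a dropped file is removed, this records what the post says was lost: the file's size, its modification/access/creation timestamps and a SHA-256 hash, written to a JSON manifest so the times can later be lined up against the Apache log. The share directory it walks is a constructed temporary folder containing a harmless stand-in autorun.inf and a text file named setup.exe, with their timestamps set to a fixed date; nothing here is a real sample, and the manifest file name is an assumption.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# Constructed stand-ins for the dropped files described in the thread: plain text,
# nothing executable. The timestamp is 2004-11-21 00:00:00 UTC, chosen for the demo.
DEMO_FILES = {
    "autorun.inf": b"[autorun]\r\nopen=setup.exe\r\n",
    "setup.exe": b"placeholder bytes, not a real installer\n",
}
DEMO_EPOCH = 1100995200  # 2004-11-21T00:00:00+00:00


def iso_utc(ts):
    """Render a POSIX timestamp as an ISO-8601 string in UTC."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()


def sha256_of_file(path):
    """Hash the file in chunks so large droppers do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def file_evidence(path):
    """Everything worth noting about one file before it is quarantined or deleted."""
    st = os.stat(path)
    return {
        "name": os.path.basename(path),
        "path": path,
        "size": st.st_size,
        "sha256": sha256_of_file(path),
        "modified": iso_utc(st.st_mtime),
        "accessed": iso_utc(st.st_atime),
        # st_ctime is creation time on Windows but inode-change time on Unix.
        "created_or_changed": iso_utc(st.st_ctime),
    }


def record_share(share_dir, manifest_path):
    """Walk the share, collect evidence for every file, and save it as JSON."""
    entries = []
    for root, _, files in os.walk(share_dir):
        for name in sorted(files):
            entries.append(file_evidence(os.path.join(root, name)))
    with open(manifest_path, "w") as fh:
        json.dump(entries, fh, indent=2)
    return entries


def build_demo_share():
    """Create a temp directory holding the constructed files with fixed timestamps."""
    share = tempfile.mkdtemp(prefix="share_demo_")
    for name, data in DEMO_FILES.items():
        path = os.path.join(share, name)
        with open(path, "wb") as fh:
            fh.write(data)
        os.utime(path, (DEMO_EPOCH, DEMO_EPOCH))  # atime and mtime; ctime cannot be set
    return share


def demo():
    """Build the demo share and record it; the manifest lands next to the files."""
    share = build_demo_share()
    return record_share(share, os.path.join(share, "evidence_manifest.json"))


if __name__ == "__main__":
    for entry in demo():
        print(json.dumps(entry, indent=2))
```

Run this against the real share before Norton or anyone else cleans it up; the hashes let the files be identified later even after they are gone, and the timestamps are what you match against the web server log.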
LawnMM
21 Nov 2004, 9:08pm
So let me get this straight. You leave VNC running with a password you openly admit is not complicated or hard to crack. You realize this makes you a sitting duck. Somebody takes advantage of it...and you're pissed because?
Is it right? No. Though it does sound like you were asking for it and now you want to go rumble over it. Live, learn, move on.
Guyute
21 Nov 2004, 9:12pm
"punchify it" --LOL
Or "re-format his hard drive"
vBulletin® v3.8.1, Copyright ©2000-2009, Jelsoft Enterprises Ltd.