Beware, I was hacked

Armo Mr. Nice Guy Is Dead, Only Aqua Remains Member
edited February 2006 in Science & Tech
My machine was hijacked by 1, if not 2, people ranging from

83.67.86.196
83.196.74.94

both of which originate from Amsterdam.

They installed a remote administration tool as well as ServUFTP and ServUDaemon, on 2/2/2006 @ approx 2:48 AM East.

They hijacked my RealVNC service when I was using my machine one day, as I saw my cursor move on its own to browse one of my drives' properties. I have since done a system restore to remove all inlaid DLL callers and EXEs from the registries, as well as the services that run on the machine. I also locked down my machine.

Is there any sort of action I can take against these people, knowing the DNS servers they used as IP addresses? I also have audit logs of when they connected. Also, can a Linksys router block subnets?

Comments

  • Trogan London, UK
    edited February 2006
    Armo, I'm working on a thread here. A similar thing is happening to the user in the thread as what you're saying...

    EDIT: If the problem persists, I'll tell the user to do a system restore like you did.
  • Armo Mr. Nice Guy Is Dead, Only Aqua Remains Member
    edited February 2006
    OK, I'll read through it and hopefully have some input.

    I also found out what they did with the FTP: from 2 AM till about 9 PM, when I got home from work, they had uploaded 14 gigs of French movies. See, now, had they been good movies in English I would have let them keep going, lol
  • sfleuriet Texas New
    edited February 2006
    Man, that really sucks... ServUFTP and ServUDaemon are very good programs that I have used myself.
  • Armo Mr. Nice Guy Is Dead, Only Aqua Remains Member
    edited February 2006
    lol, I bet they freaked out when they saw how much space I have, lol. I still can't believe they sent me 14 gigs in about 15 hours. Just everyone be careful and don't become a zombie.
  • hypermood Smyrna, GA New
    edited February 2006
    Out of curiosity, did they brute force your password?
  • Armo Mr. Nice Guy Is Dead, Only Aqua Remains Member
    edited February 2006
    Well, RealVNC runs as a service that awaits inbound connections. Also, that same machine is in the DMZ, so there's no real telling how they did it. I mean, you can do a port scan and see the waiting connection in VNC. So now I have the security beefed up on it with a hugely improved password, and I made a connection list of valid IPs I allow to connect to it. I may just take the server down when I get home.
  • Bud Chesterfield, Va
    edited February 2006
    That sounds like something that would happen to you, Armo. Go with RemotelyAnywhere, it's so nice. I switch my ports every other week too, oh yeah, all high level too. How much free space do you have?
  • Armo Mr. Nice Guy Is Dead, Only Aqua Remains Member
    edited February 2006
    Mm, on my D: about 160 gigs. On my array it's about 325 gigs.
  • Bud Chesterfield, Va
    edited February 2006
    How many arrays do you have?
  • Armo Mr. Nice Guy Is Dead, Only Aqua Remains Member
    edited February 2006
    Just one array and one volume on it at 1.09 TB.
  • Bud Chesterfield, Va
    edited February 2006
    Ah, I see.
  • drasnor Starship Operator Hawthorne, CA Icrontian
    edited February 2006
    A machine in Poland tried to brute force the SSH server on SM25 and failed thankfully. I added his IP to SM25's block list and forwarded the log file to his ISP. Hopefully they'll do something but I'm not holding my breath.

    Funny thing, they never got to guess any passwords because they couldn't guess the login name. I find it odd that they tried every variation of "admin" under the sun and varieties of common names but never tried the most obvious one: root.

    -drasnor :fold:
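Added example, not drasnor's or the forum's code: a small Python script that does what the post describes by hand, reading sshd log lines, counting failed and invalid-user logins per source address and recording the usernames each source tried, so the address can go on a block list and the evidence forwarded. The log lines are constructed (documentation-range addresses; the hostname sm25 is borrowed from the post).

```python
import re
from collections import defaultdict

# Constructed sample log (not from the thread); 203.0.113.x / 198.51.100.x are documentation ranges.
SAMPLE_AUTH_LOG = """\
Feb  2 02:48:01 sm25 sshd[4211]: Invalid user admin from 203.0.113.77
Feb  2 02:48:03 sm25 sshd[4213]: Invalid user administrator from 203.0.113.77
Feb  2 02:48:05 sm25 sshd[4215]: Invalid user admin1 from 203.0.113.77
Feb  2 02:48:07 sm25 sshd[4217]: Invalid user john from 203.0.113.77
Feb  2 02:48:09 sm25 sshd[4219]: Failed password for invalid user mike from 203.0.113.77 port 51001 ssh2
Feb  2 02:49:10 sm25 sshd[4230]: Failed password for root from 203.0.113.9 port 51022 ssh2
Feb  2 02:50:00 sm25 sshd[4240]: Accepted publickey for drasnor from 198.51.100.4 port 40110 ssh2
"""

# Two sshd message shapes that indicate a failed login attempt.
INVALID_USER = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from (\d+\.\d+\.\d+\.\d+)")
FAILED_PW = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")

def summarize_attempts(log_text):
    """Map each source IP to its failed-login count and the usernames it tried, in order."""
    per_ip = defaultdict(lambda: {"attempts": 0, "users": []})
    for line in log_text.splitlines():
        match = INVALID_USER.search(line) or FAILED_PW.search(line)
        if not match:
            continue  # successful logins and unrelated lines are ignored
        user, ip = match.groups()
        entry = per_ip[ip]
        entry["attempts"] += 1
        if user not in entry["users"]:
            entry["users"].append(user)
    return dict(per_ip)

def block_candidates(summary, threshold=5):
    """Source IPs with at least `threshold` failures, most active first."""
    hits = [(ip, d["attempts"]) for ip, d in summary.items() if d["attempts"] >= threshold]
    return [ip for ip, _ in sorted(hits, key=lambda h: (-h[1], h[0]))]

if __name__ == "__main__":
    summary = summarize_attempts(SAMPLE_AUTH_LOG)
    for ip in block_candidates(summary):
        print(f"{ip}: {summary[ip]['attempts']} failures, tried: {', '.join(summary[ip]['users'])}")
```

On the sample, the script reports only 203.0.113.77 and shows it cycling through "admin" variants and common names without ever trying root, the pattern drasnor describes.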
  • Armo Mr. Nice Guy Is Dead, Only Aqua Remains Member
    edited February 2006
    root, huh... hmmm, DNS lookup drasnor...
  • GrayFox /dev/urandom Member
    edited February 2006
    drasnor wrote:
    A machine in Poland tried to brute force the SSH server on SM25 and failed thankfully. I added his IP to SM25's block list and forwarded the log file to his ISP. Hopefully they'll do something but I'm not holding my breath.

    Funny thing, they never got to guess any passwords because they couldn't guess the login name. I find it odd that they tried every variation of "admin" under the sun and varieties of common names but never tried the most obvious one: root.

    -drasnor :fold:
    A more effective solution would be to change the SSH port.
    /etc/ssh/sshd_config

    is the location of the config.

    It's a very bad idea to leave SSH on the default port unless you have SSH login as root disabled and your box is uber secure.

    Edit: Also, the best way to ban anyone is to do a reverse DNS on anyone who connects to your server, then ban anyone using the target's DNS server.
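Added example, not GrayFox's code: a Python check that reads an sshd_config and flags the two settings this post talks about (default port 22, root login permitted) plus two related ones (password authentication on, no AllowUsers/AllowGroups allow-list). Both config texts are constructed; the hardened one also shows that sshd keeps the first value it reads for a keyword, so a stray later PermitRootLogin yes does not undo an earlier no.

```python
import re

# Constructed config (not from the thread) with the setup GrayFox warns against.
WEAK_CONFIG = """\
# Port left commented out, so sshd uses the default, 22
#Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed hardened config. The trailing PermitRootLogin yes is deliberate:
# sshd uses the FIRST value it reads for a keyword, so it changes nothing.
HARDENED_CONFIG = """\
Port 2222
PermitRootLogin no
PasswordAuthentication no
AllowUsers drasnor
PermitRootLogin yes
"""

def parse_sshd_config(text):
    """Parse sshd_config keyword/value lines: '#' lines are comments, keywords are
    case-insensitive, 'Key value' or 'Key=value' both allowed, first value wins."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) == 2:
            conf.setdefault(parts[0].lower(), parts[1].strip())
    return conf

def audit_sshd_config(text):
    """Return findings for the settings the thread discusses (plus two related ones)."""
    conf = parse_sshd_config(text)
    findings = []
    if conf.get("port", "22") == "22":  # Port defaults to 22 when unset
        findings.append("SSH listens on the default port 22")
    if conf.get("permitrootlogin") != "no":
        findings.append("PermitRootLogin is not explicitly 'no'")
    if conf.get("passwordauthentication", "yes") == "yes":  # defaults to yes
        findings.append("password authentication is enabled")
    if "allowusers" not in conf and "allowgroups" not in conf:
        findings.append("no AllowUsers/AllowGroups allow-list")
    return findings
```

Moving the port only hides the service from the laziest scanners; the checks that matter are the root-login, authentication and allow-list ones, which is why the audit reports all four.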
  • drasnor Starship Operator Hawthorne, CA Icrontian
    edited February 2006
    Not a bad idea. Of course, now it's uber-secure; offline, in a box, waiting for shipment.

    -drasnor :fold: