Help
One of my friends just told me that it seems that someone is being accessing his desktop. Here's the scoop:
He has two dual systems in his computer, Mandrake 10C and WinXP. When he was running XP, he said that all of sudden his Linux OS opened up and it seemed like if some was acessing all his files in his computer and now there's even an icon, or shorcut, placed in his desktop from whoever was accessing his computer.
Anybody knows what's happenning here? Is it because he has Linux now installed in his computer. I'm imagining that someone is using vmware, or one of those programs that are used to access a computer remotely. I'm not sure if it is because he has Mandrake in his computer, or if it is a security hole in XP or linux...
Please post your suggestions here how he can fix this problem...I'll post more specifics later.
Page 1 of 1
Help needed!!!
#1
LinuxCrusader 
- member
- Group: Members
- Posts: 165
- Joined: 31-January 04
Posted 15 April 2004 - 12:23 AM
#2
SoulNothing
- enthusiast
- Group: Members
- Posts: 309
- Joined: 24-February 04
Posted 15 April 2004 - 02:29 AM
first thing i got to ask is does your friend have a firewall or any internet protection because ive dealt with crackers before and this has happened befor since i have constant access i run two firewalls
im sure danleff or dapperdan can help more
but ill give some links to some firewalls grab this as a start
http://download.com.com/3000-2092-10247416.html?tag=lst-0-1
sygate is really good use this to monitor whose gaining access i would also run a virus scan incase a backdoor is installed
http://download.com.com/3000-2092-10282359.html?tag=lst-0-1
zone alarm is not as advanced but it helps
what these will do is ask for guarentee as to what gains internet access and what can access your computer
also disable any p2p networks
id need a bit more info for more help
im just providing some first step security
there isnt enough info for an exact answer
also possibly find the source of the icon and remove it
i know this isnt the most help but at least the firewalls will be a start
im sure danleff or dapperdan can help more
but ill give some links to some firewalls grab this as a start
http://download.com.com/3000-2092-10247416.html?tag=lst-0-1
sygate is really good use this to monitor whose gaining access i would also run a virus scan incase a backdoor is installed
http://download.com.com/3000-2092-10282359.html?tag=lst-0-1
zone alarm is not as advanced but it helps
what these will do is ask for guarentee as to what gains internet access and what can access your computer
also disable any p2p networks
id need a bit more info for more help
im just providing some first step security
there isnt enough info for an exact answer
also possibly find the source of the icon and remove it
i know this isnt the most help but at least the firewalls will be a start
#3
Dapper Dan
- Pooh-Bah
-
- Group: Moderators
- Posts: 1703
- Joined: 27-September 03
Posted 15 April 2004 - 03:42 PM
He was in XP and all of a sudden his Linux opened up? As in, the computer suddenly went down and rebooted into Linux? If it is an XP security issue, do what SoulNothing said and get a good strong and restrictive firewall. If it is Linux that is cracked, (which is much ore unlikely) tell him to change his usernames and passwords in both immediately and reconfigure the firewall to "paranoid." Especially have him change root's password to something very abstract. I'd be willing to bet it's an XP security issue. If that it the case, he should only go online using Linux until he gets it fixed. I hope your friend gets it sorted out.
#4
blackpage
- member
- Group: Members
- Posts: 120
- Joined: 23-March 04
Posted 15 April 2004 - 07:55 PM
hey there,
Firstly: Unlpug network-cable/connection to internet
IN CASE PROB COMES FROM XP:
in addition to what SoulNothing and DapperDan have already mentioned: I'd also blame XP first, so you should tell your friend to firstly close the "usual entrances". You haven't specified how your friend is connected to the internet, but in case this connection is established via a network-card (NIC), make sure that "File and Printer Sharing" is disabled in the respective NIC's properties (Control Panel -> Network -> the NIC in question -> Properties). I don't know XP, and if the built-in "firewall" closes these ports automatically, but it should be worth a look.
Also I'd recommend a profound check of XP to see if there's any malware working in the background (a virus scanner should be at hand, and also tools like "HijackThis" have proven valuable).
Besides P2P, and the things my co-posters have mentioned, disable all RDP-features (remote desktop) that might be running. These are "Netmeeting" or "VNC", just to name 2 popular ones.
IN CASE PROB COMES FROM MDK: (pretty unikely)
Dunno what packages your friend has chosen during installation, but you can use the drakconf-application to see what daemons/services are started at boottime, and which might allow remote access.
Look out for stuff like "TightVNC", "OpenSSH" (sshd), "ProFTP" or "Apache" (the latter ones are of minor concern). You can check these settings in Drakconf under "System" -> "Services" (or similar; got a german version here).
Also in Drakconf you can bring up the MDK-firewall (shorewall). Could be a good idea to use this easy-to-configure tool for a start in tightening and hardening your friend's machine.
Hopefully you/your friend can get this fixed ... and: as it is so important these days: get some firewall solution as mentioned by SN & DD.
For the XP-side I'd also recommend a view on the Kerio-products which are quite flexible (still though, I miss my favourite ... "where art though, AtGuard"
.
If you want to peek into a really semi-professional solution, take a look at WinRoute. For two years now we use this solution as (a) NAT-Router and Firewall for a parts of our internal network, and what can I say - it's kick-ass (btw. runs under W2K/P66/120MB RAM; so it's not as "hungry" as one might think).
hope this helps
Firstly: Unlpug network-cable/connection to internet
IN CASE PROB COMES FROM XP:
in addition to what SoulNothing and DapperDan have already mentioned: I'd also blame XP first, so you should tell your friend to firstly close the "usual entrances". You haven't specified how your friend is connected to the internet, but in case this connection is established via a network-card (NIC), make sure that "File and Printer Sharing" is disabled in the respective NIC's properties (Control Panel -> Network -> the NIC in question -> Properties). I don't know XP, and if the built-in "firewall" closes these ports automatically, but it should be worth a look.
Also I'd recommend a profound check of XP to see if there's any malware working in the background (a virus scanner should be at hand, and also tools like "HijackThis" have proven valuable).
Besides P2P, and the things my co-posters have mentioned, disable all RDP-features (remote desktop) that might be running. These are "Netmeeting" or "VNC", just to name 2 popular ones.
IN CASE PROB COMES FROM MDK: (pretty unikely)
Dunno what packages your friend has chosen during installation, but you can use the drakconf-application to see what daemons/services are started at boottime, and which might allow remote access.
Look out for stuff like "TightVNC", "OpenSSH" (sshd), "ProFTP" or "Apache" (the latter ones are of minor concern). You can check these settings in Drakconf under "System" -> "Services" (or similar; got a german version here).
Also in Drakconf you can bring up the MDK-firewall (shorewall). Could be a good idea to use this easy-to-configure tool for a start in tightening and hardening your friend's machine.
Hopefully you/your friend can get this fixed ... and: as it is so important these days: get some firewall solution as mentioned by SN & DD.
For the XP-side I'd also recommend a view on the Kerio-products which are quite flexible (still though, I miss my favourite ... "where art though, AtGuard"
.If you want to peek into a really semi-professional solution, take a look at WinRoute. For two years now we use this solution as (a) NAT-Router and Firewall for a parts of our internal network, and what can I say - it's kick-ass (btw. runs under W2K/P66/120MB RAM; so it's not as "hungry" as one might think).
hope this helps
#5
LinuxCrusader
- member
- Group: Members
- Posts: 165
- Joined: 31-January 04
Posted 15 April 2004 - 10:48 PM
Yeah, bad news is that he doesn't have firewall!
I asked him to post the specifics in here. Hopefully he'll do it later on today, but yes...he said that when he came back from work lot of his files like his C: drive and other files were showing on his WinXP desktop, and a bunch of his files were modified. He's computer rebooted aparently and went into linux and they were messing around with Kopete and whatever that could get they're hands on.
I didn't know that someone would find out if a person has Linux in their computer by going through Wins. I guessing they saw the types of partitions he had probably a light clicked in their heads that it was a Linux HD, but still, I think he setted up his Linux installation to not act as a sever or in other words not let any ftp, etc. remote connections to his computer. Shouldn't shorewall catch this. We'll see what he says...
I asked him to post the specifics in here. Hopefully he'll do it later on today, but yes...he said that when he came back from work lot of his files like his C: drive and other files were showing on his WinXP desktop, and a bunch of his files were modified. He's computer rebooted aparently and went into linux and they were messing around with Kopete and whatever that could get they're hands on.
I didn't know that someone would find out if a person has Linux in their computer by going through Wins. I guessing they saw the types of partitions he had probably a light clicked in their heads that it was a Linux HD, but still, I think he setted up his Linux installation to not act as a sever or in other words not let any ftp, etc. remote connections to his computer. Shouldn't shorewall catch this. We'll see what he says...
#6
danleff
- Carpal Tunnel
-
- Group: Moderators
- Posts: 2902
- Joined: 30-August 02
Posted 16 April 2004 - 02:35 AM
This sure sounds like a Win XP exploit. Someone is using Remote Desktop to access his computer. I bet he has cable internet connection. If so, he needs to disconnect his computer(s) from the connection and also call the cable company to report the intrusion. They may have some troubleshooting that he can implement, as well. For example, RoadRunner has free firewall software that he can download, if he has this service.
If he has a wireless connection, then someone in the immediate neighborhood could be hacking his connection.If so, he needs to secure the wireless system, or revert to cable only and see if the intrusion stops.
If he has a wireless connection, then someone in the immediate neighborhood could be hacking his connection.If so, he needs to secure the wireless system, or revert to cable only and see if the intrusion stops.
#7
LinuxCrusader
- member
- Group: Members
- Posts: 165
- Joined: 31-January 04
Posted 16 April 2004 - 02:44 AM
Your mostly right Danleff. He's connected through cable and it is roadrunner, too!
How only had the WinXp firewall running, which we all know it doesn't even count, but would it be there logged him who was the one that caused the intrusion? So he has to report this to his cable company...
I'm guessing he's still having trouble 'cause he hasn't post it anything yet...
How only had the WinXp firewall running, which we all know it doesn't even count, but would it be there logged him who was the one that caused the intrusion? So he has to report this to his cable company...
I'm guessing he's still having trouble 'cause he hasn't post it anything yet...
#8
danleff
- Carpal Tunnel
-
- Group: Moderators
- Posts: 2902
- Joined: 30-August 02
Posted 16 April 2004 - 11:23 PM
The idea is to notify RoadRunner to put notice that this is happening. This way, they may be able to assist in identifying the issue, even if at their end. Also, I wonder if this is on wireless, which could be any of his neighbors! Or, anyone in the neighborhood/cruising the same, who hacked in. What troubles me is that the person may have some knoledge of Linux-of course, they may have just been snooping around.
This points to assuring the need to have your system protected, even plugging some of the holes with XP updates.
This points to assuring the need to have your system protected, even plugging some of the holes with XP updates.
#9
jimf43
- enthusiast
- Group: Members
- Posts: 397
- Joined: 13-October 01
Posted 17 April 2004 - 02:47 AM
Originally posted by danleff:
For all window$ users Zone alarm is one of the better products around, and the free version will do the job with little or no configuration. I also recommend connecting to cable through a router/gateway. That gives you a hardware firewall and isn't that expensive, even if you only have one computer. Incidentally, Road Runner offers free AV and Firewall software and has been notifying its users that they need to install it. IMO this guy is an idiot who deserves what he got.
Quote:
The idea is to notify RoadRunner to put notice that this is happening. This way, they may be able to assist in identifying the issue, even if at their end. Also, I wonder if this is on wireless, which could be any of his neighbors! Or, anyone in the neighborhood/cruising the same, who hacked in. What troubles me is that the person may have some knoledge of Linux-of course, they may have just been snooping around.
This points to assuring the need to have your system protected, even plugging some of the holes with XP updates.
This points to assuring the need to have your system protected, even plugging some of the holes with XP updates.
For all window$ users Zone alarm is one of the better products around, and the free version will do the job with little or no configuration. I also recommend connecting to cable through a router/gateway. That gives you a hardware firewall and isn't that expensive, even if you only have one computer. Incidentally, Road Runner offers free AV and Firewall software and has been notifying its users that they need to install it. IMO this guy is an idiot who deserves what he got.
#10
LinuxCrusader
- member
- Group: Members
- Posts: 165
- Joined: 31-January 04
Posted 17 April 2004 - 03:25 AM
Quote:
For all window$ users Zone alarm is one of the better products around, and the free version will do the job with little or no configuration. I also recommend connecting to cable through a router/gateway. That gives you a hardware firewall and isn't that expensive, even if you only have one computer. Incidentally, Road Runner offers free AV and Firewall software and has been notifying its users that they need to install it. IMO this guy is an idiot who deserves what he got.
I think he's connected through a router, but offending please. He's my friend and he's having a hard time right now.
#11
jimf43
- enthusiast
- Group: Members
- Posts: 397
- Joined: 13-October 01
Posted 17 April 2004 - 04:55 AM
Quote:
I think he's connected through a router, but offending please. He's my friend and he's having a hard time right now.
Sorry, but your friend is in the process of learning a hard lesson ;-). If I had to deal with the situation, I'd (1) disconnect from the Internet, (2) backup any data (only Data), (3) Re-format any HDs, and reinstall XP and MD. It's the only way to make sure that the system's clean. If he has a backup image that will work too, but, it doesn't sound like he's real prepared. Install ZoneAlarm before you reconnect. If he is using a router with hardware firewall (doesn't sound like it), make sure that is configured. Also, make sure that the Firewall server is running and configured in MD. I'm pretty sure after this experence he won't make the same mistakes again ;-).
#12
SoulNothing
- enthusiast
- Group: Members
- Posts: 309
- Joined: 24-February 04
Posted 18 April 2004 - 06:13 AM
Originally posted by jimf43:
totally agree zone alarm is excellent but i also love sygate more advanced options both free id recommend running two at once specially since hes on cable they are somtimes unstable together but most of the time they will work hand in hand
Quote:
For all window$ users Zone alarm is one of the better products around, and the free version will do the job with little or no configuration. I also recommend connecting to cable through a router/gateway. That gives you a hardware firewall and isn't that expensive, even if you only have one computer. Incidentally, Road Runner offers free AV and Firewall software and has been notifying its users that they need to install it. IMO this guy is an idiot who deserves what he got.
totally agree zone alarm is excellent but i also love sygate more advanced options both free id recommend running two at once specially since hes on cable they are somtimes unstable together but most of the time they will work hand in hand
#13
Dapper Dan
- Pooh-Bah
-
- Group: Moderators
- Posts: 1703
- Joined: 27-September 03
Posted 18 April 2004 - 06:47 AM
When I was using Windows, (and thank god that's behind me now.. ;)), I did prefer Sygate over ZoneAlarm. To me, Sygate was just more on top of what the real issues were with Windows security. I also felt that Sygate gave more tools and utilities by which to manage security, and was more suited for tailoring it for one's specific needs. Both are good though.
Share this topic:
Page 1 of 1