LinuxCrusader, posted April 14, 2004:

One of my friends just told me that it seems someone has been accessing his desktop. Here's the scoop: he has two systems dual-booting on his computer, Mandrake 10C and WinXP. When he was running XP, he said that all of a sudden his Linux OS opened up and it seemed like someone was accessing all the files on his computer, and now there's even an icon, or shortcut, placed on his desktop by whoever was accessing his computer. Does anybody know what's happening here? Is it because he has Linux installed on his computer now? I'm imagining that someone is using VMware, or one of those programs that are used to access a computer remotely. I'm not sure if it is because he has Mandrake on his computer, or if it is a security hole in XP or Linux... Please post your suggestions here on how he can fix this problem. I'll post more specifics later.
SoulNothing, posted April 15, 2004:

First thing I've got to ask is: does your friend have a firewall or any Internet protection? Because I've dealt with crackers before and this has happened before. Since I have constant access I run two firewalls. I'm sure danleff or DapperDan can help more, but I'll give some links to some firewalls. Grab this as a start: http://download.com.com/3000-2092-10247416.html?tag=lst-0-1 . Sygate is really good; use this to monitor who's gaining access. I would also run a virus scan in case a backdoor is installed. http://download.com.com/3000-2092-10282359.html?tag=lst-0-1 . ZoneAlarm is not as advanced but it helps. What these will do is ask for a guarantee as to what gains Internet access and what can access your computer. Also disable any P2P networks. I'd need a bit more info for more help; I'm just providing some first-step security, as there isn't enough info for an exact answer. Also, possibly find the source of the icon and remove it. I know this isn't the most help, but at least the firewalls will be a start.
Dapper Dan, posted April 15, 2004:

He was in XP and all of a sudden his Linux opened up? As in, the computer suddenly went down and rebooted into Linux? If it is an XP security issue, do what SoulNothing said and get a good, strong and restrictive firewall. If it is Linux that is cracked (which is much more unlikely), tell him to change his usernames and passwords in both immediately and reconfigure the firewall to "paranoid." Especially have him change root's password to something very abstract. I'd be willing to bet it's an XP security issue. If that is the case, he should only go online using Linux until he gets it fixed. I hope your friend gets it sorted out.
blackpage, posted April 15, 2004:

Hey there,

Firstly: unplug the network cable/connection to the Internet.

IN CASE THE PROBLEM COMES FROM XP: in addition to what SoulNothing and DapperDan have already mentioned, I'd also blame XP first, so you should tell your friend to first close the "usual entrances". You haven't specified how your friend is connected to the Internet, but in case this connection is established via a network card (NIC), make sure that "File and Printer Sharing" is disabled in the respective NIC's properties (Control Panel -> Network -> the NIC in question -> Properties). I don't know XP, and whether the built-in "firewall" closes these ports automatically, but it should be worth a look. Also I'd recommend a thorough check of XP to see if there's any malware working in the background (a virus scanner should be at hand, and tools like "HijackThis" have also proven valuable). Besides P2P, and the things my co-posters have mentioned, disable all RDP features (remote desktop) that might be running. These are "NetMeeting" or "VNC", just to name two popular ones.

IN CASE THE PROBLEM COMES FROM MDK (pretty unlikely): dunno what packages your friend chose during installation, but you can use the drakconf application to see what daemons/services are started at boot time, and which might allow remote access. Look out for stuff like "TightVNC", "OpenSSH" (sshd), "ProFTP" or "Apache" (the latter ones are of minor concern). You can check these settings in Drakconf under "System" -> "Services" (or similar; I've got a German version here). Also in Drakconf you can bring up the MDK firewall (shorewall). It could be a good idea to use this easy-to-configure tool for a start in tightening and hardening your friend's machine.

Hopefully you/your friend can get this fixed ... and, as it is so important these days: get some firewall solution as mentioned by SN & DD. For the XP side I'd also recommend a look at the Kerio products, which are quite flexible (still, though, I miss my favourite ... "where art thou, AtGuard"). If you want to peek into a really semi-professional solution, take a look at WinRoute. For two years now we have used this solution as NAT router and firewall for parts of our internal network, and what can I say: it's kick-ass (btw. it runs under W2K/P66/120MB RAM, so it's not as "hungry" as one might think).

Hope this helps.
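The Mandrake-side check blackpage describes (which daemons are listening on the network, and which are started at boot) can be scripted rather than clicked through in Drakconf. The script below is an added example and is not part of the thread or of any Mandrake tool; it assumes the netstat and chkconfig column layouts of that era, and the SAMPLE_* data it runs over is constructed so it executes offline. The watch list of daemon names is an assumption too; extend it to taste.

```shell
#!/bin/sh
# Added example (not from the thread): flag daemons on the Linux side that a
# remote party could reach. On the real machine you would pipe live output in:
#   netstat -tlnp | flag_remote_listeners      (as root, so program names show)
#   chkconfig --list | flag_boot_services
# The SAMPLE_* blocks below are constructed data so the script runs offline.

# Daemons worth a second look on a desktop box: remote shell and remote
# desktop, file transfer, web, SMB/NFS. Extended regex matched against the
# program name in netstat's PID/Program column and chkconfig's service column.
# (Assumed list; not taken from any Mandrake default.)
WATCH_PROGS='sshd|Xvnc|x0vncserver|vncserver|proftpd|httpd|httpd2|telnetd|telnet|rsh|rlogin|smbd|nmbd|rpc.nfsd'

# Read "netstat -tlnp" output on stdin. Print "PROTO ADDR:PORT PROGRAM" for
# every listener that is (a) bound to something other than loopback and
# (b) a watched program. Loopback-only listeners (cupsd, a local MTA) are not
# reachable from the network and are skipped.
flag_remote_listeners() {
    awk -v pat="^($WATCH_PROGS)\$" '
        NR <= 2 { next }                           # two header lines
        {
            proto = $1; laddr = $4; pidprog = $NF
            n = split(laddr, a, ":"); addr = a[1]; port = a[n]
            if (addr == "") addr = "::"            # IPv6 wildcard ":::22"
            if (addr == "127.0.0.1" || addr == "::1") next
            m = split(pidprog, p, "/")             # "901/sshd", or "-" if not root
            prog = (m >= 2) ? p[2] : pidprog
            if (prog ~ pat) print proto, addr ":" port, prog
        }'
}

# Read "chkconfig --list" output on stdin. Print watched SysV services that
# start in runlevel 3 or 5, plus watched xinetd-managed services that are on.
flag_boot_services() {
    awk -v pat="^($WATCH_PROGS)\$" '
        NF >= 7 && $1 ~ pat {                      # SysV line: name 0:off 1:off ...
            on = ""
            for (i = 2; i <= NF; i++) if ($i ~ /^[35]:on$/) on = on " " $i
            if (on != "") print $1 ":" on
        }
        NF == 2 && $1 ~ /:$/ && $2 == "on" {       # xinetd line: "telnet: on"
            name = $1; sub(/:$/, "", name)
            if (name ~ pat) print name " (xinetd): on"
        }'
}

# Constructed sample output: a desktop install with sshd, VNC and Apache on.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      812/cupsd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      901/sshd
tcp        0      0 0.0.0.0:5901            0.0.0.0:*               LISTEN      1224/Xvnc
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      955/master
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1002/httpd2'

SAMPLE_CHKCONFIG='sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
cups            0:off   1:off   2:on    3:on    4:on    5:on    6:off
proftpd         0:off   1:off   2:off   3:off   4:off   5:off   6:off
httpd           0:off   1:off   2:on    3:on    4:on    5:on    6:off
xinetd based services:
        telnet: on
        rsync:  off'

echo "== Listening on the network right now =="
printf '%s\n' "$SAMPLE_NETSTAT" | flag_remote_listeners
echo "== Started at boot (runlevels 3/5) or via xinetd =="
printf '%s\n' "$SAMPLE_CHKCONFIG" | flag_boot_services
```

On the sample data the first function reports sshd on port 22, Xvnc on 5901 and httpd2 on 80 and stays silent about cupsd and the MTA, which are loopback-only; the second reports sshd and httpd in runlevels 3 and 5 and telnet under xinetd, but not proftpd, which is installed but off. Anything the first list shows that the owner did not deliberately enable is the thing to turn off (or to firewall with shorewall) before the machine goes back online.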
LinuxCrusader, posted April 15, 2004:

Yeah, the bad news is that he doesn't have a firewall! I asked him to post the specifics in here. Hopefully he'll do it later on today, but yes... he said that when he came back from work a lot of his files, like his C: drive and other files, were showing on his WinXP desktop, and a bunch of his files had been modified. His computer apparently rebooted and went into Linux, and they were messing around with Kopete and whatever they could get their hands on. I didn't know that someone could find out a person has Linux on their computer by going through Windows. I'm guessing they saw the types of partitions he had and a light clicked on in their heads that it was a Linux HD, but still, I think he set up his Linux installation to not act as a server, or in other words not to allow any FTP, etc. remote connections to his computer. Shouldn't shorewall catch this? We'll see what he says...
danleff, posted April 16, 2004:

This sure sounds like a Win XP exploit. Someone is using Remote Desktop to access his computer. I bet he has a cable Internet connection. If so, he needs to disconnect his computer(s) from the connection and also call the cable company to report the intrusion. They may have some troubleshooting that he can implement, as well. For example, RoadRunner has free firewall software that he can download, if he has this service. If he has a wireless connection, then someone in the immediate neighborhood could be hacking his connection. If so, he needs to secure the wireless system, or revert to cable only and see if the intrusion stops.
LinuxCrusader, posted April 16, 2004:

You're mostly right, Danleff. He's connected through cable and it is RoadRunner, too! He only had the WinXP firewall running, which we all know doesn't even count, but would it have logged who caused the intrusion? So he has to report this to his cable company... I'm guessing he's still having trouble, 'cause he hasn't posted anything yet...
danleff, posted April 16, 2004:

The idea is to notify RoadRunner to put them on notice that this is happening. This way, they may be able to assist in identifying the issue, even if at their end. Also, I wonder if this is on wireless, which could be any of his neighbors! Or anyone in the neighborhood cruising the same, who hacked in. What troubles me is that the person may have some knowledge of Linux; of course, they may have just been snooping around. This points to the need to have your system protected, even plugging some of the holes with XP updates.
jimf43, posted April 17, 2004:

Originally posted by danleff:
Quote: The idea is to notify RoadRunner to put them on notice that this is happening. This way, they may be able to assist in identifying the issue, even if at their end. Also, I wonder if this is on wireless, which could be any of his neighbors! Or anyone in the neighborhood cruising the same, who hacked in. What troubles me is that the person may have some knowledge of Linux; of course, they may have just been snooping around. This points to the need to have your system protected, even plugging some of the holes with XP updates.

For all Window$ users, ZoneAlarm is one of the better products around, and the free version will do the job with little or no configuration. I also recommend connecting to cable through a router/gateway. That gives you a hardware firewall and isn't that expensive, even if you only have one computer. Incidentally, Road Runner offers free AV and firewall software and has been notifying its users that they need to install it. IMO this guy is an idiot who deserves what he got.
LinuxCrusader, posted April 17, 2004:

Quote: For all Window$ users, ZoneAlarm is one of the better products around, and the free version will do the job with little or no configuration. I also recommend connecting to cable through a router/gateway. That gives you a hardware firewall and isn't that expensive, even if you only have one computer. Incidentally, Road Runner offers free AV and firewall software and has been notifying its users that they need to install it. IMO this guy is an idiot who deserves what he got.

I think he's connected through a router, but no offending, please. He's my friend and he's having a hard time right now.
jimf43, posted April 17, 2004:

Quote: I think he's connected through a router, but no offending, please. He's my friend and he's having a hard time right now.

Sorry, but your friend is in the process of learning a hard lesson ;-). If I had to deal with the situation, I'd (1) disconnect from the Internet, (2) back up any data (only data), (3) reformat any HDs, and reinstall XP and MD. It's the only way to make sure that the system's clean. If he has a backup image that will work too, but it doesn't sound like he's real prepared. Install ZoneAlarm before you reconnect. If he is using a router with a hardware firewall (doesn't sound like it), make sure that is configured. Also, make sure that the firewall server is running and configured in MD. I'm pretty sure after this experience he won't make the same mistakes again ;-).
SoulNothing, posted April 18, 2004:

Originally posted by jimf43:
Quote: For all Window$ users, ZoneAlarm is one of the better products around, and the free version will do the job with little or no configuration. I also recommend connecting to cable through a router/gateway. That gives you a hardware firewall and isn't that expensive, even if you only have one computer. Incidentally, Road Runner offers free AV and firewall software and has been notifying its users that they need to install it. IMO this guy is an idiot who deserves what he got.

Totally agree. ZoneAlarm is excellent, but I also love Sygate; more advanced options, both free. I'd recommend running two at once, especially since he's on cable. They are sometimes unstable together, but most of the time they will work hand in hand.
Dapper Dan, posted April 18, 2004:

When I was using Windows (and thank god that's behind me now...), I did prefer Sygate over ZoneAlarm. To me, Sygate was just more on top of what the real issues were with Windows security. I also felt that Sygate gave more tools and utilities by which to manage security, and was more suited to tailoring it for one's specific needs. Both are good though.