My new linux box got hacked yesterday. I was careless.
My ADSL router has UPnP support and it is turned on by default. I enabled "Remote Desktop" in Linux - which is a version of VNC - and decided not to set a password, as it would not be accessible from outside the local network. That was my first mistake.
Last night I noticed a second connection to the Linux box. Someone was using the browser, had connected to Western Union and was trying to install the Flash plugin. They had not got very far: Fedora 14 does not install Flash on a 64-bit system, as it is still in beta, so the install is not straightforward. I was able to disconnect this errant person before they got any further. I then disconnected the ADSL line from the modem to prevent another attempt and proceeded to diagnose what had happened.
I checked the preferences for VNC and noticed that the "Automatically configure the network" check box had been selected and that it was reporting an external address that could be used to connect to it. I unchecked the box and it changed to reporting the local IP address again. The penny dropped. A quick check of the modem and, sure enough, UPnP was enabled. I disabled it immediately. Now VNC was unable to reconfigure the router. I could find nowhere in all the menus on the router where it reported the UPnP settings that had been made, and I had to turn the power off to make sure the port forward was definitely cleared. I also set a password for VNC.
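The router's menus never showed the forward that VNC had opened, but the same UPnP service that created it (WANIPConnection on the Internet Gateway Device) can be asked to list its whole port-mapping table. This is an added example, not code from the original post: a standard-library Python script that finds the gateway with SSDP, reads the service's control URL from the device description, and walks GetGenericPortMappingEntry until the router reports the end of the table. The service URN, SOAP action and field names are from the UPnP IGD specification; the XML snippets checked below are constructed samples.

```python
import itertools, re, socket, sys, urllib.error, urllib.parse, urllib.request

# UPnP IGD service that holds the port-mapping table (PPPoE routers expose WANPPPConnection instead)
WANIP = "urn:schemas-upnp-org:service:WANIPConnection:1"
FIELDS = ("NewExternalPort", "NewProtocol", "NewInternalPort", "NewInternalClient", "NewPortMappingDescription")

def discover_igd(timeout=2.0):
    # SSDP M-SEARCH on the LAN for a router offering WANIPConnection; returns its description URL
    msg = ("M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
           'MAN: "ssdp:discover"\r\nMX: 1\r\nST: %s\r\n\r\n' % WANIP).encode()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(msg, ("239.255.255.250", 1900))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    m = re.search(rb"(?im)^location:\s*(\S+)", data)
    return m.group(1).decode() if m else None

def parse_control_url(description_xml, base_url):
    # Absolute controlURL of the WANIPConnection service, taken from the device description XML
    m = re.search(r"<serviceType>%s</serviceType>.*?<controlURL>(.*?)</controlURL>" % re.escape(WANIP), description_xml, re.S)
    return urllib.parse.urljoin(base_url, m.group(1).strip()) if m else None

def soap_get_mapping(control_url, index):
    # Row `index` of the router's port-mapping table; an HTTP 500 body is returned too, since UPnPError 713 in it means "past the last row"
    body = ('<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
            's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:GetGenericPortMappingEntry xmlns:u="%s">'
            '<NewPortMappingIndex>%d</NewPortMappingIndex></u:GetGenericPortMappingEntry></s:Body></s:Envelope>' % (WANIP, index))
    req = urllib.request.Request(control_url, data=body.encode(), headers={
        "Content-Type": 'text/xml; charset="utf-8"', "SOAPAction": '"%s#GetGenericPortMappingEntry"' % WANIP})
    try:
        return urllib.request.urlopen(req, timeout=5).read().decode(errors="replace")
    except urllib.error.HTTPError as e:
        return e.read().decode(errors="replace")

def parse_mapping(soap_xml):
    # One table row as a dict, or None when the reply is a UPnP error (end of the table)
    if "<errorCode>" in soap_xml or "<NewExternalPort>" not in soap_xml:
        return None
    return {f: (re.search(r"<%s>(.*?)</%s>" % (f, f), soap_xml, re.S) or [None, ""])[1].strip() for f in FIELDS}

def list_mappings(control_url, limit=128):
    # Query rows 0, 1, 2, ... and stop at the first error reply
    return list(itertools.takewhile(lambda r: r is not None, (parse_mapping(soap_get_mapping(control_url, i)) for i in range(limit))))

if __name__ == "__main__":
    loc = discover_igd() or sys.exit("no UPnP gateway answered on the LAN")
    desc = urllib.request.urlopen(loc, timeout=5).read().decode(errors="replace")
    for r in list_mappings(parse_control_url(desc, loc)):
        print("%(NewProtocol)s %(NewExternalPort)s -> %(NewInternalClient)s:%(NewInternalPort)s  %(NewPortMappingDescription)s" % r)
```

Any host on the LAN can re-create such a mapping for as long as UPnP stays enabled on the router, so an empty table is only meaningful once UPnP is off.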
I have used the port scanner at grc.com to check the ports and they are all blocked. I have also disabled ping, as Shields Up! reported my modem was responding to it. Now my ports are quiet and my modem does not respond to pings.
This is not an unknown exploit. I must have accidentally enabled the network configuration option in VNC, because you do not have to click exactly on the check box to enable it (clicking on the descriptive text is all that is needed). I was lucky the intruder did not decide to do anything malicious. They were trying to leave no trace. A careful check shows nothing else was done. The browser history shows an IP location check was done, followed by the Western Union web page being opened and then an attempt to install Flash. The intruder even opened a new browser tab, which would have left no trace, and they could have cleared the browser history when they were finished.
So I was lucky. I am now going to be more careful. UPnP is going to stay turned off and VNC will always have a password. I have blocked the VNC ports on the router by forwarding them to a device which does not respond to them, and tested using telnet and Shields Up! Hopefully that will keep out the intruder. Fortunately my IP address has changed - one advantage of not having a static IP.
[Added 27/Jan/2013] You may see this:
"Another user is trying to view your desktop. A user on the computer is
trying to remotely view or control your desktop do you want to allow
Thanks Jerry for mentioning that message. I think I had the "ask for confirmation" option disabled.