Tuesday, 15 March 2011

Beware vnc and upnp

My new linux box got hacked yesterday. I was careless.

My ADSL router has upnp support and it is turned on by default. I enabled "Remote Desktop" in Linux - which is a version of vnc - and decided not to set a password as it would not be accessible from outside the local network. That was my first mistake.

Last night I noticed a second connection to the linux box. Someone was using the browser and had connected to Western Union and was trying to install the flash plugin. They had not got very far as Fedora 14 does not install Flash on a 64bit system as it is still in beta so the install is not straightforward. I was able to disconnect this errant person before they got any further and I then disconnected the ADSL line from the modem to prevent another attempt and proceeded to diagnose what had happened.

I checked the preferences for VNC and noticed the automatically configure the network check box had been selected and that it was reporting an external address could be used to connect to it. I unchecked the box and it changed to reporting the local IP address again. The penny dropped. A quick check of the modem and, sure enough, upnp was enabled. I disabled it immediately. Now VNC was unable to reconfigure the router. I could find nowhere in all the menus on the router where it reported the upnp settings that had been made and I had to turn the power off to make sure the port forward was definitely cleared. I also set a password for VNC.

I have used the port scanner at grc.com to check the ports and they all are blocked. I have also disabled ping as Shields Up! reported my modem was responding to it. Now my ports are quiet and my modem does not respond to pings.

This is not an unknown exploit. I must have accidentally enabled the network configuration option in VNC because you do not have to click exactly on the check box to enable it (clicking on the descriptive text is all that is needed). I was lucky the intruder did not decide to do anything malicious. They were trying to leave no trace. A careful check shows nothing else was done. The browser history shows an IP location check was done, followed by the Western Union web page being opened and then an attempt to install flash. The intruder even opened a new browser tab which would have left no trace and they could have cleared the browser history when they were finished.

So I was lucky. I am now going to be more careful. Upnp is going to stay turned off and VNC will always have a password. I have blocked the VNC ports on the router by forwarding them to a device which does not respond to them and tested using telnet and Shields Up! Hopefully that will keep out the intruder. Fortunately my IP address has changed - one advantage of not having a static IP.

[Added 27/Jan/2013] You may see this:
"Another user is trying to view your desktop. A user on the computer is trying to remotely view or control your desktop do you want to allow this".
Thanks Jerry for mentioning that message. I think I had the ask for confirmation option disabled.
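The router menus above gave no way to see what the desktop had asked the router to open over UPnP, but the router's WANIPConnection service will list its port-mapping table if asked. The following audit script is an added example, not code from the original post: it walks that table with GetGenericPortMappingEntry and flags any mapping that lands on a remote-access port such as VNC's 5900. It assumes you have already found the service's control URL from the router's UPnP device description (the `control_url` parameter is a placeholder), and the `SAMPLE` response is constructed to show the shape of one entry.

```python
import itertools
import re
import urllib.error
import urllib.request

# Remote-access services a home router should never be forwarding from the internet.
REMOTE_ACCESS_PORTS = {5900: "VNC", 5901: "VNC", 3389: "RDP", 22: "SSH", 23: "telnet"}
SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"

def soap_body(index):
    """Build the GetGenericPortMappingEntry request for mapping number `index`."""
    return ('<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
            's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
            f'<u:GetGenericPortMappingEntry xmlns:u="{SERVICE}">'
            f'<NewPortMappingIndex>{index}</NewPortMappingIndex>'
            '</u:GetGenericPortMappingEntry></s:Body></s:Envelope>')

def parse_mapping(xml_text):
    """Pull the fields of one mapping out of the router's SOAP response."""
    def field(name):
        m = re.search(rf"<{name}>(.*?)</{name}>", xml_text, re.S)
        return m.group(1).strip() if m else ""
    return {"ext_port": int(field("NewExternalPort")), "proto": field("NewProtocol"),
            "client": field("NewInternalClient"), "int_port": int(field("NewInternalPort")),
            "desc": field("NewPortMappingDescription")}

def risk(mapping):
    """Explain why a mapping is dangerous, or return None if it is not a remote-access port."""
    svc = REMOTE_ACCESS_PORTS.get(mapping["int_port"])
    if svc is None:
        return None
    return (f"{svc} on {mapping['client']}:{mapping['int_port']} is reachable from the internet "
            f"via external port {mapping['ext_port']}/{mapping['proto']} ({mapping['desc']})")

def list_mappings(control_url, timeout=3):
    """Walk the router's mapping table by index until it answers with a SOAP fault (713 = end)."""
    headers = {"Content-Type": 'text/xml; charset="utf-8"',
               "SOAPAction": f'"{SERVICE}#GetGenericPortMappingEntry"'}
    for index in itertools.count():
        req = urllib.request.Request(control_url, soap_body(index).encode(), headers)
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                yield parse_mapping(resp.read().decode())
        except urllib.error.URLError:  # HTTP 500 fault past the last entry, or router unreachable
            return

# Constructed sample: what a router returns for the VNC forward the desktop added over UPnP.
SAMPLE = """<s:Envelope><s:Body><u:GetGenericPortMappingEntryResponse><NewExternalPort>5900</NewExternalPort>
<NewProtocol>TCP</NewProtocol><NewInternalPort>5900</NewInternalPort><NewInternalClient>192.168.1.10</NewInternalClient>
<NewPortMappingDescription>Remote Desktop</NewPortMappingDescription></u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"""
```

Run `for m in list_mappings(control_url): print(risk(m) or m)` against your own gateway to see every forward it holds, including ones its web menus never display.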


Jerry said...

Yep, same thing happened to me this morning.

Last night, I booted up an ubuntu 10 vm I hadn't used in months and walked in this morning to these messages from remote desktop asking if I wanted to let someone access my machine.

Which is spooky of course, because behind a nat firewall at home, no one from Egypt or Thailand or Russia should be able to get to a vm running on my desktop.

Seems very stupid for ubuntu desktop to ship with remote desktop to configure the router via upnp. And it seems poor that vnc doesn't log access in /var/log/anywhere. And it seems really poor that my Netgear router doesn't keep a log of the last 24 hours of UPNP configurations.

Hey, if you are still maintaining this blog, you may consider adding the following text to it:

"Another user is trying to view your desktop. A user on the computer is trying to remotely view or control your desktop do you want to allow this".

That's what I googled at first when trying to solve the problem. AFTER I figured out the issue, I googled vnc upnp and found your blog post. But you may be able to help others find your post in the future a bit easier.


Michael Taylor said...

Thanks Jerry,
Sometimes it is hard to find anything useful with google until you figure out the best phrase to search on!

Cav said...

Same thing here...Googling this and reading your post helped me identify exactly what was going on. In my case, I first noticed something fishy when my '.xsession-errors' log file would grow by gigabytes per hour until my disk ran out of space. Looking at this file showed obvious brute-force authentication errors from VNC. Poked around for a while and found the Remote Desktop uPnP option enabled by default in my CentOS distribution...seriously??

Looking through my browser history on this machine, someone had actually succeeded in getting in and accessing PayPal...luckily not MY PayPal.

Definitely learned a lesson here. Never assume your machine is secure out-of-the-box, and always have an intimate knowledge of your router settings.