
Beware VNC and UPnP

My new linux box got hacked yesterday. I was careless.

My ADSL router has UPnP support and it is turned on by default. I enabled "Remote Desktop" in Linux - which is a version of VNC - and decided not to set a password as it would not be accessible from outside the local network. That was my first mistake.

Last night I noticed a second connection to the Linux box. Someone was using the browser and had connected to Western Union and was trying to install the Flash plugin. They had not got very far as Fedora 14 does not install Flash on a 64-bit system as it is still in beta so the install is not straightforward. I was able to disconnect this errant person before they got any further and I then disconnected the ADSL line from the modem to prevent another attempt and proceeded to diagnose what had happened.

I checked the preferences for VNC and noticed the "automatically configure the network" check box had been selected and that it was reporting an external address could be used to connect to it. I unchecked the box and it changed to reporting the local IP address again. The penny dropped. A quick check of the modem and, sure enough, UPnP was enabled. I disabled it immediately. Now VNC was unable to reconfigure the router. I could find nowhere in all the menus on the router where it reported the UPnP settings that had been made and I had to turn the power off to make sure the port forward was definitely cleared. I also set a password for VNC.

I have used the port scanner at grc.com to check the ports and they all are blocked. I have also disabled ping as Shields Up! reported my modem was responding to it. Now my ports are quiet and my modem does not respond to pings.

This is not an unknown exploit. I must have accidentally enabled the network configuration option in VNC because you do not have to click exactly on the check box to enable it (clicking on the descriptive text is all that is needed). I was lucky the intruder did not decide to do anything malicious. They were trying to leave no trace. A careful check shows nothing else was done. The browser history shows an IP location check was done, followed by the Western Union web page being opened and then an attempt to install Flash. The intruder even opened a new browser tab which would have left no trace and they could have cleared the browser history when they were finished.

So I was lucky. I am now going to be more careful. UPnP is going to stay turned off and VNC will always have a password. I have blocked the VNC ports on the router by forwarding them to a device which does not respond to them and tested using telnet and Shields Up! Hopefully that will keep out the intruder. Fortunately my IP address has changed - one advantage of not having a static IP.
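
The router's menus did not show the mapping vino had created, but the router will tell you itself if you ask over UPnP. The script below is an added example, not code from the original post or from vino: it speaks the standard UPnP IGD protocol (SSDP discovery, then SOAP actions on the router's WANIPConnection or WANPPPConnection service), which is the same channel vino's "automatically configure the network" option uses to get TCP 5900 forwarded from the Internet. It lists every mapping, flags the ones that hand out remote control of a host (VNC, SSH, RDP and so on) and, with --delete, removes those. The router address and control path that appear in the comments, and the sample reply embedded for the offline self-check, are constructed, not taken from the author's router.

```python
"""List (and optionally delete) a UPnP router's port mappings over standard IGD (SSDP + SOAP).
Added example, not the post author's code; vino uses this same channel to get TCP 5900 forwarded."""
import re
import socket
import sys
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urljoin

SSDP_ADDR = ("239.255.255.250", 1900)
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
WAN_SERVICES = ("urn:schemas-upnp-org:service:WANIPConnection:1",
                "urn:schemas-upnp-org:service:WANPPPConnection:1")
DEV_NS = "{urn:schemas-upnp-org:device-1-0}"
REMOTE_ACCESS_PORTS = {22: "SSH", 23: "telnet", 3389: "RDP", 5800: "VNC over HTTP", 5900: "VNC"}  # host control, not games
# Constructed GetGenericPortMappingEntry reply (the shape a real router returns), for the offline self-check.
SAMPLE_RESPONSE = (
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
    '<u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
    "<NewRemoteHost></NewRemoteHost><NewExternalPort>5900</NewExternalPort><NewProtocol>TCP</NewProtocol>"
    "<NewInternalPort>5900</NewInternalPort><NewInternalClient>192.168.1.10</NewInternalClient><NewEnabled>1</NewEnabled>"
    "<NewPortMappingDescription>vino</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration>"
    "</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>")

def discover_igd(timeout=2.0):
    """Multicast an SSDP M-SEARCH; return the LOCATION (description URL) of the first gateway that answers."""
    msg = ("M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
           f'MAN: "ssdp:discover"\r\nMX: 2\r\nST: {IGD_ST}\r\n\r\n').encode()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(msg, SSDP_ADDR)
        try:
            data, _ = s.recvfrom(65535)
        except socket.timeout:
            return None
    m = re.search(rb"(?im)^location:\s*(\S+)", data)
    return m.group(1).decode() if m else None

def find_wan_service(description_xml, base_url):
    """From the root device description, return (serviceType, absolute controlURL) of the WAN connection service."""
    for svc in ET.fromstring(description_xml).iter(DEV_NS + "service"):
        stype = (svc.findtext(DEV_NS + "serviceType") or "").strip()
        if stype in WAN_SERVICES:
            return stype, urljoin(base_url, (svc.findtext(DEV_NS + "controlURL") or "").strip())
    return None, None

def soap_call(control_url, service_type, action, args):
    """POST one SOAP action to the control URL; returns the body, raises HTTPError on a UPnP fault."""
    arg_xml = "".join(f"<{k}>{v}</{k}>" for k, v in args.items())
    body = ('<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
            's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
            f'<u:{action} xmlns:u="{service_type}">{arg_xml}</u:{action}></s:Body></s:Envelope>').encode()
    req = urllib.request.Request(control_url, data=body, headers={
        "Content-Type": 'text/xml; charset="utf-8"', "SOAPAction": f'"{service_type}#{action}"'})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read()

def parse_mapping(response_xml):
    """Flatten the New* elements of a GetGenericPortMappingEntry reply into {'ExternalPort': '5900', ...}."""
    fields = {}
    for el in ET.fromstring(response_xml).iter():
        tag = el.tag.rsplit("}", 1)[-1]
        if tag.startswith("New"):
            fields[tag[3:]] = (el.text or "").strip()
    return fields

def remote_access_label(mapping):
    port = mapping.get("InternalPort", "")   # name of the remote-control service exposed, or None
    return REMOTE_ACCESS_PORTS.get(int(port)) if port.isdigit() else None

def list_mappings(control_url, service_type):
    """Walk the table by index; past the last entry the router answers HTTP 500 (UPnP error 713)."""
    mappings = []
    for index in range(1000):
        try:
            reply = soap_call(control_url, service_type, "GetGenericPortMappingEntry", {"NewPortMappingIndex": index})
        except urllib.error.HTTPError:
            break
        mappings.append(parse_mapping(reply))
    return mappings

def delete_mapping(control_url, service_type, mapping):
    """Remove one mapping; a vino still running with use-upnp on will simply add it back."""
    soap_call(control_url, service_type, "DeletePortMapping", {"NewRemoteHost": mapping.get("RemoteHost", ""),
              "NewExternalPort": mapping["ExternalPort"], "NewProtocol": mapping["Protocol"]})

if __name__ == "__main__":
    location = discover_igd() or sys.exit("no UPnP gateway answered (UPnP is off, or the router is on another subnet)")
    with urllib.request.urlopen(location, timeout=5) as resp:   # e.g. http://192.168.1.1:5000/rootDesc.xml (assumed)
        service_type, control_url = find_wan_service(resp.read(), location)
    control_url or sys.exit("gateway description lists no WAN*Connection service")
    for m in list_mappings(control_url, service_type):
        flag = remote_access_label(m)
        print(m.get("Protocol"), m.get("ExternalPort"), "->", f"{m.get('InternalClient')}:{m.get('InternalPort')}",
              repr(m.get("PortMappingDescription")), f"<-- {flag} exposed to the Internet" if flag else "")
        if flag and "--delete" in sys.argv:
            delete_mapping(control_url, service_type, m)
```

Run it from any machine on the LAN while UPnP is still enabled on the router; a mapping with lease duration 0 is permanent under the IGD specification, which is why only a DeletePortMapping call or a router power cycle clears it, matching what the author saw. Deleting the mapping is only a stop-gap: the fix is to turn UPnP off on the router and the auto-configure option off in vino, then confirm from outside (Shields Up! or a scan from a mobile connection) that 5900 no longer answers.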

[Added 27/Jan/2013] You may see this:
"Another user is trying to view your desktop. A user on the computer is trying to remotely view or control your desktop do you want to allow this".
Thanks Jerry for mentioning that message. I think I had the ask for confirmation option disabled.
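
The three settings that combined to let the intruder in (UPnP auto-configuration on, no password, and the confirmation prompt off) can all be read back from vino itself. The script below is an added example, not the author's code or vino's: it parses the output of `gsettings list-recursively org.gnome.Vino` and reports each weak value with the command that fixes it. It assumes vino's GSettings schema org.gnome.Vino and the key names that schema ships (use-upnp, authentication-methods, prompt-enabled, require-encryption); Fedora 14's vino stored the same options as GConf keys under /desktop/gnome/remote_access instead, so on a box of that vintage read them with gconftool-2. The sample output is constructed to match the post, not captured from the author's machine.

```python
"""Audit vino ("Remote Desktop" in GNOME) for the settings that let an outsider straight in.

Added example, not the post author's code. Assumes vino's GSettings schema org.gnome.Vino;
Fedora 14's vino kept the same options as GConf keys under /desktop/gnome/remote_access.
"""
import shutil
import subprocess

SCHEMA = "org.gnome.Vino"
# `gsettings list-recursively org.gnome.Vino` on a box set up as the post describes
# (constructed sample, not captured from the author's machine).
SAMPLE = """\
org.gnome.Vino enabled true
org.gnome.Vino prompt-enabled false
org.gnome.Vino use-upnp true
org.gnome.Vino authentication-methods ['none']
org.gnome.Vino vnc-password 'keyring'
org.gnome.Vino require-encryption false
org.gnome.Vino view-only false
"""
# Same keys after the fixes the post ends up with (also constructed).
HARDENED = """\
org.gnome.Vino enabled true
org.gnome.Vino prompt-enabled true
org.gnome.Vino use-upnp false
org.gnome.Vino authentication-methods ['vnc']
org.gnome.Vino vnc-password 'keyring'
org.gnome.Vino require-encryption true
org.gnome.Vino view-only false
"""

def parse_gsettings(text):
    """Turn 'schema key value' lines into {key: value}; values stay in GVariant text form ('true', "['vnc']")."""
    settings = {}
    for line in text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) == 3 and parts[0] == SCHEMA:
            settings[parts[1]] = parts[2].strip()
    return settings

def audit(settings):
    """Return (key, why it matters, fix command) for each weak setting; [] when the configuration is safe."""
    findings = []
    def weak(key, why, value):
        findings.append((key, why, f"gsettings set {SCHEMA} {key} {value}"))
    if settings.get("enabled") != "true":
        return findings                      # nothing is listening, so the rest is moot
    if settings.get("use-upnp") == "true":
        weak("use-upnp", "vino asks the router to forward TCP 5900 from the Internet to this host", "false")
    if "'vnc'" not in settings.get("authentication-methods", ""):
        weak("authentication-methods", "anyone who reaches the port gets the desktop without a password", "\"['vnc']\"")
    if settings.get("prompt-enabled") != "true":
        weak("prompt-enabled", "sessions start without the 'Another user is trying to view your desktop' prompt", "true")
    if settings.get("require-encryption") != "true":
        weak("require-encryption", "password and screen contents cross the network in the clear", "true")
    return findings

def live_settings():
    """Read the real settings when gsettings is available; otherwise use the constructed sample."""
    if shutil.which("gsettings"):
        out = subprocess.run(["gsettings", "list-recursively", SCHEMA], capture_output=True, text=True).stdout
        if out.strip():
            return parse_gsettings(out)
    return parse_gsettings(SAMPLE)

if __name__ == "__main__":
    for key, why, fix in audit(live_settings()):
        print(f"[weak] {key}: {why}\n       fix: {fix}")
```

Note that the prompt is a second line of defence, not a replacement for a password: the prompt only helps when someone is sitting at the machine to refuse, which is exactly when an intruder working overnight is not expected. On the GConf-era builds the equivalent names use underscores (for example /desktop/gnome/remote_access/use_upnp) and can be read with gconftool-2 --get.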

Comments

Jerry said…
Yep, same thing happened to me this morning.

Last night, I booted up an Ubuntu 10 VM I hadn't used in months and walked in this morning to these messages from remote desktop asking if I wanted to let someone access my machine.

Which is spooky of course, because behind a NAT firewall at home, no one from Egypt or Thailand or Russia should be able to get to a VM running on my desktop.

Seems very stupid for Ubuntu desktop to ship with remote desktop able to configure the router via UPnP. And it seems poor that VNC doesn't log access in /var/log/anywhere. And it seems really poor that my Netgear router doesn't keep a log of the last 24 hours of UPnP configurations.

Hey, if you are still maintaining this blog, you may consider adding the following text to it:

"Another user is trying to view your desktop. A user on the computer is trying to remotely view or control your desktop do you want to allow this".

That's what I googled at first when trying to solve the problem. AFTER I figured out the issue, I googled vnc upnp and found your blog post. But you may be able to help others find your post in the future a bit easier.

Thanks!
Michael Taylor said…
Thanks Jerry,
Sometimes it is hard to find anything useful with Google until you figure out the best phrase to search on!
Cav said…
Same thing here... Googling this and reading your post helped me identify exactly what was going on. In my case, I first noticed something fishy when my '.xsession-errors' log file would grow by gigabytes per hour until my disk ran out of space. Looking at this file showed obvious brute-force authentication errors from VNC. Poked around for a while and found the Remote Desktop UPnP option enabled by default in my CentOS distribution... seriously??

Looking through my browser history on this machine, someone had actually succeeded in getting in and accessing PayPal...luckily not MY PayPal.

Definitely learned a lesson here. Never assume your machine is secure out-of-the-box, and always have an intimate knowledge of your router settings.

Thanks
Cav
