Geeks With Blogs
Brian Biales because blogging is just the easiest way to remember things

First, what happened:

I can’t believe it, but my home machine was actually hacked into this weekend.  I had installed RealVNC 4.1.1 some time ago, so I could access my machine from afar, although frankly I use RDC much more often, as it is more secure.  I just never turned VNC off…  Well, I sure should have.  See this link for information about the vulnerability in this version of Real VNC:

 

http://secunia.com/advisories/20107/

 

The screen saver always locks my desktop, it keeps the kids off the computer unless authorized.  In the morning when my wife entered the logon password as usual, she watched all the icons on the desktop disappear, all that was left was the wallpaper.  Ctrl-alt-delete did nothing.  I went to another machine to review this one to see what might be wrong, and what I found put a lump in my throat.  The event log showed many connections to VNC, and following the last one, I saw my AntiVirus and many other services being shut down.  Beyond that, nothing was logged, but clearly someone had maliciously invaded my machine!  Paranoia kicked in, and I immediately turned off the machine.  Who knew what it was doing...
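The sequence the event log showed here (repeated remote VNC connections, then the antivirus and other services being stopped) is a pattern a defender can alert on rather than discover the next morning. The script below is an added example and is not code from the original post or from RealVNC: it runs a simple time-window correlation over a handful of constructed sample log lines. The line format, the source address 203.0.113.45 and the service names are all assumptions made for the example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log lines (not from the original post); the line format,
# the source address and the service names are all assumptions for this example.
SAMPLE_LOG = """\
2007-03-25 02:14:03 VNC connection accepted from 203.0.113.45
2007-03-25 02:14:20 VNC connection closed for 203.0.113.45
2007-03-25 02:31:07 VNC connection accepted from 203.0.113.45
2007-03-25 02:31:55 Service Control Manager: service 'AntiVirus' entered the stopped state
2007-03-25 02:32:10 Service Control Manager: service 'Windows Firewall' entered the stopped state
2007-03-25 09:00:00 Service Control Manager: service 'Print Spooler' entered the stopped state
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.*)$")
VNC_ACCEPT_RE = re.compile(r"VNC connection accepted from (\S+)")
SERVICE_STOP_RE = re.compile(r"service '([^']+)' entered the stopped state")

# How long after a remote VNC login a service stop is still treated as related.
WINDOW = timedelta(minutes=10)


def parse_events(log_text):
    """Turn raw lines into (timestamp, kind, value) tuples; unrelated lines are dropped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        msg = m.group(2)
        accept = VNC_ACCEPT_RE.search(msg)
        if accept:
            events.append((ts, "vnc_accept", accept.group(1)))
            continue
        stop = SERVICE_STOP_RE.search(msg)
        if stop:
            events.append((ts, "service_stop", stop.group(1)))
    return events


def correlate(events, window=WINDOW):
    """Flag every service stop that follows a VNC login within `window`."""
    alerts = []
    recent_logins = []  # (timestamp, source address) of VNC logins still inside the window
    for ts, kind, value in sorted(events, key=lambda e: e[0]):
        if kind == "vnc_accept":
            recent_logins.append((ts, value))
        elif kind == "service_stop":
            # Drop logins that fell out of the window, then pair the stop with the rest.
            recent_logins = [(t, src) for t, src in recent_logins if ts - t <= window]
            for t, src in recent_logins:
                alerts.append({"service": value, "stopped_at": ts,
                               "vnc_source": src, "login_at": t})
    return alerts


def logins_per_source(events):
    """Count VNC logins per remote address; a burst from one address is itself worth a look."""
    return Counter(value for _, kind, value in events if kind == "vnc_accept")


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("VNC logins per source:", dict(logins_per_source(evs)))
    for a in correlate(evs):
        print(f"ALERT: service '{a['service']}' stopped at {a['stopped_at']}, "
              f"{(a['stopped_at'] - a['login_at']).seconds}s after VNC login from {a['vnc_source']}")
```

On the sample data the 02:14 login is too old to be paired with anything, while the two security-relevant stops at 02:31 and 02:32 are both tied to the 02:31 login; the unrelated Print Spooler stop at 09:00 produces no alert. The window and the set of services worth alerting on are the knobs to tune for a real log source.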

 

What I did about it:

Fortunately for me, I recently started making image backups of my system hard drive.  See my blog entry about that here.  I was very curious what had been changed and altered, but I didn’t want to actually run the machine in its state.  So I booted my GParted CD, and made a copy of the current C: partition to some free space on my external USB drive.  Then I used my BartPE bootable CD, and used DriveImage XML to restore the C: partition to its state the last time I backed it up (about a week earlier).  I then restarted the machine, and, after immediately changing my logon password and disabling RealVNC, I did a file by file comparison between my current (restored) image, and the copy of the image (now the G: drive) that I had made before doing the restore.  I found some odd things; if anyone wants more details, I’d be happy to share them.  I am assuming it was the hacker who changed the following files in my system directory:

Mrt.exe
Msscp.dll
Ntkrnlpa.exe
Ntoskrnl.exe
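The file by file comparison between the restored image and the pre-restore copy is the step that actually tells you what was tampered with, and it is easy to automate by hashing both trees. The script below is an added example, not the author's tooling or anything from DriveImage XML: it computes SHA-256 for every file under two roots, reports modified, added and removed paths, and pulls out the changes under the system directory. The two directory trees it builds are constructed in a temporary folder for the demonstration; their file names and contents are made up, and the `WINDOWS/system32/` prefix is an assumption standing in for the real system directory.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=1 << 20):
    """SHA-256 of a file, read in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def hash_tree(root):
    """Map every regular file under `root` (path relative to root) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in root.rglob("*") if p.is_file()}


def compare_trees(known_good_root, suspect_root):
    """Diff a restored (known-good) image against the copy of the compromised one."""
    good = hash_tree(known_good_root)
    suspect = hash_tree(suspect_root)
    return {
        "modified": sorted(p for p in good if p in suspect and good[p] != suspect[p]),
        "added": sorted(p for p in suspect if p not in good),
        "removed": sorted(p for p in good if p not in suspect),
    }


def system_dir_changes(report, system_prefix="WINDOWS/system32/"):
    """Pull out the changes that matter most: anything touched under the system directory."""
    return sorted(p for paths in report.values() for p in paths if p.startswith(system_prefix))


def build_demo_trees():
    """Construct two small directory trees standing in for the restored C: image and
    the pre-restore copy (the G: drive in the post). All names and contents are made up."""
    base = Path(tempfile.mkdtemp(prefix="imgdiff_"))
    good, suspect = base / "restored", base / "suspect"
    originals = {
        "WINDOWS/system32/ntoskrnl.exe": b"kernel build 1",
        "WINDOWS/system32/mrt.exe": b"mrt build 1",
        "WINDOWS/system32/stale.dll": b"stale",
        "Documents/notes.txt": b"hello",
    }
    for rel, data in originals.items():
        for root in (good, suspect):
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
    # Simulated tampering, applied to the suspect copy only.
    (suspect / "WINDOWS/system32/ntoskrnl.exe").write_bytes(b"kernel build 1 + patched")
    (suspect / "WINDOWS/system32/mrt.exe").write_bytes(b"replaced")
    (suspect / "WINDOWS/system32/dropped.dll").write_bytes(b"new file")
    (suspect / "WINDOWS/system32/stale.dll").unlink()
    return good, suspect


if __name__ == "__main__":
    good, suspect = build_demo_trees()
    report = compare_trees(good, suspect)
    for kind, paths in report.items():
        print(f"{kind}: {paths}")
    print("system directory changes:", system_dir_changes(report))
```

Hashing is used instead of timestamps or sizes because anyone who can replace a kernel file can also reset its modification time; content digests are what a restored image gives you that a live system cannot. For real use, point `compare_trees` at the mounted restored partition and the mounted copy, and treat every entry under the system directory as a file to identify before trusting the machine again.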

 

I am very concerned that the password my wife entered was immediately sent to the hacker.  I have no way of knowing, really.  Having caught it quickly, though, and restoring the entire image, changing my password, and eliminating the source of the hack, I am pretty confident that I have a clean machine once again.

 

What to do to avoid this in the future:

Here is what I did wrong, and what I intend to do to fix it, because this could have been avoided.  If you have ideas that should be added to the list, please let me know…

 

1) Since forever, especially at home, it is my machine, I am master of it, and therefore I am a system administrator.  What a pain, logging off to install some software...  Well, I think I’ll bite the bullet and change my habits.  The hacker could never have stopped the antivirus software or done most of what was done if the machine were normally logged on as a user with little or no authority.  It is now time to protect my machine from myself and only log on with administrative authority when it really is necessary, as all security experts recommend.  This will be a hard habit to break.

 

2) Close ports that are not being used.  I stopped using VNC to access this machine, I should have uninstalled it.  At least I should have removed the port from the virtual server list in my NAT router.

 

3) On a regular basis, visit http://secunia.com/software_inspector/
This site has a Java based inspector that will look for signatures of application versions that are known to have vulnerabilities.  I discovered this when I googled “VNC vulnerability” to see if that could be how the hacker got in.  Google found the page pointed out at the top of this blog about this version of RealVNC, and I would have at least upgraded to a fixed version. 

 

4) Keep doing my drive image backups.  It is probably best to take the external drive off line following the backup, (assuming it is not needed for some other purpose) just to keep it safe from any hacking that does occur.  At least make sure the logged on user has only read access to it, and run the backup under another account.

 

I hope this never happens to you!

Posted on Monday, March 26, 2007 11:58 AM | Disk Partitions, Backup, Windows XP


Comments on this post: I've been hacked!

# re: I've been hacked!
Brian,
I feel for you. As soon as I got your email about it I checked my router to make sure I didn't have my VNC port open. Luckily it was closed. I run WinVNC which creates a log file, I'm guessing RVNC does also. Have you checked in the log to see who and when they logged in? Additionally you can do a reverse IP lookup to get their ISP and general location. A lot of times if it's a dynamic IP the ISP won't have changed it, with the ISP's cooperation you could track it down right to the individual.
grc.com has a great service available for free called ShieldsUP! which tests your connection for open ports. I just ran that also and am in the clear.
Joe
Left by Joe on Mar 26, 2007 1:33 PM

# re: I've been hacked!
Hey, Joe. The event log actually showed the IP address. Whois showed it belongs to British Telecom in London. I did report the incident to the Internet Crime Complaint center at http://www.ic3.gov/. I suppose I could be more proactive and report it directly to BT...
Left by Brian on Mar 26, 2007 2:28 PM

# re: I've been hacked!
I just ran the software inspector and it found some problems with old versions of Flash and Java. Thanks for the link.
Left by Scott Kuhl on Mar 26, 2007 2:58 PM



Copyright © Brian Biales | Powered by: GeeksWithBlogs.net