4

I recently let a hacker (who I met once and don't know too well) connect to my computer through (I guess it was remote access): I had to fill in my IP on a third party website and click a button and he had full access to my desktop and used my command terminal in Ubuntu 11.04 to do a series of installations (that I needed help with) and then disconnected.

Shortly after, I started experiencing random things: solitaire games randomly being opened when I return after leaving it unattended and some other odd things.

The icing on the cake was this:

When I typed the 'who' command in the terminal, here's what I got:

  • 'myusername' tty7 2007-04-26 00:14 (:0)
  • 'myusername' pts/0 2011-11-11 21:45 (:0)

So my concern is that I didn't even own this laptop at that date, let alone have Ubuntu dual booted on my system.

Think I'm being hacked? Or is that just the date of the origin of the Natty desktop environment?

Who knows. I might be paranoid.

  • What was the website that he had you go to? – TheXed Mar 01 '12 at 00:40
  • He said let's open up some ports so I can just SSH in and try to figure this stuff out had me go to http://192.168.1.1 and follow these instructions....link. Then Select the Applications & Gaming tab, Click Port Range Forward if not already selected, and forward port 2200 to port 22 on 192.168.1.101 (my comp). – Erik Lipkin Mar 01 '12 at 01:06
  • Natty Narwhal was released April 28th, 2011 – Marco Ceppi Mar 01 '12 at 01:09
  • 1
    I think this would be better suited for http://ubuntuforums.org/ – James Mar 01 '12 at 02:33

2 Answers

9

If you think you are being hacked, there are several quick things you can do to stop remote access:

  1. Run vino-preferences and see if it is activated. If it is, uncheck all options and if you need it then change the password.

  2. Change your user password. That would make it tough to access via ssh with that user.

  3. Verify that there is no other user account. From terminal you can do something like this: cat /etc/passwd|grep '/bin/bash' but there are other GUI and terminal ways.

  4. Disable the SSH server if you happen to have it installed. Type sudo apt-get purge openssh-server. If you don't have it, nothing will happen. If you do have it, it will ask you to confirm the removal.

Up to now you have just blocked the VNC and SSH services from being accessed remotely.

Now check if you have some script running when the PC starts. For example, something that is being sent to somebody outside. This implies having to check a lot of places. For example:

  • Check all /etc/rc* folders. For example /etc/rc0.d, /etc/rc1.d....
  • Check /etc/init.d for a weird service that is not supposed to be there.
  • Check that cron is not running something. Example: crontab -e will show what cron runs for your user.
  • Check that ufw is enabled and does not have some port forward. Also check iptables for this. If a port is forwarded it might look like he is trying to have direct access to the PC.
  • Any other place that might be used for automatic running something.

There are many other ways, but these are the quick and basic ones.

Luis Alvarado
  • 211,503
  • Awesome, Thank you. That laptop actually ended up crashing fully. And now I am worried that since he had access to my router, that just using all that information that I provided him with would give him the ability to connect to new laptops I used on that same network in the future (main concern) – Erik Lipkin Mar 01 '12 at 01:58
  • 1
    Updated question to include the firewall since I read what you said in the comments. I actually recommend: back up your documents, music, etc. and do a clean install. That will solve EVERYTHING. I say this because there are so many ways to hack someone when you have full control. So even if the basics that I just mentioned above help you, in about 90% of the cases they will not, since they are pretty basic stuff. A "good" hacker might do some other stuff I will not go into detail on here, but having full access means anything goes. Also reset the router to default. Do a fresh install of everything. – Luis Alvarado Mar 01 '12 at 02:35
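As an added illustration of the checks in this answer (the /etc/passwd grep, the cron check and the iptables port-forward check), here is a small read-only audit script. It is not code from the answer or from Ubuntu; every function takes a file path, so the same functions run against the live files and against the constructed sample files at the bottom. The 'helper' account and the 2200 -> 22 DNAT rule in the samples are hypothetical, built only to show what a hit looks like.

```shell
#!/bin/sh
# Added example, not part of the answer above: read-only audit helpers for
# the checks the answer lists (extra login accounts, a second UID-0 account,
# scheduled cron jobs, iptables port forwards).

# Accounts with an interactive shell. The answer greps for '/bin/bash'; this
# also catches /bin/sh, dash, zsh, etc., and skips nologin/false/sync shells.
login_shell_accounts() {
    awk -F: '$7 ~ /sh$/ && $7 !~ /nologin$/ { print $1 }' "$1"
}

# Any account other than root with UID 0 is a second superuser.
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Lines of a crontab that actually schedule something (comments/blanks dropped).
cron_jobs() {
    grep -Ev '^[[:space:]]*#|^[[:space:]]*$' "$1" || true
}

# DNAT/REDIRECT rules in an iptables-save dump: the port forwards the answer
# tells you to look for in iptables.
nat_forwards() {
    grep -E -- '-j (DNAT|REDIRECT)' "$1" || true
}

# Constructed sample passwd file (hypothetical, not from a real system).
# The 'helper' line is a planted second root account with a login shell.
write_sample_passwd() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
myusername:x:1000:1000:Me:/home/myusername:/bin/bash
helper:x:0:0::/home/helper:/bin/sh
EOF
}

# Constructed iptables-save dump mirroring the 2200 -> 22 forward from the
# question's comments (hypothetical sample).
write_sample_iptables() {
    cat > "$1" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 2200 -j DNAT --to-destination 192.168.1.101:22
COMMIT
*filter
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# Live run (as root, so iptables-save works):  sudo sh audit.sh --live
if [ "${1-}" = "--live" ]; then
    echo "== accounts with a login shell =="; login_shell_accounts /etc/passwd
    echo "== extra UID-0 accounts =="; uid0_accounts /etc/passwd
    if crontab -l > /tmp/crontab.$$ 2>/dev/null; then
        echo "== user cron jobs =="; cron_jobs /tmp/crontab.$$
    fi
    if iptables-save > /tmp/ipt.$$ 2>/dev/null; then
        echo "== iptables port forwards =="; nat_forwards /tmp/ipt.$$
    fi
    rm -f /tmp/crontab.$$ /tmp/ipt.$$
fi
```

Against the sample files the account check prints root, myusername and helper, the UID-0 check prints only helper, and the NAT check prints the single DNAT line; on a live box, the interesting output is any name or rule you did not create yourself.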
5

192.168.1.1 is the IP address of your router; it's not a third party website. What you have done is opened up either SSH or VNC access to your machine by forwarding that port out. If you repeat the steps but, instead of entering the values, remove the values, you should be able to sever access. It's odd that it would show a user logged in from 2007; after removing the port forward, restart your machine to log any connected sessions off.

Marco Ceppi
  • 48,101
  • 1
    Yeah I agree with Marco, basically you need to disable port forwarding... kinda odd that someone would hack your computer just to play solitaire lol... but I never understood the value in hacking in the first place... – TheXed Mar 01 '12 at 01:26
  • 1
    Thank you. What I was most paranoid about was that he had the ability to connect whenever he wanted and see whatever I was doing. Let's just say, there was a project I was working on that would've been a good idea for him to keep tabs on – Erik Lipkin Mar 01 '12 at 01:55