[GLLUG] Uh Oh. Help?

Karl Schuttler karl.schuttler at gmail.com
Thu Mar 1 17:38:31 EST 2012


Port 5900 is VNC (remote access, as you noticed). The 70.x.x.x IP you
mentioned is registered to THEPLANET.COM INTERNET SERVICES in Dallas,
TX. Feel free to send me the log and I'll take a look. You might
consider reaching out to ThePlanet.com and asking them about the
incident; they might have a security breach. I would call them over
the phone, but you could certainly email. The 140.x.x.x address
belongs to National Chung Cheng University in Taiwan.

It would seem that they shouldn't be able to access her computer, from
your description of the network setup; perhaps it isn't functioning as
you intended.


On Thu, Mar 1, 2012 at 5:16 PM, J Neveau <neveauj at gmail.com> wrote:
> Could someone in the group with network guru skills help me out?  I was
> perusing my Mom's router log today and saw something that concerned me.
>
> The log shows:
>
> [LAN access from remote] from 70.86.214.138:48659 to 192.168.1.3:5900
> Thursday, Mar 01,2012 08:06:39
>
> and
>
> [LAN access from remote] from 140.123.103.148:45214 to 192.168.1.3:5900
> Wednesday, Feb 29,2012 6:31:46
>
> Both of those lines show up a number of times over the past couple weeks.
>
> I'm concerned, as my Mom is 80 years old and (hopefully) didn't download
> anything malicious that is allowing port 5900 to be used on her OS.  She is
> using Linux Mint and I've been keeping it up to date on updates through its
> synaptic application. (version 10.something if I recall correctly)
>
> I have a PDF file of the entire log if anyone would be kind enough to look
> at it.
>
> I had her router set up for remote management so that I could log in to deal
> with issues.  I had it assigned to a selected port number for admin of the
> router.  I also had the DHCP reserve that IP address to her machine so I
> could remote admin her operating system if she had any issues; it was port
> forwarded to a selected port (different than the router log-in; NOT port
> 5900) for that purpose as well.
>
> For the time being, I've disabled the remote log-in function until I can get
> this surveyed by those more knowledgeable.  I will have physical access to
> her machine for the next week, so if any additional diagnosis is needed,
> I'll be happy to forward that information to the group.
>
> Any help is greatly appreciated!
>
> J.Neveau
>
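
An added example, not part of either email: one way to triage a router log in the format quoted above, grouping the "[LAN access from remote]" entries by source and internal destination, then listing any that do not match a forward the administrator meant to create. The sample log is constructed with documentation-range addresses, the `intended` set is a hypothetical input, and the sketch assumes the address after "to" is the internal target of the forward.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the format quoted in the thread; the source
# addresses are documentation-range placeholders, not real log data.
SAMPLE_LOG = """\
[LAN access from remote] from 203.0.113.10:48659 to 192.168.1.3:5900
Thursday, Mar 01,2012 08:06:39
[LAN access from remote] from 198.51.100.7:45214 to 192.168.1.3:5900
Wednesday, Feb 29,2012 6:31:46
[LAN access from remote] from 203.0.113.10:48702 to 192.168.1.3:5900 Thursday, Mar 01,2012 09:15:02
[Admin login] from source 192.168.1.2 Thursday, Mar 01,2012 10:00:00
"""

# The timestamp may sit on the same line or be wrapped onto the next one
# (as in the email), so \s+ is allowed to span the line break.
ENTRY = re.compile(
    r"\[LAN access from remote\] from (\d+\.\d+\.\d+\.\d+):(\d+) "
    r"to (\d+\.\d+\.\d+\.\d+):(\d+)\s+"
    r"\w+, (\w{3} \d{1,2},\d{4} \d{1,2}:\d{2}:\d{2})"
)

def summarize(log_text):
    """Group inbound hits by (source IP, internal host, internal port)."""
    hits = defaultdict(list)
    for src, _sport, dst, dport, stamp in ENTRY.findall(log_text):
        when = datetime.strptime(stamp, "%b %d,%Y %H:%M:%S")
        hits[(src, dst, int(dport))].append(when)
    return {key: {"count": len(ts), "first": min(ts), "last": max(ts)}
            for key, ts in hits.items()}

def unexpected(summary, intended):
    """Flows whose (internal host, port) is not an intended forward target.

    `intended` is a hypothetical set of (host, port) pairs the admin
    deliberately exposed, e.g. {("192.168.1.3", 22)}.
    """
    return sorted(k for k in summary if (k[1], k[2]) not in intended)

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for key in unexpected(summary, intended={("192.168.1.3", 22)}):
        info = summary[key]
        print(f"{key[0]} -> {key[1]}:{key[2]}  hits={info['count']}  "
              f"first={info['first']}  last={info['last']}")
```

Repeated hits from the same outside address over days, as described in the thread, show up here as a single row with a high count and a wide first-to-last span.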

