[GLLUG] Uh Oh. Help?
STeve Andre'
andres at msu.edu
Thu Mar 1 23:47:32 EST 2012
It's important to understand that people get scanned by "script
kiddies" all the time, on public networks. ALL THE TIME. My
boss had something like Zone Alarm on his Windows machine
and was equally fascinated and horrified at the number of
things his machine was exposed to.
The few times I've looked at my own Comcast connection I
saw at least 5 an hour, and sometimes some little twerp
would develop an inordinate fondness for me, and bombard
me with useless logins, malformed HTTP GETs and so on.
While it's not good to let your guard down, log file entries
quickly start looking like noise, which 99.8%+, they are.
--STeve Andre'
On 03/01/12 17:38, Karl Schuttler wrote:
> Port 5900 is vnc (remote access, as you noticed). The 70.x.x.x ip you
> mentioned is registered to THEPLANET.COM INTERNET SERVICES in Dallas,
> TX. Feel free to send me the log and I'll take a look. You might
> consider reaching out to ThePlanet.com and asking them about the
> incident; they might have a security breach. I would call them over
> the phone, but you could certainly email. The 140.x.x.x address
> belongs to National Chung Cheng University in Taiwan.
>
> It would seem that they shouldn't be able to access her computer, from
> your description of the network setup; perhaps it isn't functioning as
> you intended.
>
>
> On Thu, Mar 1, 2012 at 5:16 PM, J Neveau<neveauj at gmail.com> wrote:
>> Could someone in the group with network guru skills help me out? I was
>> perusing my Mom's router log today and saw something that concerned me.
>>
>> The log shows:
>>
>> [LAN access from remote] from 70.86.214.138:48659 to 192.168.1.3:5900
>> Thursday, Mar 01,2012 08:06:39
>>
>> and
>>
>> [LAN access from remote] from 140.123.103.148:45214 to 192.168.1.3:5900
>> Wednesday, Feb 29,2012 6:31:46
>>
>> Both of those lines show up a number of times over the past couple weeks.
>>
>> I'm concerned, as my Mom is 80 years old and (hopefully) didn't download
>> anything malicious that is allowing port 5900 to be used on her OS. She is
>> using Linux Mint and I've been keeping it up to date on updates through its
>> synaptic application. (version 10.something if I recall correctly)
>>
>> I have a PDF file of the entire log if anyone would be kind enough to look
>> at it.
>>
>> I had her router set up for remote management so that I could log in to deal
>> with issues. I had it assigned to a selected port number for admin of the
>> router. I also had the DHCP reserve that IP address to her machine so I
>> could remote admin her operating system if she had any issues; it was port
>> forwarded to a selected port (different than the router log-in; NOT port
>> 5900) for that purpose as well.
>>
>> For the time being, I've disabled the remote log-in function until I can get
>> this surveyed by those more knowledgeable. I will have physical access to
>> her machine for the next week, so if any additional diagnosis is needed,
>> I'll be happy to forward that information to the group.
>>
>> Any help is greatly appreciated!
>>
>> J.Neveau
>>
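The practical question in the thread is whether the "[LAN access from remote]" entries point at a port that was deliberately forwarded or at one that was not, and whether the same source keeps coming back. The script below is an added example, not code from any poster, that parses log lines in the format quoted above, compares the destination against a list of intended forwards, and counts repeat sources. The two 5900 entries are the ones from the original post; the third 5900 entry and the entry to port 22022 are constructed, and 22022 is a placeholder for the "selected port" the poster forwarded for remote admin, whose real number is not given in the thread.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample in the router-log format quoted in the thread. The first
# two lines are the entries from the original post; the last two are
# constructed. Some routers print the timestamp on the following line, so the
# parser treats it as optional.
SAMPLE_LOG = """\
[LAN access from remote] from 70.86.214.138:48659 to 192.168.1.3:5900 Thursday, Mar 01,2012 08:06:39
[LAN access from remote] from 140.123.103.148:45214 to 192.168.1.3:5900 Wednesday, Feb 29,2012 6:31:46
[LAN access from remote] from 70.86.214.138:48660 to 192.168.1.3:5900 Thursday, Mar 01,2012 08:07:02
[LAN access from remote] from 203.0.113.7:51000 to 192.168.1.3:22022 Thursday, Mar 01,2012 09:00:00
"""

# Hypothetical allow list: the (LAN host, port) pairs the owner intentionally
# forwarded. 22022 is a placeholder for the remote-admin port from the post.
ALLOWED_FORWARDS: Set[Tuple[str, int]] = {("192.168.1.3", 22022)}

LINE_RE = re.compile(
    r"\[LAN access from remote\] from "
    r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<src_port>\d+) to "
    r"(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<dst_port>\d+)"
    r"(?:\s+(?P<when>.*\S))?"
)


@dataclass(frozen=True)
class RemoteAccess:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    when: Optional[str]


def parse_log(text: str) -> List[RemoteAccess]:
    """Extract remote-access events; lines in other formats are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        events.append(RemoteAccess(
            m["src_ip"], int(m["src_port"]),
            m["dst_ip"], int(m["dst_port"]),
            m["when"],
        ))
    return events


def unexpected_access(events: List[RemoteAccess],
                      allowed: Set[Tuple[str, int]]) -> List[RemoteAccess]:
    """Events whose destination is not one of the intended port forwards."""
    return [e for e in events if (e.dst_ip, e.dst_port) not in allowed]


def repeat_sources(events: List[RemoteAccess],
                   threshold: int = 2) -> Dict[Tuple[str, int], int]:
    """Source IPs that hit the same destination port at least `threshold` times."""
    counts = Counter((e.src_ip, e.dst_port) for e in events)
    return {key: n for key, n in counts.items() if n >= threshold}


def summarize(text: str, allowed: Set[Tuple[str, int]]) -> Dict[str, object]:
    """One-shot report: how many events, which were unexpected, who repeats."""
    events = parse_log(text)
    flagged = unexpected_access(events, allowed)
    return {
        "total": len(events),
        "flagged": [(e.src_ip, e.dst_ip, e.dst_port, e.when) for e in flagged],
        "repeat": repeat_sources(flagged),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG, ALLOWED_FORWARDS)
    print(f"{report['total']} remote-access events, "
          f"{len(report['flagged'])} to ports not on the forward list")
    for src, dst, port, when in report["flagged"]:
        print(f"  {src} -> {dst}:{port}  {when or ''}")
    for (src, port), n in report["repeat"].items():
        print(f"  repeat source: {src} hit port {port} {n} times")
```

The log only shows that the router passed traffic to 192.168.1.3:5900; it does not show whether anything on the Mint machine accepted it. Running `ss -ltnp` (or `netstat -ltnp`) on the host and looking for a listener on 5900 is what separates "the router has a forward rule nobody remembers" from "a VNC server is actually running".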