[GLLUG] Uh Oh. Help?

Richard Houser rick at divinesymphony.net
Fri Mar 2 01:59:23 EST 2012


J,

As long as the connection isn't established and the attempts aren't
enough to cause a DOS effect, you shouldn't be concerned.

Many home routers will just let you brute force password attempts
until you get it.  Those that implement meager IP-based blackout
periods are still vulnerable to anyone with access to many IPs.  I
recommend you keep the remote access disabled on the router unless you
can restrict the access using a strong key.  For example, I run
OpenWRT and just disable password logins to dropbear.



On Thu, Mar 1, 2012 at 11:47 PM, STeve Andre' <andres at msu.edu> wrote:
> It's important to understand that people get scanned by "script
> kiddies" all the time, on public networks.  ALL THE TIME.  My
> boss had something like Zone Alarm on his Windows machine
> and was equally fascinated and horrified at the number of
> things his machine was exposed to.
>
> The few times I've looked at my own Comcast connection I
> saw at least 5 an hour, and sometimes some little twerp
> would develop an inordinate fondness for me, and bombard
> me with useless logins, malformed http GETS and so on.
>
> While it's not good to let your guard down, log file entries
> quickly start looking like noise, which 99.8%+, they are.
>
> --STeve Andre'
>
>
> On 03/01/12 17:38, Karl Schuttler wrote:
>>
>> Port 5900 is vnc (remote access, as you noticed). The 70.x.x.x ip you
>> mentioned is registered to THEPLANET.COM INTERNET SERVICES in Dallas,
>> TX. Feel free to send me the log and I'll take a look. You might
>> consider reaching out to ThePlanet.com and asking them about the
>> incident; they might have a security breach. I would call them over
>> the phone, but you could certainly email.  The 140.x.x.x address
>> belongs to National Chung Cheng University in Taiwan.
>>
>> It would seem that they shouldn't be able to access her computer, from
>> your description of the network setup; perhaps it isn't functioning as
>> you intended.
>>
>>
>> On Thu, Mar 1, 2012 at 5:16 PM, J Neveau<neveauj at gmail.com>  wrote:
>>>
>>> Could someone in the group with network guru skills help me out?  I was
>>> perusing my Mom's router log today and saw something that concerned me.
>>>
>>> The log shows:
>>>
>>> [LAN access from remote] from 70.86.214.138:48659 to 192.168.1.3:5900
>>> Thursday, Mar 01,2012 08:06:39
>>>
>>> and
>>>
>>> [LAN access from remote] from 140.123.103.148:45214 to 192.168.1.3:5900
>>> Wednesday, Feb 29,2012 6:31:46
>>>
>>> Both of those lines show up a number of times over the past couple weeks.
>>>
>>> I'm concerned, as my Mom is 80 years old and (hopefully) didn't download
>>> anything malicious that is allowing port 5900 to be used on her OS.  She is
>>> using Linux Mint and I've been keeping it up to date on updates through its
>>> synaptic application. (version 10.something if I recall correctly)
>>>
>>> I have a PDF file of the entire log if anyone would be kind enough to look
>>> at it.
>>>
>>> I had her router set up for remote management so that I could log in to deal
>>> with issues.  I had it assigned to a selected port number for admin of the
>>> router.  I also had the DHCP reserve that IP address to her machine so I
>>> could remote admin her operating system if she had any issues; it was port
>>> forwarded to a selected port (different than the router log-in; NOT port
>>> 5900) for that purpose as well.
>>>
>>> For the time being, I've disabled the remote log-in function until I can get
>>> this surveyed by those more knowledgeable.  I will have physical access to
>>> her machine for the next week, so if any additional diagnosis is needed,
>>> I'll be happy to forward that information to the group.
>>>
>>> Any help is greatly appreciated!
>>>
>>> J.Neveau
>>>
>
> _______________________________________________
> linux-user mailing list
> linux-user at egr.msu.edu
> http://mailman.egr.msu.edu/mailman/listinfo/linux-user
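A defender-side way to triage router entries like the ones J quoted, added here as an example (not code from anyone in this thread): it parses "[LAN access from remote]" lines, assuming each entry fits on one line with the date appended, and reports per internal host:port how many hits came from how many distinct sources, labelling ports such as 5900 (VNC) that the thread discusses. The sample log lines below are constructed, and the watched-port list is an assumption.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample log in the format J quoted (date folded onto the same
# line); the final line is a different event type and must be skipped.
SAMPLE_LOG = """\
[LAN access from remote] from 70.86.214.138:48659 to 192.168.1.3:5900 Thursday, Mar 01,2012 08:06:39
[LAN access from remote] from 140.123.103.148:45214 to 192.168.1.3:5900 Wednesday, Feb 29,2012 6:31:46
[LAN access from remote] from 70.86.214.138:50112 to 192.168.1.3:5900 Thursday, Mar 01,2012 08:09:02
[LAN access from remote] from 203.0.113.7:40000 to 192.168.1.3:8022 Thursday, Mar 01,2012 09:00:00
[Admin login] from source 192.168.1.2 Thursday, Mar 01,2012 07:55:00
"""

# Remote-access services worth a second look when reachable from outside (assumed list).
WATCHED_PORTS = {22: "ssh", 23: "telnet", 3389: "rdp", 5900: "vnc"}

LINE_RE = re.compile(
    r"\[LAN access from remote\] from (?P<src>[\d.]+):(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+):(?P<dport>\d+)\s+\w+, "
    r"(?P<ts>\w{3} \d{2},\d{4} \d{1,2}:\d{2}:\d{2})"
)


def parse_log(text):
    """Return one event dict per matching line; other event types are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        events.append({
            "src": m.group("src"),
            "dst": m.group("dst"),
            "dport": int(m.group("dport")),
            "when": datetime.strptime(m.group("ts"), "%b %d,%Y %H:%M:%S"),
        })
    return events


def summarize(events):
    """Group by (internal host, port): hit count, per-source counts, service label."""
    summary = {}
    for e in events:
        entry = summary.setdefault((e["dst"], e["dport"]), {
            "hits": 0, "sources": Counter(), "service": WATCHED_PORTS.get(e["dport"]),
        })
        entry["hits"] += 1
        entry["sources"][e["src"]] += 1
    return summary
```

Repeated hits on a watched port from the same source, as in the sample, are the pattern to check against what the router's port-forwarding rules are actually supposed to expose.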