
I recently let a hacker (who I met once and don't know too well) connect to my computer through (I guess it was remote access). I had to fill in my IP on a third-party website and click a button, and he had full access to my desktop and used my command terminal in Ubuntu 11.04 to do a series of installations (that I needed help with) and then disconnected.

Shortly after, I started experiencing random things: solitaire games randomly being opened when I return after leaving it unattended, and some other odd things.

The icing on the cake was this:

When I typed the 'who' command in the terminal, here's what I got:

    myusername tty7  2007-04-26 00:14 (:0)
    myusername pts/0 2011-11-11 21:45 (:0)

So my concern is that I didn't even own this laptop at that date, let alone have Ubuntu dual-booted on my system.

Think I'm being hacked? Or is that just the date of the origin of the Natty desktop environment?

Who knows. I might be paranoid.

2 Answers

9

If you think you are being hacked, there are several quick things you can do to stop remote access:

  1. Run vino-preferences and see if it is activated. If it is, uncheck all options and if you need it then change the password.

  2. Change your user password. That would make it tough to access via SSH with that user.

  3. Verify that there is no other user account. From the terminal you can do something like this: cat /etc/passwd|grep '/bin/bash', but there are other GUI and terminal ways.

  4. Disable the SSH server if you happen to have it installed. Type sudo apt-get purge openssh-server. If you don't have it, nothing will happen. If you do have it, it will ask you for removal.

Up to now you have just blocked the VNC and SSH services from being accessed remotely.

Now check if you have some script running when the PC starts. For example, something that is being sent to somebody outside. This implies having to check a lot of places. For example:

  • Check all /etc/rc* folders. For example /etc/rc0.d, /etc/rc1.d....
  • Check /etc/init.d for a weird service that is not supposed to be there.
  • Check that cron is not running something. Example: crontab -e will show what cron runs for your user.
  • Check that ufw is enabled and does not have some port forward. Also check iptables for this. If a port is forwarded it might look like he is trying to have direct access to the PC.
  • Any other place that might be used for automatically running something.

There are many other ways, but these are the quick and basic ones.

Luis Alvarado
  • 216,643
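The account, cron and rc*.d checks in the answer above can be scripted so they are repeatable. The script below is an added example, not code from the answer or from Ubuntu: each check is a function that takes its input path as a parameter, so it can be pointed at the live system (/etc/passwd, a crontab -l dump, /etc) or, as here, at a constructed sample tree. The sample passwd, crontab and rc2.d contents are made up for the demonstration; the account name "backdoor" and the cron command are invented placeholders.

```shell
#!/bin/sh
# Added example: quick persistence and remote-access audit for a
# Debian/Ubuntu desktop. Not from the original answer.
# Every check takes its input as a parameter so it works on the live
# system or on constructed sample files.

# 1. Accounts with any interactive login shell (sh, bash, dash, zsh, ksh),
#    not only /bin/bash as the one-liner in the answer matches.
login_shell_accounts() {
    awk -F: '$7 ~ /\/(ba|z|k|da)?sh$/ { print $1 }' "${1:-/etc/passwd}"
}

# 2. Accounts with UID 0 other than root: a second root-equivalent login.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "${1:-/etc/passwd}"
}

# 3. Non-comment, non-blank lines of a crontab dump (crontab -l output,
#    or a file under /etc/cron.d); each one runs unattended.
active_cron_lines() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$'
}

# 4. Start links (S*) in rc?.d and rcS.d under a base directory
#    (default /etc); these are what init starts at boot.
boot_start_links() {
    base="${1:-/etc}"
    for d in "$base"/rc?.d "$base"/rcS.d; do
        [ -d "$d" ] || continue
        for l in "$d"/S*; do
            [ -e "$l" ] || [ -L "$l" ] || continue
            printf '%s -> %s\n' "$l" "$(readlink "$l" 2>/dev/null || echo "$l")"
        done
    done
}

# 5. Listening TCP sockets on the live system (VNC is 5900, SSH is 22).
#    Informational only: there is no offline equivalent.
listening_tcp() {
    ss -ltn 2>/dev/null || netstat -ltn 2>/dev/null
}

# --- constructed sample data so the script runs offline ---
sample_dir=$(mktemp -d)
cat > "$sample_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backdoor:x:0:0::/tmp:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/false
EOF
cat > "$sample_dir/crontab" <<'EOF'
# m h dom mon dow command
*/5 * * * * /home/alice/.cache/.x/update.sh

EOF
mkdir -p "$sample_dir/rc2.d" "$sample_dir/init.d"
: > "$sample_dir/init.d/cups"
ln -s ../init.d/cups "$sample_dir/rc2.d/S50cups"
ln -s ../init.d/cups "$sample_dir/rc2.d/K50cups"

echo "Login-capable accounts:"; login_shell_accounts "$sample_dir/passwd"
echo "Extra UID-0 accounts:";   extra_uid0_accounts "$sample_dir/passwd"
echo "Active cron lines:";      active_cron_lines "$sample_dir/crontab"
echo "Boot start links:";       boot_start_links "$sample_dir"
```

On the sample tree the audit flags the extra UID-0 account, the one active cron job and the single S50cups start link; the K50cups kill link is deliberately not reported. To run it against the real machine, drop the sample block and call the functions with no arguments (or with a crontab -l dump for the cron check), and compare the output against what you expect to be installed.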
5

192.168.1.1 is the IP address of your router; it's not a third-party website. What you have done is opened up either SSH or VNC access to your machine by forwarding that port out. If you repeat the steps, but instead of entering the values remove the values, you should be able to sever access. It's odd that it would show a user logged in from 2007; after removing the port forward, restart your machine to log any connected sessions off.

Marco Ceppi
  • 48,827