Unexpected remote desktop connection.
Jordon Bedwell
jordon at envygeeks.com
Fri Jun 24 18:41:51 UTC 2011
On 6/24/2011 12:48 PM, Jim Byrnes wrote:
> I was working on my laptop today trying to customize Natty to my liking.
> I added a couple of ppa's for indicator applets and installed the
> applets. I then let the machine sit for a while. When I looked at it
> again I saw a monitor icon on the top panel. When I clicked on it I was
> informed that ip 211.247.13.53 was remotely accessing my desktop.
What is the remote app? Since you were customising we cannot assume.
> I immediately severed the connection. Checking the remote desktop
> settings I saw the sharing checkbox was checked but the allow remote
> desktop control was unchecked. I don't know if sharing is checked by
> default or if I checked it to experiment.
By "severed" I hope you meant pulled the internet wire until you installed
GUFW from a deb you pulled from a secure system, since it seems kinda
obvious you did not set any firewall rules for your computer.
> whois results: query: 211.247.13.53
> So is it possible I've been hacked? If so what is my best course of action?
People use the word "hacked" too liberally nowadays. Yes, it's true you
could possibly have been compromised, but at this point let's not assume
until we get an application name and until we can test it.
> There's really not much of value on it. I use it infrequently mostly to
> experiment with Natty. Firefox has a few passwords stored, but nothing
> really critical. However it was connected to my home network by wire at
> the time.
Value should be infinite, no matter the data. Treating data as
valueless, no matter the kind, is the kind of thinking that leads to a
severe compromise on a truly important system. You need to treat all
systems with the utmost importance, no matter the personal value.
----
My suggestion is that you also pull the system down and do a complete
integrity check of all system files. You can do that by using a known
secure system to download all the packages from a dpkg-supplied list and
then using debsums to validate them against the debs.
If you've adjusted configuration files, when it reports they've changed,
copy them to a list and manually verify their integrity against your
known changes.
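The integrity check suggested above, as an added illustration that is not part of the original thread and is not debsums itself: it reads a trusted md5sums list (the kind shipped in a package's control archive, which debsums normally takes from /var/lib/dpkg/info on the host being checked), hashes the files actually on disk, and separates plain mismatches from edited conffiles so the latter can be reviewed by hand. All file names, contents and the "example" package are constructed for the demo; the fake root lives in a temporary directory.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def parse_md5sums(text):
    """Parse lines in the dpkg/debsums md5sums format: '<md5hex>  <path>'.

    Paths are relative to the filesystem root, as in a package's
    DEBIAN/md5sums file. Returns {relative_path: hexdigest}.
    """
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, rel_path = line.split(None, 1)
        entries[rel_path] = digest.lower()
    return entries


def md5_of_file(path):
    """Hash a file in chunks; MD5 because that is what the md5sums format carries."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_package_files(root, trusted_sums, conffiles=()):
    """Compare the files under `root` against a trusted md5sums list.

    Returns a dict of sorted lists: 'ok', 'missing', 'modified' and
    'changed_conffiles'. A conffile that differs is reported separately
    because a local edit is expected there and must be checked by hand
    against the changes the owner remembers making.
    """
    report = {"ok": [], "missing": [], "modified": [], "changed_conffiles": []}
    conffiles = set(conffiles)
    for rel_path, expected in sorted(trusted_sums.items()):
        full_path = os.path.join(root, rel_path)
        if not os.path.isfile(full_path):
            report["missing"].append(rel_path)
        elif md5_of_file(full_path) == expected:
            report["ok"].append(rel_path)
        elif rel_path in conffiles:
            report["changed_conffiles"].append(rel_path)
        else:
            report["modified"].append(rel_path)
    return report


def build_constructed_host():
    """Constructed sample (not real package data): a fake root with four files.

    Returns (root_dir, trusted_md5sums_text). The trusted list is derived
    from the "shipped" content, standing in for the md5sums taken out of a
    .deb on a clean machine; the on-disk tree is what the suspect host has.
    """
    shipped = {
        "etc/example/daemon.conf": b"allow_remote=false\n",
        "usr/bin/example-daemon": b"#!/bin/sh\necho genuine daemon\n",
        "usr/lib/example/helper.so": b"genuine helper\n",
        "usr/share/doc/example/README": b"docs\n",
    }
    trusted_text = "".join(
        f"{hashlib.md5(data).hexdigest()}  {rel}\n" for rel, data in shipped.items()
    )
    on_disk = dict(shipped)
    on_disk["usr/bin/example-daemon"] = b"#!/bin/sh\necho tampered daemon\n"  # replaced binary
    on_disk["etc/example/daemon.conf"] = b"allow_remote=true\n"  # locally edited conffile
    del on_disk["usr/share/doc/example/README"]  # file removed from disk
    root = tempfile.mkdtemp(prefix="integrity-check-")
    for rel, data in on_disk.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return root, trusted_text


def run_demo():
    """Build the constructed host, check it, clean up, and return the report."""
    root, trusted_text = build_constructed_host()
    try:
        return verify_package_files(
            root, parse_md5sums(trusted_text), conffiles={"etc/example/daemon.conf"}
        )
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for category, paths in run_demo().items():
        print(f"{category}: {paths}")
```

Two points the script makes visible. First, the only thing that makes the check worth anything is where the md5sums list comes from: if it is read from the suspect host, an attacker who replaced a binary could have rewritten its md5sums entry as well, which is why the reply insists on fetching the debs on a clean machine (debsums can be pointed at a directory of downloaded .deb files with its -p/--deb-path option, and -a makes it check conffiles as well). Second, a kernel-level rootkit on a running system can hide file changes from any userland hasher, so the comparison belongs on a powered-down disk mounted from a known-good boot medium, which matches the "pull the system down" advice above.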