Unexpected remote desktop connection.
Jim Byrnes
jf_byrnes at comcast.net
Fri Jun 24 19:17:25 UTC 2011
On 06/24/2011 01:41 PM, Jordon Bedwell wrote:
> On 6/24/2011 12:48 PM, Jim Byrnes wrote:
>> I was working on my laptop today trying to customize Natty to my liking.
>
>> I added a couple of ppa's for indicator applets and installed the
>> applets. I then let the machine set for a while. When I looked at it
>> again I saw a monitor icon on the top panel. When I clicked on it I was
>> informed that ip 211.247.13.53 was remotely accessing my desktop.
>
> What is the remote app? Since you were customising we cannot assume.
When I said a couple of ppa's I was wrong; it was just one:
LP-PPA-tsbarnes-indicator-keylock/natty. The other was the
weather-indicator, but it came from the Ubuntu Software Center.
>
>> I immediately severed the connection. Checking the remote desktop
>> settings I saw the sharing checkbox was checked but the allow remote
>> desktop control was unchecked. I don't know if sharing is checked by
>> default or if I checked it to experiment.
>
> By severed I hope you meant pulled the internet wire until you installed
> GUFW from the deb you pull from a secure system since it seems kinda
> obvious you did not set any firewall rules for your computer.
No, I disabled sharing. I have always depended on my Linksys router's
firewall. I haven't looked at the router's settings for a while, but I
will now.
>> whois results: query: 211.247.13.53
>> So is it possible I've been hacked? If so what is my best course of action?
>
> People use the word hacked too liberally nowadays. Yes, it's true you
> could have possibly been compromised, but at this point let's not assume
> until we get an application name and until we can test it.
Better choice of words.
>> There's really not much of value on it. I use it infrequently mostly to
>> experiment with Natty. Firefox has a few passwords stored, but nothing
>> really critical. However it was connected to my home network by wire at
>> the time.
>
> Value should be infinite, no matter the data. Treating data as
> invaluable, no matter the kind, is the kind of thinking that leads to a
> severe compromise on a truly important system. You need to treat all
> systems with the utmost importance no matter the personal value.
>
Again maybe a poor choice of words. I was trying to convey the thought
that there was nothing on it that was irreplaceable or would cause much
harm if exposed.
> My suggestion is you also pull the system down and do a complete
> integrity check of all system files. You can do that by using a known
> secure system to download all the packages from a dpkg supplied list and
> then using debsums to validate them against the debs.
>
> If you've adjusted configuration files, when it prompts they've changed
> copy them to a list and manually verify their integrity against your
> known changes.
Are you saying just the laptop or do you mean the other machine that was
turned on at the time?
Regards, Jim
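The debsums step Jordon describes, as an added example that is not part of the thread: dpkg keeps one md5sums list per package under /var/lib/dpkg/info/<pkg>.md5sums, and debsums recomputes those hashes and reports files that differ or are missing. The code below does the same comparison; the package tree and md5sums list are constructed in a temporary directory so it runs offline.

```python
# Minimal debsums-style integrity check (added example, not from the thread).
# Each md5sums line is "<md5 hex>  <path relative to />". A real run would
# point root at "/" and read /var/lib/dpkg/info/<pkg>.md5sums instead of
# the constructed sample in demo().
import hashlib
import os
import tempfile

def parse_md5sums(text):
    """Parse md5sums lines into {relative_path: expected_md5}."""
    expected = {}
    for line in text.splitlines():
        if line.strip():
            digest, _, path = line.strip().partition("  ")  # md5sum uses two spaces
            expected[path] = digest.lower()
    return expected

def md5_of_file(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def check_package(md5sums_text, root):
    """Classify each listed file under root as ok, changed or missing."""
    result = {"ok": [], "changed": [], "missing": []}
    for rel, want in parse_md5sums(md5sums_text).items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            result["missing"].append(rel)
        elif md5_of_file(full) != want:
            result["changed"].append(rel)  # tampered, or a local edit to verify by hand
        else:
            result["ok"].append(rel)
    return result

def demo():
    """Constructed sample: one intact file, one modified file, one missing file."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "usr/bin"))
    os.makedirs(os.path.join(root, "etc"))
    with open(os.path.join(root, "usr/bin/tool"), "wb") as f:
        f.write(b"#!/bin/sh\necho ok\n")
    with open(os.path.join(root, "etc/tool.conf"), "wb") as f:
        f.write(b"tampered\n")  # differs from the hash the package shipped
    md5sums = (hashlib.md5(b"#!/bin/sh\necho ok\n").hexdigest() + "  usr/bin/tool\n"
               + hashlib.md5(b"original\n").hexdigest() + "  etc/tool.conf\n"
               + "d41d8cd98f00b204e9800998ecf8427e  usr/share/doc/tool/README\n")
    return check_package(md5sums, root)
```

Files reported as changed are exactly the ones Jordon says to compare against your own known edits; anything not on that list warrants reinstalling the package from a clean download.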