
Thread: VPN Hacked?

  1. #1
    Junior Member
    Join Date
    Mar 2007

    VPN Hacked?

    Layout from the: Question Templates - Ensure a quick/accurate response to your query
    ( http://antionline.com/showthread.php?t=260076 )

    What Operating System are you running:
    Windows 2000 Pro SP4
    Do you have all critical Updates installed?
    I think there are 7 or so new patches that affect some RTF functionality that I don't have.
    If you answered No to last question what was last update you installed?
    Patched up to end of December 2006
    Do you have an anti virus program?
    If yes what program is it?
    Also do you keep it updated with latest definitions?
    Do you have a firewall?
    No / Behind a router with a F.W.
    If yes what type?
    Router (all inbound ports blocked)
    Do you have any spy/adware checking programs?
    If yes what ones?
    Have you scanned your PC with an http://housecall.trendmicro.com/online virus scanner
    NOT YET (at work at the moment will do when I am home)
    If yes what were the results?
    See above
    How do you connect to the internet? (dial-up, adsl etc)
    Cable Modem
    Are you on a LAN?
    If yes what type is it (Home/Business – Wireless etc)
    Home wired (has wireless enabled on same router though with WPA / AES)
    What makes you think you are being hacked?
    Paranoid. Connected to a secureix non-firewalled VPN server for 4 hours, so would have had no firewall inline.
    How long has this been going on?
    Just over a week.
    Any other comments?
    I have ultravnc 1.0.2 installed and listening.

    Is it likely somebody could have been looking at files on my system? I keep some (potentially) sensitive data on my computer and do not want that to have been stolen!!

    I connected again to this service to do a port scan from auditmypc and grc and the results said that ports 1723 and 5900 were open, ports 22, 135-140 and 445 were all stealth and the rest were closed.

    I am really paranoid about this and am eager to know if it is common for evil people to steal data in this type of scenario.

    Sorry if my understanding of all of this is not too good!

    Any help would be great, thanks.

  2. #2
    Junior Member
    Join Date
    Mar 2007

    If you are so paranoid...

    If you are that paranoid then you should use Windows Remote Desktop instead of ultravnc and just keep port 3389 open and firewall the rest.

    Also I assume that you realize that secureix has access to anything that you are sending/receiving... Is there some reason that you are trusting them with this data (as opposed to your ISP)?

  3. #3
    AO übergeek phishphreek
    Join Date
    Jan 2002
    I'll go along with marsbarz: Why use secureix?

    If it is to locate your workstation, then you can use a dynamic dns service.

    Depending on your router, you could use the vpn that it provides. Or, if you have spare hardware, create your own router/firewall/vpn server and connect securely that way.

    I use a vpn client to connect to my home network (cisco) and then use remote desktop from there. I am also listening on a nonstandard port (not 3389) and only allow connections to the vpn from certain netblocks.

    You don't have to use a VPN, I just prefer to.

    From there, you can secure your remote desktop further by disallowing remote desktop to admins, setting a lockout policy on your remote desktop users/group and forcing encryption. It would also help to log the connections and audit logon/log off.


    As for securing personal info... use truecrypt disk encryption.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  4. #4
    Junior Member
    Join Date
    Mar 2007
    I understand that they could 'see' anything I was sending via the vpn connection. I don't use it to become anonymous or anything like that, I use it because they have an NNTP server you can access when connected. That's all. I don't visit any web pages or use any p2p software.

    What I am really asking is:
    1) I used some online port scanners and downloaded nmap and scanned my computer from another place and the only ports open were: 1723/tcp and 5900/tcp. Are there any exploits that somebody could have used on these services?

    2) Is it likely that somebody would 'hack' my computer, then snoop around at my files? (I don't mean target me specifically)

    3) Is there any way I could know this? Would the 'last accessed' time be changed? (I have a good idea of when I last accessed my files)

    Sorry for sounding dim, I am totally new to this and trying to learn quickly!

  5. #5
    Senior Member Aardpsymon
    Join Date
    Feb 2007
    St Annes (aaaa!)
    Well, my experience of windows is that the "last accessed" time is always right now, because looking at the last accessed time counts as an access and thus resets it.

    Off the top of my head, those are normal ports to have open. Most likely I would expect a random attack from a skiddie who would generally want to cause chaos and eject your CD drive & cause chaos rather than stealthily look through all your documents then leave.

    Easiest way to spot someone snooping your files is more along the lines of unexpected intense disk access or network access. Checking every document for its last access date is a toughie.
    If the world doesn't stop annoying me I will name my kids ";DROP DATABASE;" and get revenge.

  6. #6
    AO übergeek phishphreek
    Join Date
    Jan 2002
    I wouldn't be worried about having those two ports open. You're up to date with ultra vnc and there are no "known" vulnerabilities.

    Port 5900 (and 5800 for java) is a commonly scanned port, so I may just change the default port to something more obscure just to stay out of immediate sight of the skiddies running bots/scripts/port scanners.

    You could also use a more advanced firewall (I prefer hardware firewall) and only allow connections from certain IPs or subnets. I know the main networks and netblocks I connect from, so I only allow connections to certain ports from those addresses.

    Many host based firewalls also give you the ability to log connections to and from your computer. The log size is generally pretty small, so I always increase the log size or turn on rotation/compression for archival purposes.

    You could also try to "hide" your services by running them on a nonstandard port. I like to do this whenever possible for my personal private services.

    nmap is probably the most used tcp/ip scanner out there. By default, nmap does not scan ports 9100-9107 because they are used by HP Jet Direct network cards. Any data sent to those ports will print on the printer. There were a lot of people complaining that while using nmap to scan their network, jet direct network enabled printers would print junk.

    That being said... I might run a service on one of those ports to evade service detection by nmap. nmap will scan those ports only if instructed to.

    You can check for recent vulnerabilities in your services/applications @ http://www.securityfocus.com/vulnerabilities

    When you use VNC, are you using encryption? http://www.uvnc.com/features/encryption.html

    It is not very likely that someone would hack your residential computer to look for documents. I'd imagine most skiddies out there are more interested in adding you to their botnet or using your computer as a jumping point to hack other workstations. The more professional hackers are going after larger targets? Even so, it is a good idea to encrypt your private data or keep it offline on a flash drive or external hard drive that you can connect when you need it (still encrypted). That truecrypt I linked you to before is great for this.

    Now, maybe if you have a reason for someone to hack you... then maybe. Are you a high profile public official? Exec of a large company? Etc.? Do you have any enemies? etc.

    You can search for files by "access date" but even if you view them with windows explorer (not even open them) then they'll have been "accessed". You might want to look for modified date? If someone accesses your PC, they'll probably want to retain access to your PC. So, you should be looking for created or modified files. It is possible for them to access your system without leaving a visible trace using rootkits too...

    There is a lot you can do on your system in terms of auditing to see who is doing what and when. You just have to define it in your audit policy.

    Go to start, run and type "gpedit.msc".

    That is your local computer policy. You can turn on auditing of logon/log off, object access, etc all in there.

    Local Computer Policy\ Computer Configuration\ Windows Settings\ Security Settings\ Local Policies\ Audit Policy

    Those events will be logged in your security log. (event viewer) This log will fill pretty quickly so it would be smart to increase the default log size.

    Be careful with everything else though... it is easy to render a computer unusable by playing too much. Just like with your registry, make sure you know what you're doing.

    When I was first learning, I thought it'd be cool to use the NSA security templates... They secured my PC SO much that I was unable to use the damn thing for anything useful.

    Read up on and learn about gpedit.msc which controls your local computer policy along with your local security policy. It'd probably be best to learn about security templates too.
    Last edited by phishphreek; March 15th, 2007 at 06:48 PM.

  7. #7
    Junior Member
    Join Date
    Mar 2007
    Well, thanks everybody for your input. All of it was very helpful to me, I am trying to learn as much as I can and quickly too.

    phishphreek, thanks for your last post. That really helped me.

    I am just a regular person, not a VIP or anything like that!
    I only used this service that once (secureix) and only for 4 hours. I don't normally connect that computer to internet services anyway. I have installed a software firewall on it now. But I have blocked VNC from everywhere except one of my LAN computers.

    I decided to setup another computer in exactly the same way (same patches, software etc..) and connect it to the VPN connection as before.
    I have downloaded nmap and put it on another computer with a different internet connection and got this:

    nmap -sV <HOST IP>
    Interesting ports on <HOST IP>:
    Not shown: 1669 closed ports
    PORT      STATE    SERVICE          VERSION
    22/tcp    filtered ssh
    135/tcp   filtered msrpc
    136/tcp   filtered profile
    137/tcp   filtered netbios-ns
    138/tcp   filtered netbios-dgm
    139/tcp   filtered netbios-ssn
    445/tcp   filtered microsoft-ds
    1720/tcp  filtered H.323/Q.931
    1723/tcp  open     pptp?
    5900/tcp  open     vnc              VNC (protocol 3.6)
    10000/tcp filtered snet-sensor-mgmt
    Why would I have port 1723 open when I am just a vpn client not a server? I thought open ports were for servers/services?

    nmap -sU <HOST IP>
    Not shown: 1485 open|filtered ports
    53/udp  closed domain
    123/udp closed ntp
    I downloaded wireshark and dumped all of the traffic for 8 hours too.

    I spent the whole day learning how to use wireshark (I am sure I have only just brushed the surface though!) and how to understand the packets listed.

    It mostly got lots of connection attempts (40% of the data captured) to TCP port 34703; the system responded with a [RST, ACK], which I think means the port is closed and has no service listening there. Along with this there was around another 40% UDP connections to port 34703 that had the words info_hash and get_peers. After some reading on that it appears to be some sort of bittorrent traffic. I have never used any p2p software of any kind though. They get a response from my system of ICMP Destination unreachable (Port unreachable), which I learned was how a closed UDP port should respond.

    Is it common to see this sort of traffic? Could this be because the person that previously had this IP address was using bittorrent?

    I saw around 6 attempts to connect to the VNC server, which wireshark decodes very nicely. 5 of these look like regular VNC transactions but with a failed login. But one was strange; after more research it appears to be a RealVNC 4.1.1 exploit I found out about here: http://www.milw0rm.com/related.php?program=RealVNC

    I am not sure any of that is of any interest to any of you though?? Just thought I would share with you what I had done.

    I don't want to appear helpless, I am very willing to learn. I just needed a little help getting started.
    Last edited by finchxm; March 15th, 2007 at 10:03 PM.
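As an added example (not from the thread or any poster), here is a small Python decoder for the bencoded DHT get_peers query that the UDP packets described above carry, plus the port-state mapping for the RST/ACK and ICMP port unreachable replies; the sample packet is constructed, and its node id and info_hash are made up.

```python
# Added example, not code from the thread: decode a BitTorrent DHT "get_peers" query (the UDP
# payload that showed "info_hash"/"get_peers") and map probe replies seen in Wireshark to port state.

def bdecode(data: bytes, i: int = 0):
    """Minimal bencode decoder; returns (value, index_after_value)."""
    c = data[i:i + 1]
    if c == b"i":                                  # integer: i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c == b"l":                                  # list: l<items>e
        items, i = [], i + 1
        while data[i:i + 1] != b"e":
            v, i = bdecode(data, i)
            items.append(v)
        return items, i + 1
    if c == b"d":                                  # dict: d<key><value>...e
        d, i = {}, i + 1
        while data[i:i + 1] != b"e":
            k, i = bdecode(data, i)
            v, i = bdecode(data, i)
            d[k] = v
        return d, i + 1
    colon = data.index(b":", i)                    # byte string: <len>:<bytes>
    n = int(data[i:colon])
    return data[colon + 1:colon + 1 + n], colon + 1 + n

def classify_udp_payload(payload: bytes) -> dict:
    """Label a UDP payload as a DHT (KRPC) query if it bdecodes to one, else 'unknown'."""
    try:
        msg, _ = bdecode(payload)
    except (ValueError, IndexError):
        return {"kind": "unknown"}
    if not isinstance(msg, dict) or msg.get(b"y") != b"q":
        return {"kind": "unknown"}
    args = msg.get(b"a")
    info = args.get(b"info_hash", b"") if isinstance(args, dict) else b""
    return {"kind": "dht-query", "method": msg.get(b"q", b"").decode("ascii", "replace"),
            "info_hash": info.hex()}

def port_state(proto: str, reply: str) -> str:
    """What a probe reply says about the probed port (the cases seen in the capture)."""
    if proto == "tcp":
        return "open" if reply == "SYN-ACK" else "closed" if reply == "RST-ACK" else "filtered"
    return "closed" if reply == "icmp-port-unreachable" else "open|filtered"

# Constructed sample get_peers query in the BEP 5 layout; node id and info_hash are made up.
SAMPLE_GET_PEERS = (b"d1:ad2:id20:" + b"A" * 20 + b"9:info_hash20:" + bytes(range(20))
                    + b"e1:q9:get_peers1:t2:aa1:y1:qe")
```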

  8. #8
    AO übergeek phishphreek
    Join Date
    Jan 2002
    If the person before you had been using bittorrent, then the trackers will still be referring peers to you. This used to cause me problems in the past when playing online games on my adsl line. My upstream bandwidth was being used up by peers trying to connect to torrents I was no longer seeding. Or, in some cases, the person who had the IP before me was seeding.

    I could simply bring down my wan interface for a couple of seconds, bring it back up and I was able to get a new ip. I could have simply blocked those ports (most often 6881-6889) but I had my client at the time setup to use those ports. I've since changed them to avoid this problem.

    The connection attempts are more than likely bots scanning and trying common passwords. The exploit that was thrown at you was either some kiddie who had been scanning for port 5900 or some other automated bot. The objective for a lot of them is to take over as many workstations as possible and add them to their botnets. It is big business. These "hackers" can lease out the botnets to organized crime to use to extort ecommerce sites (threaten DDoS attacks, etc.) or spammers to use.

    What VPN client are you using? I have not tried to port scan my workstation when using a VPN client. I know that some VPN clients also have a firewall built in that would prevent nmap's reporting of those ports. Checkpoint's secure remote is a good example. Cisco also has one, but the name escapes me at the moment.

    When the VPN is connected, it has to open that port. Otherwise, it wouldn't know how to communicate. It creates a tunnel. Read up on it here:

    Other services do this too, but don't always use the same source port and destination ports. Look at netstat -an the next time you open a web page (right now). You'll see all the ports that are "open" at the time. If you are using a firewall, it is more than likely a stateful firewall and dynamically allowing those ports inbound (NAT) to your workstation; otherwise, you would not be able to communicate with the server.

  9. #9
    Junior Member
    Join Date
    Mar 2007
    Well, thanks again for that information. Some good reading.

    I used (I want to point out again that I only connected to this service once and for 4 hours only) the built in microsoft VPN connection thing that is in 'network connections'. I am not sure that stores any logs? I would like to know about it if it did!

    I am still paranoid about the whole thing though, but that isn't based on anything logical.
