VPN Hacked?

Layout from the: Question Templates - Ensure a quick/accurate response to your query
( http://antionline.com/showthread.php?t=260076 )

What Operating System are you running:
Windows 2000 Pro SP4
Do you have all critical Updates installed?
I think there are 7 or so new patches that affect some RTF functionality that I don't have..
If you answered No to last question what was last update you installed?
Patched up to end of December 2006
Do you have an anti virus program?
Yes
If yes what program is it?
AVG/Free
Also do you keep it updated with latest definitions?
Daily
Do you have a firewall?
No / Behind a router with a F.W.
If yes what type?
Router (all inbound ports blocked)
Do you have any spy/adware checking programs?
Yup
If yes what ones?
Adaware
Have you scanned your PC with an http://housecall.trendmicro.com/online virus scanner
NOT YET (at work at the moment will do when I am home)
If yes what were the reults?
See above
How do you connect to the internet? (dial-up, adsl etc)
Cable Modem
Are you on a LAN?
Yes
If yes what type is it (Home/Business – Wireless etc)
Home wired (has wireless enabled on same router though with WPA / AES)
What makes you think you are being hacked?
Paranoid, Connected up to secureix no-firewalled VPN server for 4 hours. So would have had no firewall inline.
How long has this being going on?
just over a week.
Any other comments?
I have ultravnc 1.0.2 installed and listening.

Is it likely somebody could have been looking at files on my system? I keep some (potentially) sensitive data on my computer and do not want that to have been stolen!!

I connected again to this service to do a port scan from auditmypc and grc and the results said that ports 1723 and 5900 where open, ports 22,135-140,445 where all stealth and the rest where closed.

I am really paranoid about this and am eager to know if it is a common for evil people stealing data in this type of scenario.

Sorry if my understanding of all of this is not too good!

Any help would be great, thanks.

If you are that paranoid then you should use Windows Remote Desktop instead of ultravnc and just keep port 3389 open and firewall the rest.

Also I assume that you realize that secureix has access to anything that you are sending/receiving...Is there some reason that you are trusting them with this data (as opposed to your ISP?)

I'll go along with marsbarz: Why use secureix?

If it is to locate your workstation, then you can use a dynamic dns service.

Depending on your router, you could use the vpn that it provides. Or, if you have spare hardware, create your own router/firewall/vpn server and connect securely that way.

I use a vpn client to connect to my home network (cisco) and then use remote desktop from there. I am also listening on a nonstandard port (not 3389) and only allow connections to the vpn from certain netblocks.

You don't have to use a VPN, I just prefer to.

From there, you can secure your remote desktop further by disallowing remote desktop to admins, setting lockout a policy on your remote desktop users/group and forcing encryption. It would also help to log the connections and audit logon/log off.

http://www.mobydisk.com/techres/secu...e_desktop.html

As for securing personal info... use truecrypt disk encryption.
http://www.truecrypt.org/

I understand that they could 'see' anything I was sending via the vpn connection, I don't use it to become anonymous or anything like that, I use it because they have an NNTP server you can access when connected. Thats all. I dont visit any web pages or use any p2p software.

What I am really asking is:
1) I used some online port scanners and downloaded nmap and scanned my computer from another place and the only ports open where: 1723/tcp and 5900/tcp. Are there any exploits that somebody could have used on these services?

2) Is it likely that somebody would 'hack' my computer, then snoop around at my files? (I don't mean target me specifically)

3) Is there any way I could know this? Would the 'last accessed' time be changed? (I have a good idea of when I last accessed my files)

Sorry for sounding dim, I am totally new to this and trying to learn quickly!

well, my experience of windows is that the "last accessed" time is always right now because looking at the last accessed time counts as an access and thus resets it. :rolleyes:

Off the top of my head, those are normal ports to have open. Most likely I would expect a random attack from a skiddie who would generally want to cause chaos and eject your CD drive & cause chaos rather than stealthily look through all your documents then leave.

Easiest way to spot someone snooping your files is more along the lines of unexpected intense disk access or network access. Checking every document for its last access date is a toughie.

I wouldn't be worried about having those two ports open. You're up to date with ultra vnc and there are no "known" vulnerabilities.

Port 5900 (and 5800 for java) is a commonly scanned port, so I may just change the default port to something more obscure just to stay out of immediate sight of the skiddies running bots/scripts/port scanners.

You could also use a more advanced firewall (I prefer hardware firewall) and only allow connections from certain IPs or subnets. I know the main networks and netblocks I connect from, so I only allow connections to certain ports from those addresses.

Many host based firewalls also give you the ability to log connections to and from your computer. The log size is generally pretty small, so I always increase the log size or turn on rotation/compression for archvial purposes.

You could also try to "hide" your services by running them on a nonstandard port. I like to do this whenever possible for my personal private services.

nmap is probably the most used tcp/ip scanner out there. by default, nmap does not scan ports 9100-9107 because they are used by HP Jet Direct network cards. Any data sent to those ports will print on the printer. There were a lot of people complaining that while using nmap to scan their network, jet direct network enabled printers would print junk.

That being said... I'd might run a service on one of those ports to evade service detection by nmap. nmap will scan those ports only if instructed to.

You can check for recent vulnerabilities in your services/applications @ http://www.securityfocus.com/vulnerabilities

When you use VNC, are you using encryption? http://www.uvnc.com/features/encryption.html

It is not very likely that someone would hack your residential computer to look for documents. I'd imagine most skiddies out there are more interested in adding you to their botnet or using your computer as a jumping point to hack other workstations. The more professional hackers are going after larger targets? Even so, it is a good idea to encrypt your private data or keep it offline on a flash drive or external hard drive that you can connect when you need it (still encrypted). That truecrypt I linked you to before is great for this.

Now, maybe if you have a reason for someone to hack you... then maybe. Are you a high profile public official? Exec of a large company? Etc.? Do you have any enemies? etc.

You can search for files by "access date" but even if you view them with windows explorer (not even open them) then they'll have been "accessed". You might want to look for modified date? If someone accesses your PC, they'll probably want to retain access to your PC. So, you should be looking for created or modified files. It is possible for them to access your system without leaving a visable trace using rootkits too...

There is a lot you can do on your system in terms of auditing to see who is doing what and when. You just have to define it in your audit policy.

Go to start, run and type "gpedit.msc".

That is your local computer policy. You can turn on auditing of logon/log off, object access, etc all in there.

Local Computer Policy\ Computer Configuration\ Windows Settings\ Security Settings\ Local Policies\ Audit Policy

Those events will be logged in your security log. (event viewer) This log will fill pretty quickly so it would be smart to increase the default log size.

Be careful with everything else though... it is easy to render a computer unusable by playing too much. Just like with your registry, make sure you know what you're doing.

When I was first learning, I thought it'd be cool to use the NSA security templates... They secured my PC SO much that I was unable to use the damn thing for anything useful.
http://csrc.nist.gov/itsec/guidance_WinXP.html

Read up on and learn about gpedit.msc which controls your local computer policy along with your local security policy. It'd probably be best to learn about security templates too.

well thanks everybody for your input, All of it was very helpful to me, I am trying to learn as much as I can and quickly too.

phishphreek thanks for your last post, That really helped me.

I am just a regular person, not a VIP or anything like that!
I only used this service that once (secureix) and only for 4 hours. I dont normally connect that computer to internet services anyway. I have installed a software firewall on it now. But I have blocked VNC from everywhere except one of my LAN computers.

I decided to setup another computer in exactly the same way (same patches, software etc..) and connect it to the VPN connection as before.
I have downloaded nmap and put it on another computer with a different internet connection and got this:

Code:

---

nmap -sV <HOST IP>
Interesting ports on <HOST IP>:
Not shown: 1669 closed ports
PORT      STATE    SERVICE          VERSION
22/tcp    filtered ssh
135/tcp  filtered msrpc
136/tcp  filtered profile
137/tcp  filtered netbios-ns
138/tcp  filtered netbios-dgm
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
1720/tcp  filtered H.323/Q.931
1723/tcp  open    pptp?
5900/tcp  open    vnc              VNC (protocol 3.6)
10000/tcp filtered snet-sensor-mgmt

---

Why would I have port 1723 open when I am just a vpn client not a server? I thought open ports where for servers/services?

Code:

---

nmap -sU <HOST IP>
Not shown: 1485 open|filtered ports
PORT    STATE  SERVICE
53/udp  closed domain
123/udp closed ntp

---

I downloaded wireshark and dumped all of the traffic for 8 hours too.

I spent the whole day learning how to use wireshark (I am sure I have only just brushed the surface though!) and how to understand the packets listed.

It mostly got lots of connection attempts (40% of the data captured) to TCP port 34703, the system responded with a [RST, ACK] which I think means the port is closed and has no service listening there. along with this there was around another 40% UDP connections to port 34703 that had the words info_hash and get_peers. After some reading on that It appears to be some sort of bittorent traffic, I have never used any p2p software of any kind though, They get response from my system of ICMP Destination unreachable (Port unreachable) which I learned was how a closed UDP port should respond.

Is it common to see this sort of traffic? Could this be becuase the person that previously had this IP address was using bittorent?

I saw around 6 attempts to connect to the VNC server which wireshark decodes very nicely. 5 of these look like regular VNC transaction but with a failed login. But one was strange, after more research it appears to a RealVNC 4.1.1 exploit if found out about here: http://www.milw0rm.com/related.php?program=RealVNC

I am not sure any of that is of any interest to any of you though?? Just thought I would share with you what I had done.

I dont want to appear helpless, I am very willing to learn. I just needed a little help getting started.

If the person before you had been using bittorrent, then the trackers will still be referring peers to you. This use to cause me problems in the past when playing online games on my adsl line. My upstream bandwith was being used up by peers trying to connect to torrents I was no longer seeding. Or, in some cases, the person who had the IP before me was seeding.

I could simply bring down my wan interface for a couple of seconds, bring it back up and I was able to get a new ip. I could have simply blocked those ports (most often 6881-6889) but I had my client at the time setup to use those ports. I've since changed them to avoid this problem.

The connection attempts are more than likely bots scanning and trying common passwords. The exploit that was thrown at you was either some kiddie who had been scanning for port 5900 or some other automated bot. The objective for a lot of them are to take over as many workstations as possible and add them to their botnets. It is big business. These "hackers" can lease out the botnets to organized crime to use to extort ecommerce sites (threaten DDoS attacks, etc.) or spammers to use.

What VPN client are you using? I have not tried to port scan my workstation when using a VPN client. I know that some VPN clients also have a firewall built in that would prevent nmap's reporting of those ports. Checkpoint's secure remote is a good example. Cisco also has one, but the name escapes me at the moment.

When the VPN is connected, it has to open that port. Otherwise, it wouldn't know how to communicate. It creates a tunnel. Read up on it here:
http://www.microsoft.com/technet/com...uy/cg0103.mspx

Other services do this too, but don't always use the same source port and destination ports. Look at netstat -an the next time you open a web page. (right now) You'll see all the ports that are "open" at the time. If you are using a firewall, it is more than likely a stateful firewall and dynamically allowing those ports inbound (NAT) to your workstation otherwise, you would not be able to communicate with the server.

Well thanks again for that information, Some good reading.

I used (I want to point out again that I only connected to this services once and for 4 hours only) the built in microsoft VPN connection thing that is in 'network connections' I am not sure that stores any logs? I would like to know about it if it did!.

I am still paranoid about the whole thing though, but that isnt based on anything logical.