Ubuntu – Am I being hacked

remote access, security, tty

I recently let a hacker (who I met once and don't know too well) connect to my computer through (I guess it was) remote access. I had to fill in my IP on a third-party website and click a button, and he had full access to my desktop and used my command terminal in Ubuntu 11.04 to do a series of installations (that I needed help with) and then disconnected.

Shortly after, I started experiencing random things: solitaire games randomly being opened when I return after leaving it unattended, and some other odd things.

The icing on the cake was this:

When I typed the 'who' command in the terminal, here's what I got:

    'myusername' tty7  2007-04-26 00:14 (:0)
    'myusername' pts/0 2011-11-11 21:45 (:0)

So my concern is that I didn't even own this laptop at that date, let alone have Ubuntu dual-booted on my system.

Think I'm being hacked? Or is that just the date of the origin of the Natty desktop environment?

Who knows. I might be paranoid.

Best Answer

If you think you are being hacked, there are several quick things you can do to stop remote access:

  1. Run vino-preferences and see if it is activated. If it is, uncheck all options and, if you need it, change the password.

  2. Change your user password. That would make it tough to access via ssh with that user.

  3. Verify that there is no other user account. From the terminal you can do something like this: cat /etc/passwd | grep '/bin/bash', but there are other GUI and terminal ways.

  4. Disable the SSH server if you happen to have it installed. Type sudo apt-get purge openssh-server. If you don't have it, nothing will happen. If you do have it, it will ask you to confirm the removal.

Up to now you have just blocked the VNC and SSH services from being accessed remotely.

Now check if you have some script running when the PC starts. For example, something that is being sent to somebody outside. This implies having to check a lot of places. For example:

  • Check all /etc/rc* folders. For example /etc/rc0.d, /etc/rc1.d, ...
  • Check /etc/init.d for a weird service that is not supposed to be there.
  • Check that cron is not running something. Example: crontab -e will show what cron runs for your user.
  • Check that ufw is enabled and does not have some port forwarded. Also check iptables for this. If a port is forwarded it might look like he is trying to have direct access to the PC.
  • Any other place that might be used for automatically running something.

There are many other ways, but these are the quick and basic ones.
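As an added illustration (not part of the answer above), a small POSIX shell script that turns the account and cron checks from the answer into reusable functions and runs them against constructed sample files. The sample passwd and crontab contents, and the list of command names treated as "network tools", are assumptions made for the example.

```shell
#!/bin/sh
# Read-only audit helpers for the checks in the answer. Each takes the file to
# inspect as an argument, so it runs against the constructed samples below or
# against the live system (e.g. login_shell_accounts /etc/passwd).

# Accounts whose shell is not a non-login shell. Also catches /bin/sh or
# /bin/zsh accounts that grepping /etc/passwd for '/bin/bash' alone would miss.
login_shell_accounts() {
    awk -F: '$7 !~ /\/(nologin|false|sync|halt|shutdown)$/ { print $1 }' "$1"
}

# Any uid-0 account besides root: a second uid-0 entry is a classic sign of
# an added backdoor account.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Crontab entries (saved output of `crontab -l`) that invoke a network tool,
# the usual shape of "something being sent to somebody outside".
network_cron_entries() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" |
        grep -E '(^|[^[:alnum:]])(curl|wget|nc|ncat|ssh|scp)([^[:alnum:]]|$)'
}

# Constructed sample /etc/passwd: normal entries plus one suspicious account.
SAMPLE_PASSWD=$(mktemp)
SAMPLE_CRON=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD" "$SAMPLE_CRON"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
myusername:x:1000:1000:Me:/home/myusername:/bin/bash
support:x:0:0::/tmp:/bin/sh
EOF

# Constructed sample crontab: one routine job and one that phones out.
cat > "$SAMPLE_CRON" <<'EOF'
# m h dom mon dow command
0 3 * * * /usr/bin/updatedb
*/10 * * * * wget -q -O /dev/null http://example.invalid/check-in
EOF

printf 'login-capable accounts: %s\n' "$(login_shell_accounts "$SAMPLE_PASSWD" | tr '\n' ' ')"
printf 'extra uid-0 accounts: %s\n' "$(extra_uid0_accounts "$SAMPLE_PASSWD")"
printf 'network cron entries:\n%s\n' "$(network_cron_entries "$SAMPLE_CRON")"
```

On a live system, run the same functions on /etc/passwd and on the output of crontab -l (and on the files under /etc/cron.d), and treat every unexpected hit as something to explain before trusting the machine again.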
