The macosxhints Forums > OS X Help Requests > Networking

#1 JeffTronics, 10-06-2012, 01:10 AM
I've been Hacked. Now What?

Hi,

I watched my computer get hacked into tonight. I'm hoping it was only for a few moments, since it looks like they accessed my VNC server.

What happened was, my display woke up (it's set to sleep after 15 minutes). Then I noticed my browser windows were being controlled, specifically opening up a Wal-Mart page.

I noticed the VNC server icon was active, showing a connection, and the pointer was moving around. I immediately disconnected my server services, including the VNC client. The only port I should normally have active is SSH/22. It was my bad: I discovered I had configured my new router incorrectly by opening the VNC port. I normally tunnel VNC through the SSH connection.

My questions are:

How can I determine if the hacker connected via my SSH connection?

How can I see if perhaps it was hacked into earlier, when I wasn't home?

How can I verify whether something was put on my system that might be sending my personal information outbound?

The console is showing break-in attempts prior to my witnessing what happened, and there's some activity coinciding with the break-in. But I'm not an expert at interpreting this stuff. Is this something I can paste here for others to help me understand?

Thanks,

JT
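The first two questions above (did the attacker also come in over SSH, and did it happen earlier) are answered by the SSH server's own log rather than by guesswork. On the OS X releases of that time sshd wrote to /var/log/secure.log; on Linux the same messages land in /var/log/auth.log or /var/log/secure. The script below is an added example, not something posted in the thread. Its log lines are constructed to follow OpenSSH's "Failed password" and "Accepted" message format, and the host name (jtmac), user (jt) and addresses are made up. It counts failures per source, lists every successful login with its authentication method, shows which successes came from outside the LAN, and singles out any password login from an address that had been guessing passwords shortly before.

```shell
#!/bin/sh
# Added example (not from the thread): triage an OpenSSH server log for the
# two questions asked above. Works on /var/log/secure.log (older OS X),
# /var/log/auth.log or /var/log/secure (Linux). The sample log is constructed.
set -eu

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Oct  5 22:41:03 jtmac sshd[1412]: Invalid user admin from 203.0.113.7
Oct  5 22:41:05 jtmac sshd[1412]: Failed password for invalid user admin from 203.0.113.7 port 52113 ssh2
Oct  5 22:41:09 jtmac sshd[1415]: Failed password for invalid user oracle from 203.0.113.7 port 52120 ssh2
Oct  5 22:41:14 jtmac sshd[1418]: Failed password for root from 203.0.113.7 port 52131 ssh2
Oct  5 22:41:20 jtmac sshd[1420]: Failed password for jt from 203.0.113.7 port 52140 ssh2
Oct  5 22:41:25 jtmac sshd[1422]: Failed password for jt from 203.0.113.7 port 52148 ssh2
Oct  5 22:41:31 jtmac sshd[1424]: Failed password for jt from 203.0.113.7 port 52155 ssh2
Oct  5 23:02:10 jtmac sshd[1490]: Failed password for jt from 198.51.100.23 port 40011 ssh2
Oct  6 00:03:44 jtmac sshd[1603]: Accepted publickey for jt from 192.168.1.20 port 51000 ssh2
Oct  6 00:58:01 jtmac sshd[1710]: Accepted password for jt from 203.0.113.7 port 52210 ssh2
EOF

# Failed password attempts per source address, busiest first: "count ip".
failed_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
             for (i = 1; i <= NF; i++) if ($i == "from") n[$(i + 1)]++
         }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# Sources that crossed a brute-force threshold (default 5 failures).
brute_force_sources() {
    failed_by_source "$1" | awk -v t="${2:-5}" '$1 >= t { print $2 }'
}

# Every successful login: "Mon D HH:MM:SS method user source".
accepted_logins() {
    awk '/sshd\[[0-9]+\]: Accepted (password|publickey|keyboard-interactive)/ {
             for (i = 1; i <= NF; i++) {
                 if ($i == "Accepted") { method = $(i + 1); user = $(i + 3) }
                 if ($i == "from")     { src = $(i + 1) }
             }
             print $1, $2, $3, method, user, src
         }' "$1"
}

# Successful logins from outside RFC 1918 space. With access normally
# limited to the LAN plus an SSH tunnel, any line here needs explaining.
external_accepts() {
    accepted_logins "$1" | awk '$6 !~ /^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/'
}

# A password login from an address that was guessing passwords shortly
# before is the strongest sign the SSH door was opened, not just knocked on.
compromise_candidates() {
    brute_force_sources "$1" | while IFS= read -r ip; do
        accepted_logins "$1" | awk -v ip="$ip" '$6 == ip && $4 == "password"'
    done
}

echo "== failed passwords by source =="; failed_by_source "$SAMPLE_LOG"
echo "== successful logins =="; accepted_logins "$SAMPLE_LOG"
echo "== logins from outside the LAN =="; external_accepts "$SAMPLE_LOG"
echo "== password logins from brute-forcing sources =="; compromise_candidates "$SAMPLE_LOG"
```

Point the functions at the real log (for example `compromise_candidates /var/log/secure.log`) and read them in that order: the first list is the background noise every Internet-facing port 22 collects; the second and third are what matter; the last is the one that should be empty. A successful public-key login from the LAN during the incident window is your own tunnel; a successful password login from an address that appears in the first list is not.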
#2 bramley, 10-06-2012, 01:32 AM

Forget the questions!

Your first priority is to ensure all sensitive online info is protected.
Run, do not walk, to all online bank accounts, etc., and change your passwords. Don't use the afflicted machine to do this.

Then worry about the details.

#3 benwiggy, 10-06-2012, 01:57 AM

Quote:
Originally Posted by JeffTronics
How can I verify whether something was put on my system that might be sending my personal information outbound?

No verification required.
You know that you've been hacked. You cannot trust that computer. Even if you find something they've done, you won't know that it is everything they've done.

Do a clean install of the OS and then transfer your user data from your backup. You should check that you don't copy over any suspicious LaunchDaemons, LaunchAgents or Login Items.

#4 JeffTronics, 10-06-2012, 08:04 AM

Thanks for the straightforward suggestions.
  • I have begun to make the calls to get new account numbers.
  • Changed all passwords for everything I have a password for.
  • Refreshed my IP address from my ISP.
  • Closed all ports on my router.
  • Successfully restored my hard drive using a 2-month-old clone. Plus or minus a few apps and settings to restore, it's a safe copy because it was made before I had my new router and opened the VNC port.

Anything else I need to be prudent about?

#5 cpragman, 10-06-2012, 10:03 AM

In the future, you can harden SSH a lot more than it sounds like you've done so far.
1. At your router, redirect some high, obscure external port to map to the SSH port on your internal network. This is security by obscurity, but means your network won't respond to the typical Port 22 port knockers that have been knocking at your system all day long.
2. In the SSH config files, turn off password access as a permissible authentication method. Only allow RSA keys as an authentication method. Generate a public/private keypair for yourself.
3. Review your secure.log periodically.
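Step 2 above is where people most often think they are done when they are not: a commented-out line in sshd_config is documentation, not a setting, and sshd takes the first value it sees for each keyword, so a "no" appended at the bottom of the file changes nothing if a "yes" sits above it. The script below is an added example, not code from the thread. It reads the effective value of each keyword the way sshd does and audits a file for the settings cpragman lists (passwords off, public-key on), plus two checks worth adding that the post does not mention: no root login and an explicit AllowUsers list. Both config files in it are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config against the
# settings cpragman recommends, plus two checks worth adding (no root login,
# an explicit AllowUsers list). Both config files below are constructed.
set -eu

WEAK=$(mktemp); HARD=$(mktemp)
trap 'rm -f "$WEAK" "$HARD"' EXIT

# A near-stock file. Commented lines are documentation only, so OpenSSH's
# defaults apply; and the "no" appended at the bottom changes nothing,
# because sshd takes the FIRST value it sees for each keyword.
cat > "$WEAK" <<'EOF'
#PasswordAuthentication yes
PasswordAuthentication yes
#ChallengeResponseAuthentication yes
#PubkeyAuthentication yes
#PermitRootLogin yes
UsePAM yes
# appended in a hurry, silently ignored
PasswordAuthentication no
EOF

# Key-only access for one account; this is the target state.
cat > "$HARD" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
AllowUsers jt
UsePAM yes
EOF

# Effective value of one keyword in a file: $1 file, $2 keyword, $3 default.
# Keywords are case-insensitive, the first occurrence wins, and a Match
# block ends the global section. Handles the "Keyword value" form only.
sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "match"     { exit }
        tolower($1) == key         { print $2; found = 1; exit }
        END { if (!found) print def }' "$1"
}

# One FAIL line per weak setting; prints nothing for a hardened file.
audit_sshd_config() {
    f=$1
    [ "$(sshd_value "$f" PasswordAuthentication yes)" = "no" ] \
        || echo "FAIL PasswordAuthentication must be no (password guessing still possible)"
    # Old name and its newer alias (KbdInteractiveAuthentication); either
    # left on lets PAM prompt for a password even with passwords "off".
    cr=$(sshd_value "$f" ChallengeResponseAuthentication "")
    [ -n "$cr" ] || cr=$(sshd_value "$f" KbdInteractiveAuthentication yes)
    [ "$cr" = "no" ] \
        || echo "FAIL ChallengeResponseAuthentication must be no (PAM can still ask for a password)"
    [ "$(sshd_value "$f" PubkeyAuthentication yes)" = "yes" ] \
        || echo "FAIL PubkeyAuthentication must be yes"
    # Only an explicit "no" passes; key-based root login is still root login.
    [ "$(sshd_value "$f" PermitRootLogin yes)" = "no" ] \
        || echo "FAIL PermitRootLogin must be no"
    [ -n "$(sshd_value "$f" AllowUsers "")" ] \
        || echo "FAIL AllowUsers not set (every local account is an SSH target)"
}

# Number of findings, for a go/no-go decision in a script.
audit_failures() { audit_sshd_config "$1" | wc -l | tr -d ' '; }

echo "== weak =="; audit_sshd_config "$WEAK"
echo "== hardened =="; audit_sshd_config "$HARD"
```

On the Mac of that era the file is /etc/sshd_config (current macOS and Linux use /etc/ssh/sshd_config), so `audit_sshd_config /etc/sshd_config` is the real call. Do the key half of step 2 before flipping passwords off: `ssh-keygen -t rsa -b 4096`, append the .pub file to ~/.ssh/authorized_keys on the Mac, run `sshd -t` to syntax-check the edited file, and confirm a key login works in a second terminal before closing the session you are editing from. The router-side port mapping in step 1 is invisible to this check; sshd keeps listening on 22 inside the LAN, and only the external port changes.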
#6 JeffTronics, 10-07-2012, 10:47 AM

At this point, I want to say thanks for nudging me in the right direction with some great suggestions. I'm back up and running, with still some questions and concerns moving forward.

Back to an earlier comment,
Quote:
...suspicious LaunchDaemons or Launch Agents or Login Items

What's the best way for me to see / monitor if and what daemons or launch agents are running?

I'm mostly confident about the clone I used to restore my system but after what happened I'd like to be more diligent going forward. I use snitch and am not seeing any abnormal outbound traffic. Just the installed apps and services calling home, as intended.

When configuring my 2Wire modem's firewall protection to monitor excessive session detection, it detects outbound traffic immediately and I need to disable this feature in order to load web pages. Because this is a new router for me, I'm wondering if this is just a pesky feature that will react to almost any activity. The verbiage in the help text states the activity is commonly caused by 'blaster' type viruses. I don't think this is the case on either of my Macs, for a PC virus. The feature is turned off by default when received from AT&T.

As for SSH: for now, I decided to put off configuring any remote access connections to my computer, turned all services off, and closed the ports on the router.

Looking back on what happened: when examining the log files, it appears I was hacked for about 3 min 46 sec. I was very lucky to be near my computer at that exact time and to notice the VNC connection becoming active.

They were attempting to order a game using credit card info they saved to my desktop using VNC file transfer. My already-opened browser window was controlled to go to Walmart to purchase a game!

I immediately grabbed control back, disconnecting the connected client, and noticed the client's IP address was from outside my network. This alleviated the additional concern that they might be inside my wireless network.

Was I targeted? Beyond my leaving the VNC port open on my router (the VNC client was not password protected because I normally tunnel it through SSH), what made someone pick my IP address to mess with? Was it picked out of a hat? Can a neighbor be using a Wi-Fi sniffer to see my public IP?

Do Torrent clients broadcast my IP over p2p, so someone can attack it to see what's open, and they got lucky?

I had port 5900 open, so I can see in part why I was a target. But why my IP address?

#7 NovaScotian, 10-07-2012, 02:07 PM

Launch Agents live in ~/Library/LaunchAgents and /System/Library/LaunchAgents, and Launch Daemons live in /System/Library/LaunchDaemons. Their names tell you whose they are: they contain the URL in reverse. Looking at them in Quick Look, you can see what they do or start.

It's been my experience that script kiddies are always scanning IP Addresses for ports that are of interest to their schemes. I don't worry too much about that because I don't have any vulnerabilities that I know of and things like login passwords, bank account numbers, and credit card info are all locked up in 1Password.
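Two things are worth adding to the directory list in the post above before using it as a restore checklist. First, /Library/LaunchAgents and /Library/LaunchDaemons (no /System) also exist; they hold third-party jobs and, being writable by an administrator rather than only by the installer, are where persistence usually lands. Second, the reverse-URL label is just a string the plist's author typed, so what the job actually runs (Program or ProgramArguments) is the field to judge it by, not the name. The script below is an added example, not code from the thread, covering both this post and benwiggy's advice in #3 about what not to copy over. It builds a constructed directory tree with three made-up plists in a temp directory so it runs anywhere, inventories every plist as "file|label|command", and flags the ones a restore should not carry over: a program living under a home or temp directory or in a hidden folder, or a com.apple label outside /System.

```shell
#!/bin/sh
# Added example (not from the thread): inventory launchd plists and flag the
# ones that deserve a look before a restore. The directory tree and plists
# below are constructed in a temp dir so the script runs anywhere; on a Mac
# point the functions at the real LaunchAgents/LaunchDaemons directories.
set -eu

ROOT=$(mktemp -d)
trap 'rm -rf "$ROOT"' EXIT
AGENTS="$ROOT/Library/LaunchAgents"
DAEMONS="$ROOT/Library/LaunchDaemons"
USER_AGENTS="$ROOT/Users/jt/Library/LaunchAgents"
mkdir -p "$AGENTS" "$DAEMONS" "$USER_AGENTS"

# Minimal XML plist writer: $1 path, $2 Label, rest = ProgramArguments.
write_plist() {
    path=$1; label=$2; shift 2
    {
        printf '<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0">\n<dict>\n'
        printf '\t<key>Label</key>\n\t<string>%s</string>\n' "$label"
        printf '\t<key>ProgramArguments</key>\n\t<array>\n'
        for a in "$@"; do printf '\t\t<string>%s</string>\n' "$a"; done
        printf '\t</array>\n\t<key>RunAtLoad</key>\n\t<true/>\n</dict>\n</plist>\n'
    } > "$path"
}

# Constructed samples: two ordinary entries and one that should not survive
# the restore (Apple-looking label, binary hidden inside the home directory).
write_plist "$AGENTS/com.example.updater.plist" com.example.updater \
    /Library/Example/Updater.app/Contents/MacOS/updater --check
write_plist "$DAEMONS/org.cups.cupsd.plist" org.cups.cupsd /usr/sbin/cupsd -l
write_plist "$USER_AGENTS/com.apple.softwareupdate.helper.plist" com.apple.softwareupdate.helper \
    /Users/jt/.cache/.sys/update -c /Users/jt/.cache/.sys/cfg

# One line per plist, "file|label|command". A small awk state machine over
# the XML is enough for the plists launchd reads; a binary plist needs
# `plutil -convert xml1` first.
launchd_inventory() {
    find "$@" -name '*.plist' | sort | while IFS= read -r f; do
        awk -v file="$f" '
            function val(s) { sub(/^[[:space:]]*<string>/, "", s); sub(/<\/string>.*$/, "", s); return s }
            /<key>Label<\/key>/            { want = "label"; next }
            /<key>ProgramArguments<\/key>/ { want = "args";  next }
            /<key>Program<\/key>/          { want = "prog";  next }
            /<\/array>/ && want == "args"  { want = "" }
            /<string>/ && want == "label"  { label = val($0); want = "" }
            /<string>/ && want == "prog"   { prog  = val($0); want = "" }
            /<string>/ && want == "args"   { args  = (args == "" ? "" : args " ") val($0) }
            END { print file "|" label "|" (prog == "" ? "" : prog " ") args }' "$f"
    done
}

# Flag entries whose program lives where no system or vendor job should
# (a home directory, a temp directory, a hidden folder) or whose label
# claims to be Apple while living outside /System. The label is only a
# hint: it is whatever string the plist author chose.
suspicious_launchd() {
    launchd_inventory "$@" | awk -F'|' '
        { file = $1; label = $2; cmd = $3; why = "" }
        cmd ~ "(^|[[:space:]])/(Users|tmp|private/tmp|var/tmp|private/var/tmp)/" { why = why "program under a user or temp dir; " }
        cmd ~ "/\\.[^/[:space:]]+/"                                          { why = why "hidden directory in path; " }
        label ~ "^com\\.apple\\." && file !~ "/System/Library/"              { why = why "com.apple label outside /System; " }
        why != "" { print file " :: " label " :: " cmd " :: " why }'
}

count_suspicious() { suspicious_launchd "$@" | wc -l | tr -d ' '; }

echo "== inventory =="; launchd_inventory "$AGENTS" "$DAEMONS" "$USER_AGENTS"
echo "== suspicious =="; suspicious_launchd "$AGENTS" "$DAEMONS" "$USER_AGENTS"
```

On the Mac, call the two functions with ~/Library/LaunchAgents /Library/LaunchAgents /Library/LaunchDaemons /System/Library/LaunchAgents /System/Library/LaunchDaemons, and compare the inventory with what is actually loaded (`launchctl list`). Login Items are not plists in those folders; `osascript -e 'tell application "System Events" to get the name of every login item'` lists them. Anything flagged gets checked against the restore clone before it is copied, which is the practical form of the advice in #3.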
Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2013, vBulletin Solutions, Inc.
Site design © IDG Consumer & SMB; individuals retain copyright of their postings
but consent to the possible use of their material in other areas of IDG Consumer & SMB.