First, what happened:
I can’t believe it, but my home machine was actually hacked into this weekend. I had installed RealVNC 4.1.1 some time ago so I could access my machine from afar, although frankly I use RDC much more often, as it is more secure. I just never turned VNC off… Well, I sure should have. See this link for information about the vulnerability in this version of RealVNC:
http://secunia.com/advisories/20107/
The screen saver always locks my desktop; it keeps the kids off the computer unless authorized. In the morning, when my wife entered the logon password as usual, she watched all the icons on the desktop disappear; all that was left was the wallpaper. Ctrl-Alt-Delete did nothing. I went to another machine to review this one to see what might be wrong, and what I found put a lump in my throat. The event log showed many connections to VNC, and following the last one, I saw my antivirus and many other services being shut down. Beyond that, nothing was logged, but clearly someone had maliciously invaded my machine! Paranoia kicked in, and I immediately turned off the machine. Who knew what it was doing...
What I did about it:
Fortunately for me, I recently started making image backups of my system hard drive. See my blog entry about that here. I was very curious what had been changed and altered, but I didn’t want to actually run the machine in its current state. So I booted my GParted CD and made a copy of the current C: partition to some free space on my external USB drive. Then I used my BartPE bootable CD and DriveImage XML to restore the C: partition to its state the last time I backed it up (about a week earlier). I then restarted the machine and, after immediately changing my logon password and disabling RealVNC, I did a file-by-file comparison between my current (restored) image and the copy of the image (now the G: drive) that I had made before doing the restore. I found some odd things; if anyone wants more details, I’d be happy to share them. I am assuming it was the hacker who changed the following files in my system directory:
Mrt.exe
Msscp.dll
Ntkrnlpa.exe
Ntoskrnl.exe
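The file-by-file comparison described above is the kind of job that is easy to get wrong by hand, and comparing timestamps alone is unreliable because an intruder can reset them. Below is an added example (my own code, not the author's tooling or anything from DriveImage XML) that walks a known-good tree and a suspect tree, hashes every regular file with SHA-256, and reports what was added, removed or modified by content. The two trees it builds under a temporary directory are a constructed fixture that mirrors the situation in the post (one system file altered, one unexpected file dropped in); point it at a restored image and the mounted copy of the compromised partition to do the real comparison.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large binaries (kernels, hives) do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map relative POSIX path -> (size, sha256) for every regular file under root.

    Symlinks and special files are skipped; hashing content rather than trusting
    mtime matters because an intruder can restore old timestamps after editing.
    """
    root = Path(root)
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            rel = p.relative_to(root).as_posix()
            out[rel] = (p.stat().st_size, sha256_of(p))
    return out


def compare_trees(clean_root, suspect_root):
    """Return paths added, removed and modified in suspect_root relative to clean_root."""
    clean = snapshot(clean_root)
    suspect = snapshot(suspect_root)
    common = clean.keys() & suspect.keys()
    return {
        "added": sorted(set(suspect) - set(clean)),
        "removed": sorted(set(clean) - set(suspect)),
        "modified": sorted(p for p in common if clean[p] != suspect[p]),
    }


def build_demo():
    """Constructed fixture (not real system files): a clean tree and a tampered copy."""
    base = Path(tempfile.mkdtemp(prefix="imgdiff_"))
    clean, suspect = base / "clean", base / "suspect"
    for root in (clean, suspect):
        sysdir = root / "WINDOWS" / "system32"
        sysdir.mkdir(parents=True)
        (sysdir / "ntoskrnl.exe").write_bytes(b"MZ original kernel image")
        (sysdir / "kernel32.dll").write_bytes(b"MZ unchanged library")
    # Same size as the original so a size-only or timestamp-only check could miss it.
    (suspect / "WINDOWS" / "system32" / "ntoskrnl.exe").write_bytes(b"MZ tampered kernel im@ge")
    (suspect / "WINDOWS" / "system32" / "dropped.dll").write_bytes(b"MZ new unexpected file")
    return clean, suspect


if __name__ == "__main__":
    clean_dir, suspect_dir = build_demo()
    report = compare_trees(clean_dir, suspect_dir)
    for kind in ("added", "removed", "modified"):
        for path in report[kind]:
            print(f"{kind:8s} {path}")
```

On a real run, replace `build_demo()` with the two mount points (for example the restored C: and the G: copy the post mentions) and expect noise from log files, prefetch data and the page file; the entries worth a second look are changed executables and DLLs under the system directory, exactly the class of file listed above.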
I am very concerned that the password my wife entered was immediately sent to the hacker. I have no way of knowing, really. Having caught it quickly, though, restored the entire image, changed my password, and eliminated the source of the hack, I am pretty confident that I have a clean machine once again.
What to do to avoid this in the future:
Here is what I did wrong, and what I intend to do to fix it, because this could have been avoided. If you have ideas that should be added to the list, please let me know…
1) Since forever, especially at home, it has been my machine, I am master of it, and therefore I am a system administrator. What a pain, logging off to install some software... Well, I think I’ll bite the bullet and change my habits. The hacker could never have stopped the antivirus software or done most of what was done if the machine were normally logged on as a user with little or no authority. It is now time to protect my machine from myself and only log on with administrative authority when it really is necessary, as all security experts recommend. This will be a hard habit to break.
2) Close ports that are not being used. I stopped using VNC to access this machine, I should have uninstalled it. At least I should have removed the port from the virtual server list in my NAT router.
3) On a regular basis, visit http://secunia.com/software_inspector/
This site has a Java-based inspector that will look for signatures of application versions that are known to have vulnerabilities. I discovered this when I googled “VNC vulnerability” to see if that could be how the hacker got in. Google found the page linked at the top of this post about this version of RealVNC; had I looked earlier, I would have at least upgraded to a fixed version.
4) Keep doing my drive image backups. It is probably best to take the external drive offline following the backup (assuming it is not needed for some other purpose), just to keep it safe from any hacking that does occur. At least make sure the logged-on user has only read access to it, and run the backup under another account.
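Item 2 is worth verifying rather than assuming: after removing the port forward from the router, check from the outside that nothing answers on the VNC port, and on the inside check what the server still offers. The added example below (my own code, not from the post or from RealVNC) speaks just enough of the RFB protocol to do that: it reads the server's version banner, replies with the same version, and parses the list of security types the server offers, flagging a server that offers type 1 ("None", no password at all). The sample messages it is tested against are constructed bytes, not captured traffic; `probe()` performs the real network exchange against a host and port you supply.

```python
import socket
import struct

SECURITY_TYPE_NAMES = {1: "None (no password)", 2: "VNC Authentication"}


def parse_version(banner):
    """Parse the 12-byte RFB ProtocolVersion message, e.g. b'RFB 003.008\\n' -> (3, 8)."""
    if len(banner) != 12 or not banner.startswith(b"RFB ") or banner[-1:] != b"\n":
        raise ValueError("not an RFB ProtocolVersion message: %r" % (banner,))
    major, minor = banner[4:11].split(b".")
    return int(major), int(minor)


def parse_security_types(data):
    """Parse the RFB 3.7+ server security-types message.

    Layout: u8 count, then count bytes of type numbers. A count of 0 means the
    server refused the connection and is followed by a u32 length and a reason.
    """
    if not data:
        raise ValueError("empty security-types message")
    count = data[0]
    if count == 0:
        (n,) = struct.unpack("!I", data[1:5])
        return {"types": [], "error": data[5:5 + n].decode("latin-1")}
    return {"types": list(data[1:1 + count]), "error": None}


def assess(types):
    """Turn the offered security types into findings a reviewer would act on."""
    findings = []
    if 1 in types:
        findings.append("offers type 1 (None): anyone who can reach the port gets a session with no password")
    if types and not any(t not in (1, 2) for t in types):
        findings.append("only classic types offered: the session, including keystrokes, is not encrypted")
    for t in types:
        if t not in SECURITY_TYPE_NAMES:
            findings.append("offers non-standard security type %d (vendor extension)" % t)
    return findings


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        part = sock.recv(n - len(buf))
        if not part:
            raise ConnectionError("peer closed the connection mid-message")
        buf += part
    return buf


def probe(host, port=5900, timeout=5.0):
    """Connect to host:port, complete the version exchange and return the offered types."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        major, minor = parse_version(_recv_exact(s, 12))
        s.sendall(b"RFB %03d.%03d\n" % (major, minor))  # agree to the server's version
        if (major, minor) < (3, 7):
            # RFB 3.3: the server dictates a single u32 security type (0 = failure).
            (t,) = struct.unpack("!I", _recv_exact(s, 4))
            result = {"types": [t] if t else [], "error": None if t else "refused"}
        else:
            count = _recv_exact(s, 1)
            body = _recv_exact(s, count[0]) if count[0] else _recv_exact(s, 4)
            if not count[0]:
                body += _recv_exact(s, struct.unpack("!I", body)[0])
            result = parse_security_types(count + body)
    result["version"] = (major, minor)
    result["findings"] = assess(result["types"])
    return result


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    r = probe(host)
    print("RFB %d.%d, offers %s" % (r["version"] + (
        [SECURITY_TYPE_NAMES.get(t, str(t)) for t in r["types"]],)))
    for f in r["findings"]:
        print(" -", f)
```

A connection refused on the public side of the router is the result you want after item 2. Note what this check cannot tell you: the RealVNC 4.1.1 flaw in the advisory linked at the top of the post is an authentication bypass in exactly this handshake step (the client could select a security type the server had not offered), so a server that offers only type 2 is not thereby proven to enforce it; the fix for that is the version upgrade from item 3, not a cleaner-looking offer list.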
I hope this never happens to you!