NEES HELP! Unwated user accessing my laptop via WiFi

[Gonzo365]

Hi everyone, I'm a Linux newbie. A few weeks ago I decided to try out Mint and while it's great, I still feel lost at times.

So my issue is this, I'm renting a place for the week that offers WiFi for all tenants to use. I was connected last night and left my computer for a few minutes, when I came back someone was on my computer going through folders and files. I shut it down and have disconnected all my devices from the Wifi.

What can I do in this situation? I have already reported this to the building owner but I want to know how this person was able to connect to my computer or how I can figure out who it was?

I had ufw enabled and set to public protection if that helps. Thanks in advance

[jimallyn]

when I came back someone was on my computer going through folders and files

How do you know that?

[AZgl1800]

His statement sounds as though he was witnessing an app like TeamViewer running.

and how did they get that installed in the first place?
I also need to learn how to prevent that from happening.
I live in a lot of Motels several times a year.

My defence has been to enable my VPN so the local WiFi folks can't target me.

[Gonzo365]

when I came back someone was on my computer going through folders and files

How do you know that?

Because I saw the mouse physically moving around on the screen, opening folders. It's as if they had a remote connection to my computer but how would that be possible? This is a fresh install of mint, the only thing I've downloaded and installed is PIA which I've been using with no issues on other computers for nearly a year now.

This is why I assume it was someone on the shared WiFi accessing my computer.

[Gonzo365]

My defence has been to enable my VPN so the local WiFi folks can't target me.

I do run PIA at all times with the Killswitch enabled.

[Pierre]

unless you know off some Remote Program, that is / was running on your machine,,
then there is still no way of checking for this . .

so, you can now have two options:
- go for the Nuclear Option & re-install the Linux System, again.
- keep using the machine, until you see this issue again .. it may not ever occur, again.

ie: I've been advising an OP in an similar position, and they have just kept on using their machine,
as this is often an hardware issue - - particularly That Mouse - - can move, By Itself,, for various reasons.

YES - - I've seen this too - - where The Mouse Moves By Itself - - it's an hardware issue.
( an external mouse,, not the inbuilt mouse on an Laptop & it was to do with the MousePad that it was resting on )

[smurphos]

This is a fresh install of mint.

Which version? 19 Stable has no remote access software installed by default, but prior versions (including 19 beta) shipped with vino pre-installed. However by default it was not active.

This could happen quite easily if

1)Vino was enabled without password protection or a weak password.
2)There was a UFW rule to allowing incoming for the VNC ports, UFW is off, or UFW allows incoming connections generally.

[Gonzo365]

unless you know off some Remote Program, that is / as running on your machine,,
then there is still no way of checking for this . .

so, you can now have two options:
- go for the Nuclear Option & re-install the Linux System, again.
- keep using the machine, until you see this issue again .. it may not ever occur, again.

ie: I've been advising an OP in an similar position, and they have just kept on using their machine,
as this is often an hardware issue - - particularly That Mouse - - can move, By Itself,, for various reasons.

YES - - I've seen this too - - where The Mouse Moves By Itself - - it's an hardware issue.
( an external mouse,, not the inbuilt mouse on an Laptop & it was to do with the MousePad that it was resting on )

The mouse wasn't just moving though, it was clicking on folders and opening them.

What are some remote programs I can check for to see if they are open or running? I aussumed they were disabled by default, I turned off display sharing already.

[trytip]

this is a serious issue if someone actually got access to your laptop on a public wifi. have no clue how you setup ufw to use public protection. but even if someone got in using samba or ssh you would not see a mouse moving unless there was a remote desktop connection.

can't be certain unless you are certain that someone did open files. there's not much info, so no way to tell what the situation is. install gufw if you don't have it open it and turn it on deny access to incoming and allow outgoing. in the report tab you can see what's connected. what do you have for connections?

[Pierre]

" The mouse wasn't just moving though, it was clicking on folders and opening them".
- - well - - I've seen that too,, as yeah,, it was seriously Ghost Like - - weird stuff.
and it was still The Mouse Playing Up .. . .

so, anyway, there is several ways to remote into your machine,
- but not as easy as it is with that Windows system.
your best method & for peace-of-mind as well - - is to re-install the whole LinuxMint System - again.

[Faust]

..... but I want to know how this person was able to connect to my computer or how I can figure out who it was?

Those are the key questions , and they're tough to answer , unless you already have some pen-testing / forensic skills .

Everything you say points to someone on the same local network having deliberately compromised your machine ( eg. installed a remote desktop app )
What does the mouse pointer do if you disconnect completely from the wifi /ethernet ..... Nothing ?

Well in that case , start narrowing down the possible suspects ....
How many people in that building have access to the wifi ?
Where is the router physically located ?..... Is that where the landlord / janitor lives ?

If I were in that position , I'd back-up my personal files and do a fresh install of the OS , just for safety , then I would go hunting ...

BTW - Firewall offers no protection in this situation .

[Gonzo365]

This is a fresh install of mint.

Which version? 19 Stable has no remote access software installed by default, but prior versions (including 19 beta) shipped with vino pre-installed. However by default it was not active.

This could happen quite easily if

1)Vino was enabled without password protection or a weak password.
2)There was a UFW rule to allowing incoming for the VNC ports, UFW is off, or UFW allows incoming connections generally.

I'm running Mint 18.3. Vino was enabled because I didn't know about it before this happened (I've been reading for hours searching about all possible ways someone could have done this) but even then the security feature was enabled where I had to confirm any connections. I've since set a password and disabled it all together.

What I bolded in your post is the only thing I could think of. Is it possible if the ufw was set to home that someone could do this? I don't recall if it was or not because I quickly disconnected and changed security settings to be more strict after this happened.

[HaveaMint]

If Vino-Server is installed and not set to where you have to physically allow it by clicking ok on your PC and no password / firewall then it is easy to take control

[HaveaMint]

If you save your passwords to your bank account on that PC I would change it and NOT ever have your browser save that kind of info.

[Gonzo365]

..... but I want to know how this person was able to connect to my computer or how I can figure out who it was?

If I were in that position , I'd back-up my personal files and do a fresh install of the OS , just for safety , then I would go hunting

BTW - Firewall offers no protection in this situation .

I've had no issues since disconnecting from the LAN. There are only 3 other people in this building. I normally have access to Kali but didn't bring it with me as I'm a newbie on that environment too.

If firewall is useless what good would a fresh install be? Couldn't they exploit the same vulnerabilities as before?

Also, how exactly would you go hunting? What would be your game plan in this situation?

[Faust]

.....I normally have access to Kali but didn't bring it with me as I'm a newbie on that environment too.....

There you go .... everything you need is right there .

Find yourself some good tutorials and study up , but beware of posting noob questions ....
..... some of those forums can sense noobs /skiddies /wanabees from a mile away , and they can be harsh !

I won't be commenting any further because we may quickly head into murky waters .... ethically/legally/morally

Other than that .... get yourself a quality VPN , just for starters , before you ever connect to that network again !
Good luck and good hunting .

[Mattyboy]

did you consider running

Code: Select all

last

in terminal?

[smurphos]

Fresh install is recommended - just in case an attacker has planted any unwanted programs or tweaked settings to facilitate ongoing access.

As advised a VPN is basically mandatory or any public/shared wifi. There are plenty of tools out there to allow even the most amateur script kiddy to listen in on wifi traffic on the same network, and presumably everyone has got the same WPA2 key so that is no barrier. The Firewall is no help here.

Once you've got a fresh install and VPN, enable the firewall. Use the home profile not the public profile. Then apply all system updates to ensure all known security vulnerabilities are patched.

Then you can pen test your new install on the shared wifi if so wish.

Personally, I'd invest in a 4G dongle or 4G wifi router. They are not expensive and at least here in the UK 4G is coming down in price, and usage limits are going up to the point where it is a reasonable alternative to traditional ADSL or VDSL.

[gm10]

If firewall is useless what good would a fresh install be? Couldn't they exploit the same vulnerabilities as before?

His point (hopefully) was that a firewall is useless in a situation where your system has already been penetrated and backdoored. Your firewall will just be bypassed, your own system will initiate the connection to the attacker's server so your firewall never blocks it.

On a fresh install, however, the situation is different. First thing to do before enabling the network is to enable the firewall with a policy to block incoming connections. That prevents a remote attacker from connecting to any services running on your system, so unless you specifically install software on your device to initiate remote connections or careless install some sort of malware that does that for you, then you are basically safe from getting compromised over a network (nothing is ever 100% but for practical purposes you will be).

And yes, definitely completely clean install after you got compromised, keep nothing. Hope that your UEFI didn't get compromised...

[phd21]

Hi Gonzo365,

I just read your post and the good replies to it. Here are my thoughts on this as well.

Although it is not uncommon that your mouse cursor can move on its own, it would be very unlikely that your computer would be browsing your filesystem on its own which does indicate an intruder / hacker.

The firewall is very important and should be one of the first things anyone should enable (turn on) which by default blocks all incoming connections. But if your system is already compromised, then the firewall is not much help.

As was already stated, the safest option is to reinstall Linux Mint after backing up anything important. This way if the intruder(s) uploaded any remote access or remote control malware the reinstallation will not include that. Use a new computer name and login name and password. It only takes about 15 minutes to install or reinstall Linux Mint, run the updates, then install any apps you want and restore your backed up files and folders.

Because your system has already been hacked, change all your passwords now.

You can create a bootable DVD of Kaspersky antivirus antimalware, or one of the others (Avira, DrWeb, etc..) boot to that, update its definitions, and scan your entire system.

Dr.Web Administrator emergency aid kit Free utilities (DVD or USB stick)
https://free.drweb.com/aid_admin/?lng=en

There are various relatively easy steps to help prevent your systems from being hacked or taken over using home or business wired or wireless networks or public wifi networks.

- Enable the Linux Mint firewall first...

1.) Use good strong passwords that are 17-20 mixed characters and symbols (do not use spaces, #, or quotes). Do not use the same password for everything. If need be, use a password manager to store and or create these passwords, KeePassXC is excellent. Remember to change your passwords every now and then. If your computer is ever unattended (left alone) especially while you are away, use the Screen Saver (screen locker) requiring your password, maybe even setup a Bios boot password too.

2.) install "fail2ban" or something like it (denyhosts, "heatshield"?, etc...) to prevent hackers from trying multiple times to crack your login. This also creates a log of any IP addresses which you can review.

3.) If you have your own hardware router, even a portable mini travel router, use that to connect with any public Wifi or foreign wired Ethernet or wireless networks with your own WPA2 security logins and strong password and any of your computers, phones, etc.. always connect to your router. Make sure all security features are enabled (the hardware firewall, maybe even Mac address hardware filter limiting, etc..)

4.) Change your local ISP DNS server IP addresses to neutral secure ones from a reliable DNS provider which can easily be done in hardware routers and or desktops and Internet accessing devices (smartphones, etc...)

5.) Use a good VPN provider with a good password. PIA (Private Internet Access) is a great VPN provider. You should change the password for any existing VPN accounts and their server connections.

6.) Disable any remote control software like "Vino" when not in use and of course use strong passwords and any other security features that remote access apps may have.

7.) Some chat messengers are not secure and can provide "backdoor" access to your system, can install malware, etc... like Skype and Facebook (turn these off when not in use). Use the "Firejail" sandboxing app with these and all Internet enabled applications to help protect your system. There are secure messengers ("qTox 'Qtox' ", "Wire", Ring, Jitsi, Linphone, etc...)

8.) With all Internet browsers, there are extensions and add-ons which should be installed to prevent websites or their advertisements from installing malware and such. My favorites are "uBlock origin" (some browsers have built-in ad blocking now), Disconnect, Privacy badger or Privacy Protector Plus, https everywhere, etc...

There are really good posts on this in this forum search for "online banking", public wifi, etc...

Hope this helps ...