I just installed my new desktop with OpenSuse 11.2 64bit. Everything works fine (more or less).
Since last night I have had some strange events on my system. While working on my desktop I just saw a small window popping up on the upper left saying that my system will now be remotely controlled by another system. It shows me the IP address — unfortunately too fast to make a note of everything.
However last night I just switched off my computer due to panic. I did not think much about that since I thought this might be a coincidence.
Just 10 minutes ago, the same thing happened again and this time the other user was really doing some action on my system (I could see how my mouse suddenly started to move and how windows got closed etc.).
What is going on? I never ever confirmed that someone can control my system. I installed the remote desktop but only for my own purpose and as far as I remember I did not enable anything so it should not work.
How can I avoid that someone is taking over my system without asking me or that I need to confirm? The firewall of OpenSuse is running and I am sitting behind a router which has a MAC filter and the internal IP address is not visible to the outside. How can the user bypass my security settings?
Is there a way to see who is trying to access my system?
Do you think it’s someone on your local network, or is yours the only PC on that connection? If so, it’s probably coming in from outside.
You didn’t say whether this was simple RDP or VNC, but in either case, you need to change the port from the default. I’d be willing to bet that whoever was trying to get into your computer has tried in the past, and it was pure luck that you happened to be sitting there.
It is definitely just me on the computer and in the network. I just de-installed all remote desktop components incl. telnet, rsh, and so on. Additionally I checked my firewall again for some missing information. Finally I installed fail2ban but I think this is not really solving my issue.
VNC is still installed but I confirmed again in the control center that remote administration is not allowed on Remote Administration (VNC).
As written I briefly saw the IP address. Do you know if there is a log file stored somewhere which tracks the IP address?
I confess when I read this, I also thought you were pulling a 1st April Fools on 1st of March.
The very first thing I would do is change passwords for both regular user and for root.
Then I would check all logs for unusual behaviour. Don’t forget to check the bash shell “history” (you can do that with something like "history > my-bash-history.txt" and ensure every command in that file “my-bash-history.txt” was sent by you). Do that as both a regular user and with root permissions (maybe give the root permissions file a different name).
If your firewalls are as secure as you say in your 1st post, it does read to be very unlikely this is happening. Did you open port#22 (or vnc or ssh server) anywhere?
Does anyone “unsavory” have physical access to your PC?
Thanks to all of you for your reply. I checked the history of my regular user and of the root user and none of them appears to have unusual behaviour or commands which I did not issue.
I guess I was just lucky and I will definitely check my system the next couple of weeks. I added the two lines to my rsyslog.conf and re-checked my firewall for potential open ports.
Is your router wireless? I ask 'cause I have seen this before with open security rules (i.e. not defined) with a wireless LAN managed through a wireless router using WEP (very simple security, no encryption) and a knowledgeable person within wireless range. If these situations match up somewhat with you, maybe try using WPA/WPA2 on wireless and do some network homework.
If you have a wireless router, at least disable dhcpd in your router setup or use MAC address filtering (or just do both) and use static IPs in your LAN.
I do have a wireless router but I enabled WPA2 (incl. 63 digit password), MAC filter etc. I already checked the log of the router and I could not see any indication of the hi-jacking.
Since I un-installed all remote desktop, vnc components and disabled all ports on the firewall (for a while) the message did not appear anymore. I will wait for a couple of weeks and see what is going to happen and then after a while I will open up certain ports again.
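For the question of which remote-access services are actually listening (VNC, RDP, ssh, telnet and rsh are all mentioned in this thread), here is an added example, not part of any poster's reply: a shell function that reads `ss -tln` output and reports listeners on those services' default ports that are bound to a non-loopback address. The function names and the sample socket list are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: report remote-access listeners reachable from other hosts.
# Input on stdin: `ss -tln` output (State Recv-Q Send-Q Local:Port Peer:Port).

# Map a default port number to a service named in the thread.
remote_service() {
  case "$1" in
    22)           echo ssh ;;
    23)           echo telnet ;;
    514)          echo rsh ;;
    3389)         echo rdp ;;
    58[0-9][0-9]) echo vnc-http ;;   # VNC web viewer, displays :0 to :99
    59[0-9][0-9]) echo vnc ;;        # VNC, displays :0 to :99
    *)            return 1 ;;
  esac
}

audit_listeners() {
  local state recvq sendq local_addr rest addr port svc
  while read -r state recvq sendq local_addr rest; do
    [ "$state" = "LISTEN" ] || continue      # also skips the header line
    port=${local_addr##*:}                   # text after the last colon
    addr=${local_addr%:*}                    # everything before it
    case "$addr" in
      127.*|"[::1]") continue ;;             # loopback only, not exposed
    esac
    svc=$(remote_service "$port") || continue
    echo "$svc $addr $port"
  done
}

# Constructed sample input (not taken from the poster's machine).
SAMPLE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      5      0.0.0.0:5900       0.0.0.0:*
LISTEN 0      128    127.0.0.1:631      0.0.0.0:*
LISTEN 0      5      127.0.0.1:5901     0.0.0.0:*
LISTEN 0      128    [::]:3389          [::]:*
LISTEN 0      100    0.0.0.0:25         0.0.0.0:*'

printf '%s\n' "$SAMPLE" | audit_listeners
# Live use (as root to see every socket): ss -tln | audit_listeners
```

Anything it prints is bound to an address other hosts can connect to; whether it can be reached from outside the LAN still depends on the host firewall and the router's port forwarding.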