Remote desktop abused

Hello all,

Just a few moments ago I got notified by the remote desktop application that someone logged in. As I have not given out my remote desktop information to anyone it has to be some sort of attack. I immediately rebooted and I noticed erratic hard drive activity. A few applications with ‘tracker’ in their name were causing major cpu load so I killed them. Right now my computer is not logged into the Internet so it’s probably impossible for any more of my data to leak out.

Can someone suggest the best way forward from here? I take it the first thing to do is to install a new openSUSE copy.

For starters,
You’ll probably have to provide more specific details… like what Remote Desktop app you’re using, what technology/protocol you’re implementing, if you’ve enabled/disabled any Guest/anonymous accounts you’re aware of, and in particular if you’ve enabled “Desktop Sharing” anywhere… Because if you’re currently logged in, without Desktop Sharing enabled ordinarily a remote user would have to log you off to himself logon.

In other words, try to at least figure out what you did wrong (because a default install ordinarily won’t allow an intrusion like this) so you won’t repeat your mistake. Then, you can decide whether you need to pave and rebuild or simply modify your security. If you can’t figure out what you did wrong, then various options can be considered depending on what you feel comfortable with.


I used the build-in Remote Desktop application found in the Control Center of openSUSE 11.3 to set up my machine to allow viewing and controlling of my desktop. Now this will probably sound very stupid - but I didn’t set a password there because I thought that was only used to override the default user name and password -,-. I also didn’t use the “confirm each access to this machine option” because I wouldn’t have access to my PC to confirm that access.

Does openSUSE maintain a log of remote desktop logins?

Florisjuh wrote:
> I didn’t set a password there because I thought

live and learn…
when it comes to security, sometimes it is a lot better to read than
think :wink:

> Does openSUSE maintain a log of remote desktop logins?

probably, i don’t know exactly which one but all are in /var/log and
i’d start by looking in /var/log/messages around the suspect date…

depending on the remote desktop application you are using there may be
a /var/log/[directory] with the logs you are looking for… (i don’t
let anything into my machine, so i can’t check)

CAVEAT: [posted via NNTP w/openSUSE 10.3]

What if there were no hypothetical questions?