I've been so darn busy lately, I haven't had time to post anything. I even have a very tempting stack of books waiting for my review that I've been neglecting for weeks now. More on that soon hopefully.
In the meantime, I thought I'd share a fun experience I had recently. I've been going through some network changes in my data center (i.e., the closet in my home office). I wanted to upgrade the speed on my DSL line, and that meant I had to move from an old frame circuit to a new ATM circuit. This conversion process meant my line would be down for up to two weeks. Since I host three (admittedly small) websites and mail servers on that line, two weeks of downtime didn't sound very appealing to me.
So, being a resourceful guy, I took Comcast up on their $20/month special for three months of cable modem. Got the cable up, moved my DNS entries over to the cable modem IP address (no port blocking!) and proceeded to begin conversion of my DSL line. So far, so good...
This is all just background so you'll understand what happened next. For months, I've been hosting my web sites on a DSL line and a Linux box running Domino. I also have a failover Windows box running Domino that replicates periodically. So, if I need to do some maintenance on my Linux box, I just change some router entries and the Windows box takes over for a while.
Since there was some expected delay in getting those DNS entries changed from DSL to the cable modem IP, I left the Linux box up on the DSL line's router and put the Windows box on the cable modem's router. That way, both IP addresses would respond properly while routers around the world got the message.
Now, I have had RealVNC running on that Windows box for a year or so. It's password protected and I never had a problem with it. It was still running when I switched over to the cable modem. Now, I only have very specific ports open through the router from the outside: 80, 1352, 25, 110, the basics... Of course, I also had the VNC port open. Within days (possibly hours, I haven't nailed it down) of opening that VNC port on my cable modem, someone hacked it and was playing around on my server. What's worse is that it took me a couple weeks to notice it.
Here's the fun part. The other night, I was standing near my home office door and I heard a 'ding' sound from the computer. As I was coming around the corner walking toward the computer, I looked at a reflection of the monitor and saw a dialog box on the screen. When I came around the corner and looked directly at the screen, the dialog box was gone. What the...? As I sat down to look more closely, I saw the mouse moving! I noticed the VNC icon in the tray was black, meaning it was active, so I right clicked on it and disconnected the user. Then, I immediately closed the VNC port on the router and waited for my pulse to slow.
I did some poking around and found the nice folks playing on my computer had installed an FTP server and had been happily using my bandwidth and disk space to serve files. There were also several backdoor and virus-type things they added for me. Gee, thanks.
I cleaned it up as best I could, and I plan a full reformat and OS reinstall in the near future. So, my lessons?
1. Keep up on security patches. VNC had released an important security update that I hadn't installed. I was only back one level, but it was an important one.
2. Monitor your logs. I had plenty of messages in my event log that would have caught my attention if I'd looked.
3. Beware cable modems. Why was I fine for so long on DSL but got tagged immediately on the cable modem? Packet sniffing? Or just a more popular subnet for mining?
A little security reminder...
Monday, July 3, 2006
Posted by Jim Anderton at 6:06 PM