Vulnerabilities in network security or How I got hacked

This is what happens when you're lax with security measures. Yes, I got hacked. Thankfully, no permanent damage was done. But let me start from the beginning.

I routinely use UltraVNC (VNC stands for Virtual Network Computing) to remotely access my computers at home from other locations - usually work. It's a quick and convenient way to hop on my network and fix something - even on Tanis' laptop, when she's having a problem! Well, UltraVNC provides an encryption feature that I've always used up until recently. I turned it off when I was using my Mac to access the webserver, because the VNC software I was using didn't support the encryption. Of course, to compensate, I made the password stronger.

I've also been working at setting up a domain at home, and Josh was helping me, so I changed the password to something simple, and then didn't change it back. Well, yesterday I connected to my server to see the screen below:


What you see is a piece of software called Dark Mailer. Even the name suggests a nefarious purpose. According to Wikipedia, it is a piece of software designed for mass emailing "newsletters". You can bet your sweet ass (percream? - for you, Tanis!) it wasn't mailing "newsletters." In any case, the blue text was just scrolling and scrolling. I freaked out. I stopped it right away and started trying to figure out what had happened.

Apparently someone was able to access my computer through my vnc connection (or they were sitting at the computer, which didn't happen). They uninstalled my antivirus, copied the Dark Mailer software from the web onto the desktop, ran the program and loaded a huge text file of email addresses into the program to begin emailing. I caught and stopped the program after it had been running for almost 19 hours, sending 231,746 emails - that's more than 3 emails a second!
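As an added example (not from the original post), here is a small Python detector that would have flagged the kind of outbound burst described above, run over constructed firewall log lines; the log format, the IP addresses and the threshold are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed outbound-connection log lines from a hypothetical home firewall.
# The format is assumed for this example; it is not the author's firewall log.
# 192.168.1.10 plays the compromised server: six SMTP (port 25) connections in
# three seconds. 192.168.1.20 is an ordinary client sending one message.
SAMPLE_LOG = """\
2008-05-12 08:00:01 OUT 192.168.1.10 -> 203.0.113.5:25
2008-05-12 08:00:01 OUT 192.168.1.10 -> 203.0.113.6:25
2008-05-12 08:00:02 OUT 192.168.1.10 -> 203.0.113.7:25
2008-05-12 08:00:02 OUT 192.168.1.10 -> 203.0.113.8:25
2008-05-12 08:00:03 OUT 192.168.1.10 -> 203.0.113.9:25
2008-05-12 08:00:03 OUT 192.168.1.10 -> 203.0.113.10:25
2008-05-12 08:00:05 OUT 192.168.1.20 -> 198.51.100.2:443
2008-05-12 08:00:40 OUT 192.168.1.20 -> 198.51.100.3:25
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) OUT "
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+)$"
)


def smtp_peak_rates(log_text, window_seconds=60):
    """Map each source IP to its highest count of outbound port-25 connections inside any sliding window."""
    stamps_by_src = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("port") != "25":
            continue  # ignore malformed lines and non-SMTP traffic
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        stamps_by_src[m.group("src")].append(ts)

    peaks = {}
    for src, stamps in stamps_by_src.items():
        stamps.sort()
        best = start = 0
        for end in range(len(stamps)):
            # shrink the window from the left until it spans less than window_seconds
            while (stamps[end] - stamps[start]).total_seconds() >= window_seconds:
                start += 1
            best = max(best, end - start + 1)
        peaks[src] = best
    return peaks


def flag_spam_hosts(log_text, max_per_minute=5):
    """Source IPs whose peak one-minute SMTP connection count exceeds max_per_minute."""
    return sorted(src for src, n in smtp_peak_rates(log_text).items() if n > max_per_minute)
```

A desktop that legitimately sends mail through one provider rarely opens more than a handful of SMTP connections a minute, so a low threshold catches a bulk mailer within seconds rather than after 19 hours.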

Once I had stopped the software from sending, which, thankfully, was as simple as clicking "stop," I knew I had to do something. I couldn't leave my computer as it was, because my entire network was vulnerable. I couldn't shut it down because it's set to restart automatically (for when the power goes out). There was one thing I could do - lock down the network so no traffic goes in or out. Using my firewall, I did just that.

Once home from work, I wanted to take a closer look and make sure everything was okay before I opened the network back up.

The main screen of the Dark Mailer software - you can see it had a list of 679,869 emails to send. Also, in the status, you can see that my IP address was being blacklisted from certain domains - I'm guessing based on the amount of data (number of emails) my IP was sending through:


Also open were 2 Firefox windows - one with the webpage where the software was downloaded, one where the email list was downloaded:

Of course, before opening the network up, I reinstalled my antivirus and ran a check. I also used Process Explorer from the Sysinternals Suite to look for any errant processes that were running. No viruses, no processes I didn't recognize. I removed the UltraVNC software, opened the network, and moved the server inside the domain. I only plan on using Microsoft's Remote Desktop Connection from now on.

Thankfully, everything turned out all right - to my knowledge, no other changes were made. I've been carefully monitoring the computer, but I haven't seen any activity that is remotely suspicious.

What I've learned:

  • Dictionary passwords are always bad. Even for a short while. Use strong passwords.
  • There is no reason to leave your server logged into the Administrator account all the time.
  • Use strong passwords!
  • Use encryption!

Be careful, and don't think it won't happen to you - I was lazy and thought I was "okay" - you've always got to be secured!

Edit: I just checked out the website in the Firefox images - it now looks like this:

Looks like I wasn't the only one to get hacked, and someone retaliated (stole my idea!).

5 comments:

  1. Toby says:

    I told you to use "1L0v3T0by" rather than "ILoveToby!" Geez!

  2. Jared says:

    He really did tell me...

    Scroll to the comments.

  3. Anonymous says:

    Cracked, not hacked

  4. sea says:

    This post has been removed by the author.

  5. sea says:

    don't rely on remote desktop for security either. there are tools that can sniff out sessions of rdp as well (see http://www.oxid.it/ and Cain and Abel). best way is to use either rdp or vnc _through_ a vpn tunnel.

    even better, you'd be better off using logmein.com, everything is handled for you (256 bit ssl encryption).