Someone just remotely entered my computer and started googling for things. How?

The intruder started opening windows and in Firefox opened the search prompt and started typing in some commands I didn't capture.

Then he opened Google and searched for:

&fs:ik &del ik &svcnost.exe &exit

What is this command?

How did someone get into my machine? In Windows this has never happened and this feels like a huge breach of security of my personal PC.

I've already gone ahead and disabled remote desktop, but when it was enabled it clearly mentioned:

[screenshot]

So does this mean that ANYBODY could have entered and messed with the machine? I set the option to notify me when someone entered, otherwise I wouldn't have been the wiser.


Solution 1:

They got access because you had Remote Desktop enabled for some reason. You could do similar under Windows.

For security, no matter what OS you are running, do not allow incoming connections unless you know how to secure them, and then only allow unprivileged usage limited to only those functions you need remote users to have.

svchost.exe is associated with a number of threats so your intruder may have been looking at popping it onto your machine. Of course it is a Windows executable so that wouldn't have impacted you on this Ubuntu box.

Solution 2:

As you can see from your screenshot, you have explicitly allowed unconfirmed, passwordless login. All desktop sharing is disabled by default, and if you enable it, you must confirm each connection. As you unmarked the confirmation box, you granted access for all.

Security measures only work when they are enabled. The same would have happened if you granted access for all on a Windows box.
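
A way to check for the configuration the second answer describes, as an added example that is not part of the original answers. It assumes Desktop Sharing is provided by Vino, whose settings are stored in the `org.gnome.Vino` gsettings schema; the sample settings are constructed.

```shell
# Added example (not from the original answers). Assumption: Desktop Sharing
# is provided by Vino, whose settings live in the org.gnome.Vino schema.
# audit_vino reads lines in `gsettings list-recursively org.gnome.Vino`
# format on stdin, prints findings, and returns non-zero if any are weak.
audit_vino() {
    no_prompt=0; no_auth=0; weak=0
    while read -r schema key value; do
        [ "$schema" = "org.gnome.Vino" ] || continue
        case "$key $value" in
            "prompt-enabled false")
                no_prompt=1; weak=$((weak + 1))
                echo "WEAK: connections are accepted without confirmation" ;;
            "authentication-methods ['none']")
                no_auth=1; weak=$((weak + 1))
                echo "WEAK: no password is required" ;;
            "require-encryption false")
                weak=$((weak + 1))
                echo "WEAK: the session is not encrypted" ;;
            "use-upnp true")
                weak=$((weak + 1))
                echo "WEAK: the router is asked to forward the port (UPnP)" ;;
            "view-only false")
                echo "NOTE: remote users can control keyboard and mouse" ;;
        esac
    done
    if [ "$no_prompt" -eq 1 ] && [ "$no_auth" -eq 1 ]; then
        echo "CRITICAL: anyone who can reach the port gets the desktop"
    fi
    [ "$weak" -eq 0 ]
}

# Constructed sample: the configuration described in the second answer.
SAMPLE_OPEN="org.gnome.Vino prompt-enabled false
org.gnome.Vino authentication-methods ['none']
org.gnome.Vino require-encryption true
org.gnome.Vino view-only false
org.gnome.Vino use-upnp true
org.gnome.Vino notify-on-connect true"

# Constructed sample: confirmation and password both required.
SAMPLE_LOCKED="org.gnome.Vino prompt-enabled true
org.gnome.Vino authentication-methods ['vnc']
org.gnome.Vino require-encryption true
org.gnome.Vino view-only true
org.gnome.Vino use-upnp false"

printf '%s\n' "$SAMPLE_OPEN" | audit_vino || echo "=> tighten or disable sharing"
```

On a machine that uses Vino, pipe the output of `gsettings list-recursively org.gnome.Vino` into `audit_vino` instead of the sample.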