The incident occurred a day after I was giving a lesson on using remote
administrative software, including VPN's and other online services. I
had installed Real VNC during one of my demos and was actually
explaining security measures to take while port forwarding and
configuring firewalls. I removed most of the other programs and but only
closed the VNC server and did not unregister the service.
Earlier that day my wife restarted my computer while I was at work and
of course the program was active and could be seen in the task bar. I
was out late but when I came home and sat down in front of my desk and
after my monitor turned on I could see my mouse cursor moving up and
down the programs menu on its own.
The vnc icon in the task bar indicated an outside connection. I was able
to click on a hotkey I have for activating my notepad and typed, "What
are you doing Dave?". A second later I hit another hotkey that I have to
deactivate my network connection (I use it to stop annoying updates
while I'm working). I quickly checked the event viewer to see how long
he had been logged in. I feared the worst but was glad to discover I had
reached my computer 45 seconds after he had logged in. I have the
security logs turned on and it seems nothing was accessed. After
checking all of the other typical things I believed I got off extremely
easy given my carelessness.
However, I did find that there had been several attempts to access my
computer in my event viewer. These started soon after I had activated
the vnc service. I counted five so far and they all say the following
with different IP addresess:
-Connection, accepted: 82.235.206.68::47248 The time was 10:35:33pm
The next log said:
-Connection, closed: 82.235.206.68::47248 (clean disconneciton) The
time for this was 10:35:33
I'm presuming that this is a log came from a feature of Real VNC and
that the address is the computer trying to establish a connection or
someone looking on 5900 ports.
It would seem that this type of activity is happening all the time and
all it takes is some mistakes on the behalf of the user and a computer
can be vulnerable. I made several mistakes that also caused this to occur:
-My screensaver password protection was set to two hours (my wife found
it annoying when it was set to 10 minutes and kept nagging me, you
married guys know what I'm talking about).
-I had a weak password for my VNC Server since I was just doing a demo
and I was going to uninstall it right afterwards. I don't even remember
what it was.
Although, I was clearly careless I don't believe these conditions are
uncommon. With people from the US and abroad searching for vulnerable
computers this can happen to anyone.
The person that got through was probably an armature since in 45 seconds
an expert could completely compromise a system. The person was most
likely too exited that he got through to do any real damage.
Anway his IP address is 201.225.93.93::3246 or at least this is what the
logs report. It's definitely not my address. I would also, for education
purposes, would like to hear from anyone about this subject and please
excuse the length of this letter but I will also be using this for
educational purposes.
_______________________________________________
VNC-List mailing list
[email protected]
To remove yourself from the list visit:
http://www.realvnc.com/mailman/listinfo/vnc-list
