Jorge, Current VNC Server releases include measures to prevent brute-force attacks against servers. These prevent attackers from repeatedly attempting to connect to the server, trying to guess at the password, making it *extremely* unlikely that the "attacker" in this case tried connecting and managed to guess your weak password - it's much more likely that the person connecting actually knew what the password would be. Are you sure that they weren't simply one of the people that you had previously been demoing to?
We don't advise use of VNC Free Edition across the Internet except via some sort of secure tunnelling protocol. VNC Enterprise & Personal Editions have in-built session security for this purpose. All current VNC Server releases also support querying the local user to accept connections, which is advisable if you are concerned that the password you are using is weak or widely known. If you still believe that this was some sort of malicious attack on your system then you may wish to contact your ISP to report the fact that their users are apparently being scanned for poorly-configured network services. Cheers, Wez @ RealVNC Ltd. > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Jorge Vizcarralagos > Sent: 08 February 2006 05:29 > To: [email protected] > Subject: I was hacked by a VNC user! > > The incident occurred a day after I was giving a lesson on > using remote > administrative software, including VPN's and other online services. I > had installed Real VNC during one of my demos and was actually > explaining security measures to take while port forwarding and > configuring firewalls. I removed most of the other programs > and but only > closed the VNC server and did not unregister the service. > > Earlier that day my wife restarted my computer while I was at > work and > of course the program was active and could be seen in the task bar. I > was out late but when I came home and sat down in front of my > desk and > after my monitor turned on I could see my mouse cursor moving up and > down the programs menu on its own. > > The vnc icon in the task bar indicated an outside connection. > I was able > to click on a hotkey I have for activating my notepad and > typed, "What > are you doing Dave?". A second later I hit another hotkey > that I have to > deactivate my network connection (I use it to stop annoying updates > while I'm working). I quickly checked the event viewer to > see how long > he had been logged in. I feared the worst but was glad to > discover I had > reached my computer 45 seconds after he had logged in. I have the > security logs turned on and it seems nothing was accessed. After > checking all of the other typical things I believed I got off > extremely > easy given my carelessness. > > However, I did find that there had been several attempts to access my > computer in my event viewer. These started soon after I had activated > the vnc service. I counted five so far and they all say the following > with different IP addresess: > > -Connection, accepted: 82.235.206.68::47248 The time was > 10:35:33pm > The next log said: > -Connection, closed: 82.235.206.68::47248 (clean disconneciton) The > time for this was 10:35:33 > > I'm presuming that this is a log came from a feature of Real VNC and > that the address is the computer trying to establish a connection or > someone looking on 5900 ports. > > It would seem that this type of activity is happening all the > time and > all it takes is some mistakes on the behalf of the user and a > computer > can be vulnerable. I made several mistakes that also caused > this to occur: > -My screensaver password protection was set to two hours (my > wife found > it annoying when it was set to 10 minutes and kept nagging me, you > married guys know what I'm talking about). > -I had a weak password for my VNC Server since I was just > doing a demo > and I was going to uninstall it right afterwards. I don't > even remember > what it was. > > Although, I was clearly careless I don't believe these conditions are > uncommon. With people from the US and abroad searching for vulnerable > computers this can happen to anyone. > The person that got through was probably an armature since in > 45 seconds > an expert could completely compromise a system. The person was most > likely too exited that he got through to do any real damage. > Anway his IP address is 201.225.93.93::3246 or at least this > is what the > logs report. It's definitely not my address. I would also, > for education > purposes, would like to hear from anyone about this subject > and please > excuse the length of this letter but I will also be using this for > educational purposes. > _______________________________________________ > VNC-List mailing list > [email protected] > To remove yourself from the list visit: > http://www.realvnc.com/mailman/listinfo/vnc-list _______________________________________________ VNC-List mailing list [email protected] To remove yourself from the list visit: http://www.realvnc.com/mailman/listinfo/vnc-list
