Thanks for the info and the response. After doing some checking I
believe my password was set to the word "password". I'm convinced that
the people I was given the presentation did not do this simply because I
received the first attempt to log in to my VNC before the demo. I
installed it the morning before work (there was a log in my event viewer
even before the demo that afternoon). I know this doesn't exclude the
possibility of some I know doing it but if the IP address of the
incoming connections are correct it was coming from Paris, France from
an ADSL Internet provider. The one earlier that day (that failed) was
from a Road Runner Account in Herndon,Virgina. I know that brute-force
attacks with a strong password is unlikely but I find it a great example
of what can happen if these things are not taken seriously. The best
part about this incident is that I can prove to my clients that they are
not really wasting their money by taking extra security measures to
protect their network. Overall this incident will help my cause and
perhaps make me a little richer.
I will be sending some messages to my provider and the others I have
found and perhaps something will come of it. Thanks again.
James Weatherall wrote:
Jorge,
Current VNC Server releases include measures to prevent brute-force attacks
against servers. These prevent attackers from repeatedly attempting to
connect to the server, trying to guess at the password, making it
*extremely* unlikely that the "attacker" in this case tried connecting and
managed to guess your weak password - it's much more likely that the person
connecting actually knew what the password would be. Are you sure that they
weren't simply one of the people that you had previously been demoing to?
We don't advise use of VNC Free Edition across the Internet except via some
sort of secure tunnelling protocol. VNC Enterprise & Personal Editions have
in-built session security for this purpose. All current VNC Server releases
also support querying the local user to accept connections, which is
advisable if you are concerned that the password you are using is weak or
widely known.
If you still believe that this was some sort of malicious attack on your
system then you may wish to contact your ISP to report the fact that their
users are apparently being scanned for poorly-configured network services.
Cheers,
Wez @ RealVNC Ltd.
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge Vizcarralagos
Sent: 08 February 2006 05:29
To: [email protected]
Subject: I was hacked by a VNC user!
The incident occurred a day after I was giving a lesson on
using remote
administrative software, including VPN's and other online services. I
had installed Real VNC during one of my demos and was actually
explaining security measures to take while port forwarding and
configuring firewalls. I removed most of the other programs
and but only
closed the VNC server and did not unregister the service.
Earlier that day my wife restarted my computer while I was at
work and
of course the program was active and could be seen in the task bar. I
was out late but when I came home and sat down in front of my
desk and
after my monitor turned on I could see my mouse cursor moving up and
down the programs menu on its own.
The vnc icon in the task bar indicated an outside connection.
I was able
to click on a hotkey I have for activating my notepad and
typed, "What
are you doing Dave?". A second later I hit another hotkey
that I have to
deactivate my network connection (I use it to stop annoying updates
while I'm working). I quickly checked the event viewer to
see how long
he had been logged in. I feared the worst but was glad to
discover I had
reached my computer 45 seconds after he had logged in. I have the
security logs turned on and it seems nothing was accessed. After
checking all of the other typical things I believed I got off
extremely
easy given my carelessness.
However, I did find that there had been several attempts to access my
computer in my event viewer. These started soon after I had activated
the vnc service. I counted five so far and they all say the following
with different IP addresess:
-Connection, accepted: 82.235.206.68::47248 The time was
10:35:33pm
The next log said:
-Connection, closed: 82.235.206.68::47248 (clean disconneciton) The
time for this was 10:35:33
I'm presuming that this is a log came from a feature of Real VNC and
that the address is the computer trying to establish a connection or
someone looking on 5900 ports.
It would seem that this type of activity is happening all the
time and
all it takes is some mistakes on the behalf of the user and a
computer
can be vulnerable. I made several mistakes that also caused
this to occur:
-My screensaver password protection was set to two hours (my
wife found
it annoying when it was set to 10 minutes and kept nagging me, you
married guys know what I'm talking about).
-I had a weak password for my VNC Server since I was just
doing a demo
and I was going to uninstall it right afterwards. I don't
even remember
what it was.
Although, I was clearly careless I don't believe these conditions are
uncommon. With people from the US and abroad searching for vulnerable
computers this can happen to anyone.
The person that got through was probably an armature since in
45 seconds
an expert could completely compromise a system. The person was most
likely too exited that he got through to do any real damage.
Anway his IP address is 201.225.93.93::3246 or at least this
is what the
logs report. It's definitely not my address. I would also,
for education
purposes, would like to hear from anyone about this subject
and please
excuse the length of this letter but I will also be using this for
educational purposes.
_______________________________________________
VNC-List mailing list
[email protected]
To remove yourself from the list visit:
http://www.realvnc.com/mailman/listinfo/vnc-list
_______________________________________________
VNC-List mailing list
[email protected]
To remove yourself from the list visit:
http://www.realvnc.com/mailman/listinfo/vnc-list
