There are a number of measures you can take to mitigate the risk of running an internet-exposed VNC server.
1. Make absolutely certain you are running the most current version. Older versions, even one x.x.1 older, are known to contain severe security flaws.
2. Ensure you have a strong password.
3. Run your VNC server on a non-standard, high-numbered port. Everyone knows to port-scan on 5800/5900 for open VNC servers. It takes very little time to scan thousands of systems. It is unlikely you will get port scanned if you run a VNC server on, for example, port 59234. Pick some port number you will remember and away you go. It is merely security through obscurity, but security nonetheless.
4. Perform thorough system scans for spyware, malware, etc. The fact that two of you have mentioned being somehow exploited while being connected with the viewer suggests some sort of non-interrupting injection exploit or some completely separate, non-VNC related issue that you just happened to see while using VNC, which seems unlikely. As you have mentioned, the default configuration allows only a single connection, if I recall correctly (this is the case for UltraVNC).
5. If your topology allows, i.e. clients have known/fixed IPs, set up your VNC server to accept connections only from your own known client addresses.
6. Finally, and the best option, is not to expose VNC to the internet at all. Employ a tunneling solution such as SSH or a VPN to encapsulate VNC.

Please keep the list posted on what happens with this issue!

Good luck - and back up your stuff!

Jason

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Diogo
Sent: Tuesday, September 26, 2006 11:59 AM
To: Ritu Sinha; Kumar, Siva; [email protected]
Subject: RE: weird behavior

Hello Ritu,

I'm glad you talked about this issue! I have EXACTLY the same problem! I have to check my VNC version; I think it's previous to 4.1.2. Also, it's the free edition. I also had Kaspersky anti-virus and Outpost firewall.
Also, I have an app called htthost running on my machine and use VNC viewer to connect to the host, which it redirects to 127.0.0.1.

The symptoms of the entry were: the command prompt was opened by "Start->Run->cmd". The user was also trying to execute the app msqrsm.exe directly in the command prompt, which doesn't exist on my machine, nor elsewhere (I googled and couldn't find it!). So, as he/she couldn't get the app, he tried to get it through ftp!!

The weird thing was that I had VNC viewer running, so he couldn't be entering through the VNC app, because I think you can't have more than one user connecting to the server at the same time with the free edition.

One time the user tried, in the same way ("Start->Run->"), to execute a website to download a kind of VNC app!! So by this time I was pretty sure that it wasn't the VNC app that he was using to access my machine!

After this behavior, I upgraded Kaspersky anti-virus and installed the ZoneAlarm Security Suite. I also changed my VNC password to a simple one, just for testing! For a few days, none of this command prompt behavior or anything suspicious was found! But yesterday I really saw someone accessing my PC through VNC; he still had time to move the mouse, shut down an application, and confirm by pressing the "Yes" button to really shut down this app, and then I shut down the VNC server!!

I'm gonna change the VNC server password to a more secure one, but I have no idea how to stop this!! Also, it's not any kind of ad-ware, spyware, or virus, or an unauthorized intrusion, so neither the firewall nor the anti-virus will detect any suspicious behavior!!

Has anyone else found this issue? Do you know how to solve it?

Thank You,

Ritu Sinha <[EMAIL PROTECTED]> wrote:

I know for sure that no one is physically typing those commands on the remote machine. There is a monitor connected and I have a couple of guys watching the screen as I walk them through a demo. The sneak activity is the same each time ...
Start --> Run --> "cmd" -->

Thanks,
Ritu

"Kumar, Siva" wrote:

Does anyone have physical access to the XP box? In Windows the display shown by VNC is the same display shown on the monitor. So if a monitor is connected to the box, all your actions can be seen and the kbd/mouse attached to the box can be used for input.

-siva

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ritu Sinha
Sent: Tuesday, September 26, 2006 10:03 AM
To: [email protected]
Subject: weird behavior

I have VNC server 4.1.2 installed on a remote machine running XP. I have used it for a few months and it has worked great. But recently, whenever I connect to this machine using the VNC Client, after some time, it seems like someone else sneaks in and starts running the command prompt. I have to kill the VNC server to stop any damage. One time, I stayed on long enough to see that an "ftp" command was getting typed on the command prompt. I have set up the server with password authentication.

Has anyone else seen this behavior? Any help or pointers will be greatly appreciated.

--Ritu

_______________________________________________
VNC-List mailing list
[email protected]
To remove yourself from the list visit:
http://www.realvnc.com/mailman/listinfo/vnc-list
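A check that goes with points 5 and 6 of Jason's reply at the top of this thread, added here as an example and not part of the original messages: it parses Windows `netstat -an` output and reports VNC listeners bound to a non-loopback address and established VNC sessions from addresses outside an allow-list. The sample output, the port set, the allow-list and the function names are constructed assumptions.

```python
import ipaddress

# Constructed sample of Windows `netstat -an` output (not taken from the thread).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5901         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:5900        198.51.100.7:50412     ESTABLISHED
  TCP    192.0.2.10:5900        203.0.113.99:41877     ESTABLISHED
  TCP    192.0.2.10:3389        203.0.113.99:41900     ESTABLISHED
"""

# Assumed VNC server ports and a hypothetical allow-list; adjust to your setup.
VNC_PORTS = {5800, 5900, 5901}
ALLOWED_CLIENTS = [ipaddress.ip_network("198.51.100.0/24")]


def split_endpoint(endpoint):
    """Split 'addr:port' or '[v6addr]:port' into (ip_address, port)."""
    host, _, port = endpoint.rpartition(":")
    return ipaddress.ip_address(host.strip("[]")), int(port)


def audit_vnc(netstat_text, vnc_ports=VNC_PORTS, allowed=ALLOWED_CLIENTS):
    """Return (exposed_listeners, unknown_sessions) for the given VNC ports."""
    exposed, unknown = [], []
    for line in netstat_text.splitlines():
        fields = line.split()
        # TCP rows have exactly four columns; headers and UDP rows do not.
        if len(fields) != 4 or fields[0] != "TCP":
            continue
        _, local, remote, state = fields
        local_ip, local_port = split_endpoint(local)
        if local_port not in vnc_ports:
            continue
        if state == "LISTENING" and not local_ip.is_loopback:
            exposed.append(local)      # reachable from the network, not tunnel-only
        elif state == "ESTABLISHED":
            remote_ip, _ = split_endpoint(remote)
            if not any(remote_ip in net for net in allowed):
                unknown.append(remote)  # session from outside the allow-list
    return exposed, unknown


if __name__ == "__main__":
    exposed, unknown = audit_vnc(SAMPLE_NETSTAT)
    print("VNC listeners reachable from the network:", exposed)
    print("VNC sessions from addresses outside the allow-list:", unknown)
```

A listener bound only to 127.0.0.1 is what a tunnel-only setup (point 6) looks like in this output; a second ESTABLISHED row on the VNC port while you are connected is the direct evidence of another session.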
