On Wed Sep 27, 2006 at 02:29:10AM -0700, Diogo wrote:
> Hi everyone!
>
> I have the 4.1.1 version, and from what I read, it is very possible to
> connect to a vnc server without knowing the server password! The
> exploit code is everywhere by searching google with "vnc exploit
> code"! But if this was my problem, does anyone know how a person can
> modify my vnc server code? How can I find out that my code is really
> altered?
>
The server code doesn't need altering at all - a modified client is
what's needed (it basically just requests a null authentication method
and the 4.1.1 server accepts this).
> So probably 4.1.2 solves this kind of security problem.
>
If your problem _is_ connections over VNC, then 4.1.2 will fix this. Of
course, as mentioned by others, it's probably too late for your system -
any applications could have been installed while it was accessed.
> Another advice, I use VNC server at home, and have an app called
> htthost. This htthost redirects the incoming connections to the
> localhost (127.0.0.1). So when I use the vnc viewer I'm using another
> app called httport. httport redirects a local port to an external
> port!
>
> So in httport I just say that that is a htthost (my home ip, with port
> 80 and a password) and then I defined that any connections to for
> example local port 5900 and localhost should be redirected to external
> port 5900 and also localhost.
>
> This allows me to connect vnc viewer to my vnc server always with ip
> 127.0.0.1
>
> So I can change vnc server settings and only allow connections from
> 127.0.0.1. This way I'm pretty sure that no one can connect to the
> server without passing through htthost (which so far doesn't have any
> security flaws)!
>
Yes, this'll provide both an extra level of authentication and also
encryption on the data stream, preventing any snooping on the VNC
traffic.
Cheers,
Robin
--
___
( ' } | Robin Hill <[EMAIL PROTECTED]> |
/ / ) | Little Jim says .... |
// !! | "He fallen in de water !!" |
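
The server-side check that the reply above says was missing in 4.1.1, shown as an added example (not part of the original message and not RealVNC's source code). It is a simplified model of the RFB security-type negotiation and assumes the flaw is that the server acted on the client's chosen type without comparing it to the types it had offered; all function names are hypothetical.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <vector>

// RFB security-type numbers from the protocol specification.
constexpr std::uint8_t kSecNone = 1;     // no authentication
constexpr std::uint8_t kSecVncAuth = 2;  // password challenge-response

enum class Next { Reject, SkipAuth, RunVncAuth };

// Server -> client: one count byte, then one byte per offered type.
std::vector<std::uint8_t> offer_message(const std::vector<std::uint8_t>& offered) {
    std::vector<std::uint8_t> msg{static_cast<std::uint8_t>(offered.size())};
    msg.insert(msg.end(), offered.begin(), offered.end());
    return msg;
}

// Maps a security-type byte to the next handshake step.
Next dispatch(std::uint8_t chosen) {
    switch (chosen) {
        case kSecNone:    return Next::SkipAuth;
        case kSecVncAuth: return Next::RunVncAuth;
        default:          return Next::Reject;
    }
}

// Flawed model (assumed 4.1.1 behaviour): the client's one-byte reply is
// trusted, so type 1 skips the password even when it was never offered.
Next select_unchecked(const std::vector<std::uint8_t>&, std::uint8_t chosen) {
    return dispatch(chosen);
}

// Hardened model: the reply must be one of the types this server offered.
Next select_checked(const std::vector<std::uint8_t>& offered, std::uint8_t chosen) {
    if (std::find(offered.begin(), offered.end(), chosen) == offered.end())
        return Next::Reject;  // a compliant client never sends this
    return dispatch(chosen);
}

int main() {
    // Constructed case: a password-protected server offers only type 2,
    // and the client's reply byte is 1.
    const std::vector<std::uint8_t> offered{kSecVncAuth};
    std::printf("unchecked skips auth: %d\n",
                select_unchecked(offered, kSecNone) == Next::SkipAuth);
    std::printf("checked rejects:      %d\n",
                select_checked(offered, kSecNone) == Next::Reject);
    return 0;
}
```

A reply naming a type the server never offered is also worth logging on the server side, since a compliant viewer does not produce it.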