Hi all, Thanks to Jason, Robin, Diogo and all others for the useful pointers.
Today I checked the VNC server where we experienced the issue ... it was still running version 4.1.1! I have updated it on some machines to 4.1.2 ... apparently, I missed this one.

I also checked the application logs on this machine. The IP address that the attack seemed to originate from had the same first 2 octets as the VNC server's IP address. Some people suggested that the IP address probably does not mean much since the attacker could have spoofed it.

If we are on a public network (not on VPN), does anyone think that the paid versions of VNC would be any more secure than the free one? I'll try to set it up over SSH.

--Ritu

Diogo <[EMAIL PROTECTED]> wrote:

Hi everyone!

I have the 4.1.1 version, and from what I read, it is very possible to connect to a VNC server without knowing the server password! The exploit code is everywhere by searching Google with "vnc exploit code"! But if this was my problem, does anyone know how a person can modify my VNC server code? How can I find out whether my code is really altered?

So probably 4.1.2 solves this kind of security problem. Also Ritu, are you really sure that you have 4.1.2 instead of 4.1.1? Because I'm hoping that 4.1.2 will solve this issue!

Another piece of advice: I use VNC server at home, and have an app called htthost. This htthost redirects the incoming connections to the localhost (127.0.0.1). So when I use the VNC viewer I'm using another app called httport. httport redirects a local port to an external port! So in httport I just say that there is an htthost (my home IP, with port 80 and a password) and then I define that any connections to, for example, local port 5900 and localhost should be redirected to external port 5900 and also localhost. This allows me to connect the VNC viewer to my VNC server always with IP 127.0.0.1. So I can change the VNC server settings to only allow connections from 127.0.0.1.
This way I'm pretty sure that no one can connect to the server without passing through htthost (which so far doesn't have any security flaws)!

Thank You,
Diogo.

Jason McClellan wrote:

There are a number of measures you can take to mitigate the risk of running an internet-exposed VNC server.

1. Make absolutely certain you are running the most current version. Older versions, even one x.x.1 older, are known to contain severe security flaws.

2. Ensure you have a strong password.

3. Run your VNC server on a non-standard high numbered port. Everyone knows to port-scan on 5800/5900 for open VNC servers. It takes very little time to scan thousands of systems. It is unlikely you will get port scanned if you run a VNC server on, for example, port 59234. Pick some port number you will remember and away you go. It is merely security through obscurity, but security nonetheless.

4. Perform thorough system scans for spyware, malware etc. The fact that two of you have mentioned being somehow exploited while being connected with the viewer suggests some sort of non-interrupting injection exploit or some completely separate, non-VNC related issue that you just happened to see while using VNC, which seems unlikely. As you have mentioned, the default configuration allows only a single connection if I recall correctly (this is the case for UltraVNC).

5. If your topology allows, i.e. clients have known/fixed IPs, set up your VNC server to accept connections only from your own known client addresses.

6. Finally, and the best option, is not to expose VNC to the internet at all. Employ a tunneling solution such as SSH or a VPN to encapsulate VNC.

Please keep the list posted on what happens with this issue!

Good luck - and back up your stuff!
Jason

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Diogo
Sent: Tuesday, September 26, 2006 11:59 AM
To: Ritu Sinha; Kumar, Siva; [email protected]
Subject: RE: weird behavior

Hello Ritu,

I'm glad you talked about this issue! I have EXACTLY the same problem!

I have to check my VNC version, I think it's previous to 4.1.2. Also, it's the free edition. I also had Kaspersky anti-virus and Outpost firewall. Also, I have an app called htthost running on my machine and use the VNC viewer to connect to the host, which redirects to 127.0.0.1.

The symptoms of the intrusion were: a command prompt was opened by "Start->Run->cmd". The user was also trying to execute the app msqrsm.exe directly in the command prompt, which doesn't exist on my machine, nor elsewhere (I googled and couldn't find it!). So as he/she couldn't get the app, he tried to get it through ftp!!

The weird thing was that I had the VNC viewer running, so he couldn't be entering through the VNC app, because I think you can't have more than one user connecting to the server at the same time with the free edition.

One time the user tried the same way, "Start->Run->", to open a website to download a kind of VNC app!! So by this time I was pretty sure that it wasn't the VNC app that he was using for accessing my machine!

After this behavior, I upgraded Kaspersky anti-virus, and installed the ZoneAlarm Security Suite. I also changed my VNC password to a simple one, just for testing! For a few days none of this command prompt behavior or anything suspicious was found!

But yesterday I really saw someone accessing my PC through VNC. He still had time to move the mouse, shut down an application, confirm by pressing the "Yes" button to really shut down this app, and then I shut down the VNC server!!

I'm going to change the VNC server password to a more secure one, but I have no idea how to stop this!!
Also, it's not any kind of adware, spyware, or virus, or an unauthorized intrusion, so neither the firewall nor the anti-virus will detect any suspicious behavior!!

Has anyone else found this issue? Do you know how to solve it?

Thank You,

Ritu Sinha wrote:

I know for sure that no one is physically typing those commands on the remote machine. There is a monitor connected and I have a couple of guys watching the screen as I walk them through a demo. The sneak activity is the same each time ... Start --> Run --> "cmd" -->

Thanks,
Ritu

"Kumar, Siva" wrote:

Does anyone have physical access to the XP box? In Windows the display shown by VNC is the same display shown on the monitor. So if a monitor is connected to the box, all your actions can be seen and the kbd/mouse attached to the box can be used for input.

-siva

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ritu Sinha
Sent: Tuesday, September 26, 2006 10:03 AM
To: [email protected]
Subject: weird behavior

I have VNC server 4.1.2 installed on a remote machine running XP. I have used it for a few months and it has worked great. But recently, whenever I connect to this machine using the VNC Client, after some time, it seems like someone else sneaks in and starts running the command prompt. I have to kill the VNC server to stop any damage. One time, I stayed on long enough to see that an "ftp" command was getting typed on the command prompt.

I have set up the server with password authentication.

Has anyone else seen this behavior? Any help or pointers will be greatly appreciated.

--Ritu
_______________________________________________ VNC-List mailing list [email protected] To remove yourself from the list visit: http://www.realvnc.com/mailman/listinfo/vnc-list
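One way to verify Jason's points 5 and 6 and Diogo's 127.0.0.1-only setup after making the change, as an added example that is not part of the original thread: it connects to each of the host's own addresses and reports whether a VNC (RFB) server greets on anything other than loopback. The function names and status labels are assumptions of this example; port 5900 is the default mentioned in the thread.

```python
import ipaddress
import socket

BANNER_LEN = 12  # an RFB server greets with exactly 12 bytes: b"RFB xxx.yyy\n"


def probe_rfb(host, port=5900, timeout=3.0):
    """Return the RFB protocol version (e.g. '003.008') if host:port greets
    like a VNC server, or None if the port is closed, filtered or silent."""
    data = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            while len(data) < BANNER_LEN:
                chunk = s.recv(BANNER_LEN - len(data))
                if not chunk:  # peer closed, e.g. rejected by a host filter
                    break
                data += chunk
    except OSError:  # refused, unreachable or timed out
        return None
    if len(data) == BANNER_LEN and data[:4] == b"RFB " and data[-1:] == b"\n":
        return data[4:11].decode("ascii", "replace")
    return None


def audit(addresses, port=5900, probe=probe_rfb):
    """Classify each address as 'closed', 'ok-loopback' or 'EXPOSED'."""
    report = {}
    for addr in addresses:
        version = probe(addr, port)
        if version is None:
            report[addr] = "closed"
        elif ipaddress.ip_address(addr).is_loopback:
            report[addr] = "ok-loopback"  # expected when VNC is tunnelled
        else:
            report[addr] = "EXPOSED"  # VNC answers outside the tunnel
    return report


def local_addresses():
    """Loopback plus the IPv4 addresses this host's name resolves to."""
    found = {"127.0.0.1"}
    try:
        for info in socket.getaddrinfo(socket.gethostname(), None, socket.AF_INET):
            found.add(info[4][0])
    except OSError:
        pass  # name does not resolve; loopback alone is still checked
    return sorted(found)


if __name__ == "__main__":
    for addr, status in audit(local_addresses()).items():
        print(f"{addr:15} port 5900: {status}")
```

Run on the server itself, this exercises the VNC server's own listening address and host filter. A firewall in front of the machine is only tested by running it from a second host against the server's address.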
