I was hacked by a VNC user!

Jorge Vizcarralagos jorge "at" icstech.org
Wed Feb 8 05:30:01 2006


The incident occurred a day after I was giving a lesson on using remote 
administrative software, including VPNs and other online services. I 
had installed Real VNC during one of my demos and was actually 
explaining security measures to take while port forwarding and 
configuring firewalls. I removed most of the other programs but only 
closed the VNC server and did not unregister the service.

Earlier that day my wife restarted my computer while I was at work and 
of course the program was active and could be seen in the task bar. I 
was out late, but when I came home, sat down at my desk and my monitor 
turned on, I could see my mouse cursor moving up and down the programs 
menu on its own.

The VNC icon in the task bar indicated an outside connection. I was able 
to click on a hotkey I have for activating my notepad and typed, "What 
are you doing, Dave?" A second later I hit another hotkey that I have to 
deactivate my network connection (I use it to stop annoying updates 
while I'm working). I quickly checked the event viewer to see how long 
he had been logged in. I feared the worst but was glad to discover I had 
reached my computer 45 seconds after he had logged in. I have the 
security logs turned on and it seems nothing was accessed. After 
checking all of the other typical things I believed I got off extremely 
easy given my carelessness.

However, I did find that there had been several attempts to access my 
computer in my event viewer. These started soon after I had activated 
the VNC service. I counted five so far and they all say the following 
with different IP addresses:

-Connection, accepted: 82.235.206.68::47248     The time was 10:35:33pm
The next log said:
-Connection, closed: 82.235.206.68::47248 (clean disconnection)  The 
time for this was 10:35:33

I'm presuming that this log came from a feature of Real VNC and 
that the address is the computer trying to establish a connection or 
someone looking for open port 5900.

It would seem that this type of activity is happening all the time and 
all it takes is some mistakes on the part of the user and a computer 
can be vulnerable. I made several mistakes that also caused this to occur:
-My screensaver password protection was set to two hours (my wife found 
it annoying when it was set to 10 minutes and kept nagging me, you 
married guys know what I'm talking about). 
-I had a weak password for my VNC Server since I was just doing a demo 
and I was going to uninstall it right afterwards. I don't even remember 
what it was.

Although I was clearly careless, I don't believe these conditions are 
uncommon. With people from the US and abroad searching for vulnerable 
computers this can happen to anyone.
The person that got through was probably an amateur since in 45 seconds 
an expert could completely compromise a system. The person was most 
likely too excited that he got through to do any real damage. 
Anyway, his IP address is 201.225.93.93::3246 or at least this is what the 
logs report. It's definitely not my address. I would also, for educational 
purposes, like to hear from anyone about this subject, and please 
excuse the length of this letter, but I will also be using this for 
educational purposes.
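A small defender-side parser for log entries in the shape quoted in the message above ("Connection, accepted: IP::port" / "Connection, closed: IP::port"), added here as an illustration and not part of the original post or of Real VNC itself. The timestamp prefix, the sample lines and the source addresses (RFC 5737 documentation ranges) are constructed assumptions, since the post shows only the body of each line; the idea is to count accepts per source and pair each accept with its close so that a connection that stayed open for a while stands out from the scanner hits that close in the same second.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample log (assumed "YYYY-MM-DD HH:MM:SS" prefix; addresses are
# RFC 5737 documentation ranges, not the ones reported in the post).
SAMPLE_LOG = """\
2006-02-07 22:35:33 Connection, accepted: 192.0.2.10::47248
2006-02-07 22:35:33 Connection, closed: 192.0.2.10::47248 (clean disconnection)
2006-02-07 22:41:02 Connection, accepted: 198.51.100.7::3246
2006-02-07 22:41:47 Connection, closed: 198.51.100.7::3246 (clean disconnection)
2006-02-07 23:02:11 Connection, accepted: 192.0.2.10::47301
2006-02-07 23:02:11 Connection, closed: 192.0.2.10::47301 (clean disconnection)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) Connection, "
    r"(?P<event>accepted|closed): (?P<ip>\d{1,3}(?:\.\d{1,3}){3})::(?P<port>\d+)"
)

def parse_events(text):
    """Turn matching log lines into (timestamp, event, ip, port) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["event"], m["ip"], int(m["port"])))
    return events

def summarise(events, long_session_seconds=5):
    """Count accepted connections per source IP, pair each accept with the
    close for the same ip::port, and flag sessions that lasted longer than
    the threshold (an accept that closes instantly looks like a probe or a
    failed login; a session that stays open is the one to investigate)."""
    attempts = Counter()
    open_conns = {}
    sessions = []
    for ts, event, ip, port in events:
        key = (ip, port)
        if event == "accepted":
            attempts[ip] += 1
            open_conns[key] = ts
        elif key in open_conns:
            seconds = (ts - open_conns.pop(key)).total_seconds()
            sessions.append((ip, port, seconds))
    flagged = [s for s in sessions if s[2] >= long_session_seconds]
    return {"attempts": dict(attempts), "sessions": sessions, "flagged": flagged}

if __name__ == "__main__":
    report = summarise(parse_events(SAMPLE_LOG))
    print("accepts per source:", report["attempts"])
    for ip, port, seconds in report["flagged"]:
        print(f"review: {ip}::{port} stayed connected for {seconds:.0f}s")
```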