I was hacked by a VNC user!
Jorge L. Vizcarralagos
jorge "at" icstech.org
Wed Feb 8 15:28:04 2006
Thanks for the info and the response. After doing some checking I
believe my password was set to the word "password". I'm convinced that
the people I was giving the presentation to did not do this simply because I
received the first attempt to log in to my VNC before the demo. I
installed it the morning before work (there was a log in my event viewer
even before the demo that afternoon). I know this doesn't exclude the
possibility of someone I know doing it but if the IP addresses of the
incoming connections are correct it was coming from Paris, France from
an ADSL Internet provider. The one earlier that day (that failed) was
from a Road Runner Account in Herndon, Virginia. I know that brute-force
attacks with a strong password are unlikely but I find it a great example
of what can happen if these things are not taken seriously. The best
part about this incident is that I can prove to my clients that they are
not really wasting their money by taking extra security measures to
protect their network. Overall this incident will help my cause and
perhaps make me a little richer.

I will be sending some messages to my provider and the others I have
found and perhaps something will come of it. Thanks again.
James Weatherall wrote:
> Current VNC Server releases include measures to prevent brute-force attacks
> against servers. These prevent attackers from repeatedly attempting to
> connect to the server, trying to guess at the password, making it
> *extremely* unlikely that the "attacker" in this case tried connecting and
> managed to guess your weak password - it's much more likely that the person
> connecting actually knew what the password would be. Are you sure that they
> weren't simply one of the people that you had previously been demoing to?
>
> We don't advise use of VNC Free Edition across the Internet except via some
> sort of secure tunnelling protocol. VNC Enterprise & Personal Editions have
> in-built session security for this purpose. All current VNC Server releases
> also support querying the local user to accept connections, which is
> advisable if you are concerned that the password you are using is weak or
> widely known.
>
> If you still believe that this was some sort of malicious attack on your
> system then you may wish to contact your ISP to report the fact that their
> users are apparently being scanned for poorly-configured network services.
>
> Wez @ RealVNC Ltd.
>> -----Original Message-----
>> From: vnc-list-admin "at" realvnc.com
>> [mailto:vnc-list-admin "at" realvnc.com] On Behalf Of Jorge Vizcarralagos
>> Sent: 08 February 2006 05:29
>> To: vnc-list "at" realvnc.com
>> Subject: I was hacked by a VNC user!
>> The incident occurred a day after I was giving a lesson on using remote
>> administrative software, including VPNs and other online services. I
>> had installed Real VNC during one of my demos and was actually
>> explaining security measures to take while port forwarding and
>> configuring firewalls. I removed most of the other programs but only
>> closed the VNC server and did not unregister the service.
>>
>> Earlier that day my wife restarted my computer while I was at work and
>> of course the program was active and could be seen in the task bar. I
>> was out late but when I came home and sat down in front of my desk and
>> after my monitor turned on I could see my mouse cursor moving up and
>> down the programs menu on its own.
>>
>> The vnc icon in the task bar indicated an outside connection. I was able
>> to click on a hotkey I have for activating my notepad and typed, "What
>> are you doing Dave?". A second later I hit another hotkey that I have to
>> deactivate my network connection (I use it to stop annoying updates
>> while I'm working). I quickly checked the event viewer to see how long
>> he had been logged in. I feared the worst but was glad to discover I had
>> reached my computer 45 seconds after he had logged in. I have the
>> security logs turned on and it seems nothing was accessed. After
>> checking all of the other typical things I believed I got off
>> easy given my carelessness.
>>
>> However, I did find that there had been several attempts to access my
>> computer in my event viewer. These started soon after I had activated
>> the vnc service. I counted five so far and they all say the following
>> with different IP addresses:
>> -Connection, accepted: 22.214.171.124::47248 The time was
>> The next log said:
>> -Connection, closed: 126.96.36.199::47248 (clean disconnection) The
>> time for this was 10:35:33
>>
>> I'm presuming that this is a log that came from a feature of Real VNC and
>> that the address is the computer trying to establish a connection or
>> someone looking on 5900 ports.
>>
>> It would seem that this type of activity is happening all the time and
>> all it takes is some mistakes on the behalf of the user and a
>> can be vulnerable. I made several mistakes that also caused
>> this to occur:
>> -My screensaver password protection was set to two hours (my wife found
>> it annoying when it was set to 10 minutes and kept nagging me, you
>> married guys know what I'm talking about).
>> -I had a weak password for my VNC Server since I was just doing a demo
>> and I was going to uninstall it right afterwards. I don't even remember
>> what it was.
>>
>> Although I was clearly careless, I don't believe these conditions are
>> uncommon. With people from the US and abroad searching for vulnerable
>> computers this can happen to anyone.
>>
>> The person that got through was probably an amateur since in 45 seconds
>> an expert could completely compromise a system. The person was most
>> likely too excited that he got through to do any real damage.
>>
>> Anyway his IP address is 188.8.131.52::3246 or at least this is what the
>> logs report. It's definitely not my address. I would also, for educational
>> purposes, like to hear from anyone about this subject and please
>> excuse the length of this letter but I will also be using this for
>> educational purposes.
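
Added example, not part of the original messages and not RealVNC code: a small triage script for the "Connection, accepted / closed" event-log lines quoted in the thread. It pairs each accept with its close by `ip::port` and separates short-lived connections from sessions that lasted longer or never closed. The `HH:MM:SS` prefix, the `probe_max` threshold, the `allowed` allowlist and the sample addresses are assumptions made for the example, and all events are assumed to fall on the same day.

```python
import re
from datetime import datetime

# Constructed sample: the "HH:MM:SS " prefix is an assumed export format and the
# addresses are documentation ranges, not the ones reported in the thread.
SAMPLE_LOG = """\
09:12:01 Connection, accepted: 192.0.2.10::47248
09:12:03 Connection, closed: 192.0.2.10::47248 (clean disconnection)
10:35:30 Connection, accepted: 198.51.100.7::51022
10:35:33 Connection, closed: 198.51.100.7::51022 (clean disconnection)
21:40:15 Connection, accepted: 203.0.113.44::3246
21:41:00 Connection, closed: 203.0.113.44::3246 (clean disconnection)
22:05:09 Connection, accepted: 192.0.2.99::40111
"""

EVENT = re.compile(r"^(\d\d:\d\d:\d\d) Connection, (accepted|closed): "
                   r"(\d{1,3}(?:\.\d{1,3}){3})::(\d+)")

def sessions(log_text):
    """Pair accepted/closed events by ip::port -> [(ip, start, seconds)]."""
    open_at, out = {}, []
    for line in log_text.splitlines():
        m = EVENT.match(line.strip())
        if not m:
            continue  # unrelated event-log text
        ts = datetime.strptime(m.group(1), "%H:%M:%S")
        key = (m.group(3), m.group(4))
        if m.group(2) == "accepted":
            open_at[key] = ts
        elif key in open_at:
            start = open_at.pop(key)
            out.append((key[0], f"{start:%H:%M:%S}", int((ts - start).total_seconds())))
    # Accepted but never closed: the session may still be live.
    out += [(ip, f"{start:%H:%M:%S}", None) for (ip, _), start in open_at.items()]
    return out

def triage(log_text, probe_max=5, allowed=frozenset()):
    """Split sessions from non-allowlisted hosts into short probes and the rest."""
    probes, review = [], []
    for ip, start, secs in sessions(log_text):
        if ip in allowed:
            continue
        short = secs is not None and secs <= probe_max
        (probes if short else review).append((ip, start, secs))
    return probes, review

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Anything in the second list from an address you do not recognise is a reason to pull the machine off the network and check what was touched during that window.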