help about "reading version failed: not an RFB server?"
Alex Pelts
alexp "at" broadcom.com
Fri Nov 3 19:28:00 2006
I am not sure on that as he noted that his system is XP, although I
could miss something.
Regards,
Alex
Mick wrote:
> This appears to be a Linux trojan:
>
> http://www.symantec.com/security_response/writeup.jsp?docid=2005-032316-4307-99&tabid=1
>
> Given the types of directories it creates you must have been running X or
> other applications as root and you allowed it to install, or run some
> unchecked binary. If this were my system I would *definitely* reinstall,
> after using shred on the partitions.
>
> Good luck.
>
> On Friday 03 November 2006 18:35, Alex Pelts wrote:
>> This is possibly some spyware or trojan which hides its process from
>> process manager. You can try to use tools from sysinternals.com to
>> discover this process. Also run updated anti-virus software to check if
>> there is any virus.
>> When you run anti-virus disable windows restore because if the file is
>> in one of the windows directories it will be restored right back. You
>> should have your hands full with this one. Don't let it slide though
>> because it may be some key logger of some zombie software.
>>
>>
>> Alex
>>
>> danidani wrote:
>>> PID is 1576 but it doesn't correspond to any PID that is listed in the
>>> Task Manager
>>>
>>> quite strange isn't it?!
>>>
>>>
>>>
>>>
>>> On 11/3/06, *Alex Pelts* <alexp "at" broadcom.com> wrote:
>>>
>>> Under win xp you can run "netstat -a -o". That will give you pid of
>>> process which owns each connection. From there you can run task
>>> manager and find out who opened that connection. On unix there is a
>>> similar facility although switches are different and you need to be root
>>> to do it.
>>>
>>> Regards,
>>> Alex
>>>
>>> danidani wrote:
>>> > GREAT, it works with this trick!!
>>> >
>>> > Now the question is... which program is using port 5900??!
>>> >
>>> >
>>> >
>>> >
>>> > On 11/3/06, John Aldrich <john "at" chattanooga.net> wrote:
>>> >> On Friday 03 November 2006 10:50, danidani wrote:
>>> >>> Doing telnet ipaddress 5900 I obtain:
>>> >>> : Welcome!psyBNC "at" lam3rz.de NOTICE * :psyBNC2.3.1
>>>
>>> >>> running telnet ipaddress 5907 I get
>>> >>>
>>> >>> RFB 003.008
>>> >>>
>>> >>> and that is correct because I changed the port on the vnc server
>>> >>>
>>> >>>
>>> >>> Anyway I don't get access yet.
>>> >>
>>> >> Try adding :7 to the name or IP address of the PC you're attempting to
>>> >> connect to from remote. Or you can put ::5907 after the name/ip address
>>> >> of the PC.
>>>
>>> >> John
>>> >> _______________________________________________
>>> >> VNC-List mailing list
>>> >> VNC-List "at" realvnc.com
>>> >> To remove yourself from the list visit:
>>> >> http://www.realvnc.com/mailman/listinfo/vnc-list
>>>
>>> --
>>> skype: danieleda
>>> msn: scriviadani "at" gmail.com
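The telnet check in this thread, written as a script: an added example, not part of the original messages or of any VNC project's code. It reads the first bytes a service sends and tests them against the 12-byte RFB ProtocolVersion greeting; the function names are hypothetical and the sample banners are constructed from the two greetings quoted in the thread (with the archive's "at" written as @).

```python
import re
import socket

# RFB ProtocolVersion: exactly 12 bytes, "RFB xxx.yyy\n" (RFC 6143, section 7.1.1).
RFB_VERSION = re.compile(rb"RFB (\d{3})\.(\d{3})\n")
# IRC-style server line such as the psyBNC greeting quoted in the thread.
IRC_NOTICE = re.compile(rb":?\s*\S+ NOTICE \S+ :")


def parse_rfb_version(banner: bytes):
    """Return (major, minor) if the first 12 bytes are an RFB greeting, else None."""
    m = RFB_VERSION.fullmatch(banner[:12])
    return (int(m.group(1)), int(m.group(2))) if m else None


def classify_banner(banner: bytes) -> str:
    """Label the first bytes a service sent right after the TCP connect."""
    version = parse_rfb_version(banner)
    if version:
        return "rfb %d.%d" % version
    if not banner:
        return "silent (no greeting before timeout)"
    if IRC_NOTICE.match(banner):
        return "not rfb: IRC-style greeting"
    return "not rfb: unrecognised greeting"


def read_banner(host: str, port: int, timeout: float = 3.0) -> bytes:
    """Connect and return up to 64 bytes the server sends first (may be empty)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            return sock.recv(64)
        except socket.timeout:
            return b""


if __name__ == "__main__":
    # Constructed sample banners, keyed by the ports mentioned in the thread.
    samples = {
        5907: b"RFB 003.008\n",
        5900: b":Welcome!psyBNC@lam3rz.de NOTICE * :psyBNC2.3.1\r\n",
    }
    for port, banner in samples.items():
        print(port, classify_banner(banner))
    # Against a live host you administer: classify_banner(read_banner(host, 5900))
```

A "not rfb" result on a port you expect VNC on is the same condition the viewer reports as "not an RFB server", and it is the cue to look up the owning PID with "netstat -a -o" as described above.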