  Dennis Premium,Mod join:2001-01-26 Algonquin, IL
·AT&T Yahoo
VNC...I got spanked
I set up VNC today to run so I could access my email while out of town, and not 15 minutes afterwards I saw my mouse start moving and a DOS window pop up.
I yanked my network cable, and then shut down my modem. This is what I found (I've added spaces to make sure it's not accidentally executed):
Found gefgl in my windows/system32....a nice file called a.exe, iaxcfg32.dll, and a run command in the registry linked to a.exe called MSMSGR....hell, it even added itself to the list of allowed programs in Windows Firewall.
Here's a link to a good breakdown; I saw the same kind of output in Ethereal that he saw »endellion.me.uk/virus/htndhoohexe
My Ethereal captures, shortly thereafter I renamed all the exe files and deleted the registry bits....
Guess I should be happy I noticed it before I left tomorrow and couldn't have done anything.
-- My Blog. Because I desperately need the acknowledgement of others.
Mainegirl and my Beer Review's
We had a baby!
SnowyOne Premium join:2003-04-05 Kailua, HI | 15 minutes has to be a record time. Have you checked the cmd run history?
jp10558 Premium join:2005-06-24 Willseyville, NY | reply to Dennis This is why you run VNC over a VPN or SSH tunnel.
  Elite
join:2002-10-03 Orange, CT | reply to Dennis Which VNC app were you running (RealVNC, UltraVNC, TightVNC) and which version of the given app? -- AMD, because it's just better.
  Dennis Premium,Mod join:2001-01-26 Algonquin, IL
·AT&T Yahoo
1 edit | RealVNC 4.1...in service mode. In hindsight, using the default port was a mistake, but the whole "bypass the password" thing really caught me off guard. I mean less than 15 minutes....10 really. Took them milliseconds...I just happened to be in front of the computer, thank god.
Yes, I checked the cmd history, that's how I got the syntax I did...plus, let's be honest, you can't run VNC service mode in l2tp/vpn/ssh mode all the time. I really had only intended it to be active while I was connecting (wife turning it on and off).
  NetFixer Freedom is NOT Free Premium join:2004-06-24 Murfreesboro, TN
·AT&T Southeast
·Vonage
·Cingular Wireless
·AT&T CallVantage
4 edits | said by Dennis :Real VNC 4.1...in service mode. In hindsight, using the default port was a mistake, but the whole "bypass the password" thing really caught me off guard. I mean less than 15 minutes....10 really. Took them milliseconds...I just happened to be in front of the computer thank god. If you are using RealVNC free edition make sure it is version 4.1.2. Some earlier versions did indeed have a security vulnerability which would allow access without using a password, even if one was configured. The RealVNC web site only says "A security vulnerability was discovered.", but that is a reference to the password bypass vulnerability. Just Google "RealVNC password vulnerability" for some details if you are interested.
EDIT: FWIW, when this vulnerability was first discovered last year even networking giants like Cisco were caught with their pants down. -- We can never have enough of nature. We need to witness our own limits transgressed, and some life pasturing freely where we never wander. Test your firewall.
  Elite
join:2002-10-03 Orange, CT
·Optimum Online
reply to Dennis If by 4.1 you mean 4.1.0, then yeah, I'm not really surprised.
Exploit code surfaced in May of 2006 that bypasses the password authentication in RealVNC 4.1.0 and 4.1.1. As stated above, you should be using 4.1.2 as the vulnerability has been fixed in this version. -- AMD, because it's just better.
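The password bypass the two posts above describe came down to a negotiation check: the affected server ran whatever security type the client picked, even one it had never offered, and 4.1.2 rejects such a pick. Below is an added Python example (not RealVNC code or anything posted in this thread) of the RFB 3.8 security-type exchange with that server-side check, plus an audit helper a defender can run over captured handshakes; the message layouts follow the RFB 3.8 protocol and the byte strings are constructed here.

```python
"""RFB 3.8 security-type negotiation with the server-side check that the
fixed RealVNC 4.1.2 enforces: the client's pick must be one the server
offered. Constructed example, not RealVNC's code."""

SEC_INVALID, SEC_NONE, SEC_VNC_AUTH = 0, 1, 2   # RFB security-type values


def parse_version(banner: bytes) -> tuple:
    """Parse the 12-byte ProtocolVersion message, e.g. b'RFB 003.008\\n'."""
    if (len(banner) != 12 or banner[:4] != b"RFB " or banner[7:8] != b"."
            or banner[11:12] != b"\n"):
        raise ValueError("not an RFB ProtocolVersion message")
    return int(banner[4:7]), int(banner[8:11])


def security_types_msg(offered) -> bytes:
    """Server -> client in RFB 3.8: number-of-types byte, then the types."""
    return bytes([len(offered)]) + bytes(offered)


def parse_security_types(msg: bytes) -> list:
    """Client-side view of the server's offer; zero types means 'refused'."""
    count = msg[0]
    if count == 0:
        raise ValueError("server refused connection (zero security types)")
    return list(msg[1:1 + count])


def choose_security_type(offered, client_pick: int):
    """Hardened server side: honour the pick only if it was actually offered.
    Anything else is a protocol violation and the connection is dropped
    (returns None) instead of silently running the client's choice."""
    return client_pick if client_pick in offered else None


def audit_negotiation(server_msg: bytes, client_msg: bytes) -> str:
    """Detection helper for captured traffic: classify one negotiation,
    flagging a client pick the server never offered (the bypass pattern)."""
    offered = parse_security_types(server_msg)
    pick = client_msg[0]
    if pick not in offered:
        return f"ALERT: client selected type {pick} not among offered {offered}"
    if pick == SEC_NONE:
        return "WARN: server is configured with no authentication"
    return f"OK: negotiated type {pick}"


if __name__ == "__main__":
    # Constructed capture: a password-protected server offers VNC Auth only.
    srv = security_types_msg([SEC_VNC_AUTH])
    print(audit_negotiation(srv, bytes([SEC_VNC_AUTH])))   # OK
    print(audit_negotiation(srv, bytes([SEC_NONE])))       # ALERT
```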
  Dennis Premium,Mod join:2001-01-26 Algonquin, IL
·AT&T Yahoo
reply to NetFixer | said by NetFixer: If you are using RealVNC free edition make sure it is version 4.1.2. Some earlier versions did indeed have a security vulnerability which would allow access without using a password, even if one was configured.
Well poop, no wonder. I was racking my brain as to how this happened to me so quickly (literally only about 10 minutes) but another machine I had set up a few months ago was fine. Since I usually only use this machine as a viewer, the RealVNC version was only 4.1.0.
I'm now on 4.1.2, with a different default port, and some other precautions in place. Thanks for pointing out that bug, I had no idea.
I'm no security newbie, but it blows my mind how fast I got exploited. -- My Blog. Because I desperately need the acknowledgement of others.
Mainegirl and my Beer Review's
We had a baby!
  SoonerAl Old Enough To Know Better Premium,MVM join:2002-07-23 Norman, OK
3 edits | reply to Dennis said by Dennis: ...plus, let's be honest, you can't run VNC service mode in l2tp/vpn/ssh mode all the time. I really had only intended it to be active while I was connecting (wife turning it on and off). Why not?
I always have an SSH server (or sometimes a VPN server for testing) running (currently on a Vista Ultimate desktop) protected by a private/public key pair and strong password for authentication versus a password only (strong or otherwise).
In my case I run Remote Desktop (RDP), versus VNC, through the SSH tunnel. One port open on my router to access multiple PCs with RDP or web surfing/email through the SSH tunnel...
»theillustratednetwork.mvps.org/S···ser.html
Here are some links in case you're interested in setting up an SSH server. I recommend copSSH, which is a nice Windows installer package for OpenSSH/OpenSSL/cygwin. It's updated as those are updated. I also use Tunnelier as my SSH client of choice.
»www.itefix.no/phpws/index.php?mo···on=22:22 »www.bitvise.com/tunnelier.html
»theillustratednetwork.mvps.org/S···sta.html »theillustratednetwork.mvps.org/S···ier.html -- "When all else fails, read the instructions..."
  Dennis Premium,Mod join:2001-01-26 Algonquin, IL
·AT&T Yahoo
Guess I was a little too quick to dismiss it, honestly. For this exact moment, though, the time it would take to set that up would be a detriment for me. I just threw up VNC because I've worked with it and knew I could do a port forward in a few minutes.
Good point though, it's just that I don't often need to get into my main machine (not a big road warrior) and honestly, if it wasn't for the massive amounts of spam I get, I wouldn't even bother. But while I'm traveling, Outlook Express is just too hard to handle.
But my main point is, yes, you're right. It could be done. -- My Blog. Because I desperately need the acknowledgement of others.
Mainegirl and my Beer Review's
We had a baby!
jp10558 Premium join:2005-06-24 Willseyville, NY | reply to Dennis I just use Hamachi, simple + quick VPN.
Maxo Your tax dollars at work. Premium,VIP join:2002-11-04 Tallahassee, FL | reply to Dennis Another security measure you may want to look at is creating a user account with absolutely no access except to do the small amount of things you want to do (like only run Outlook or Thunderbird in this case) and log in as that before you leave.
 MagnusM Premium join:2001-07-07
reply to Dennis This is why you should always run services such as VNC or SSH on non-standard ports -- it will prevent 99% of all automated exploits from working.
(Of course, in this case the root cause seems to have been using an older version with known vulnerabilities, but the above principle still applies.) -- Mischel Internet Security http://www.misec.net
bbarrera Premium,MVM join:2000-10-23 Sacramento, CA
·SureWest Internet
said by MagnusM: This is why you should always run services such as VNC or SSH on non-standard ports -- it will prevent 99% of all automated exploits from working.
My advice is always connect to remote services over a properly configured VPN tunnel -- for example IPSec or SSH (public key auth with no password login). Then you don't need to worry about running on a non-standard port.
 MagnusM Premium join:2001-07-07
said by bbarrera: My advice is always connect to remote services over a properly configured VPN tunnel -- for example IPSec or SSH (public key auth with no password login). Then you don't need to worry about running on a non-standard port.
I'd still recommend running the SSH server on a non-standard port in case an SSH exploit shows up in the wild. -- Mischel Internet Security http://www.misec.net
  SoonerAl Old Enough To Know Better Premium,MVM join:2002-07-23 Norman, OK
1 edit | [screenshots: PuTTY configuration, IE configuration]
said by MagnusM: said by bbarrera: My advice is always connect to remote services over a properly configured VPN tunnel -- for example IPSec or SSH (public key auth with no password login). Then you don't need to worry about running on a non-standard port. I'd still recommend running the SSH server on a non-standard port in case an SSH exploit shows up in the wild.
I usually run SSH on TCP Port 443. As I noted earlier, I also use a private/public key pair protected by a strong password versus a password for authentication. Here are the copSSH, PuTTY and WinSCP versions of how to do that...
»theillustratednetwork.mvps.org/S···ver.html »theillustratednetwork.mvps.org/S···air.html
...versus the Tunnelier version I posted earlier...
SSH is also nice since you can use the SOCKS proxy function to redirect your favorite browser (i.e. IE or Firefox, for example) and do anonymous web surfing. See the screenshots using PuTTY and IE as the examples. Note I use Port 8080, but you can pretty much use any high-number port AFAIK...
Tunnelier has the same functionality...
»www.bitvise.com/tunnelier#port-forwarding
Examples for Firefox, IE and the Tunnelier client setup are here...
»www.bitvise.com/files/socks-firefox.gif »www.bitvise.com/files/socks-ie.gif »www.bitvise.com/files/socks-tunnelier.gif
Also, and I am sure you know this, you can redirect your email client through the SSH tunnel...
»Re: Any security when using public hotspot?
I do admit, however, that I have been having issues with this with Outlook 2007. I have not had time to really test it though... -- "When all else fails, read the instructions..."
tempnexus Premium join:1999-08-11 Boston, MA 1 edit | reply to Dennis Well, I just installed 4.1.1 on my VM and am running it all ports blazing with full logging. Will see what I get and when.
edit: DAMN 6 HOURS AND NADA!!!!
  Ryan Premium join:2001-03-03 Attleboro, MA
reply to Dennis Why bother running an SSH server when you can use something like UltraVNC that supports encryption? Are there any additional benefits? You sparked my interest about running SSH.. I can see using one if you're going to be using Remote Desktop, but IMHO UltraVNC does everything with a lot less work..
  SoonerAl Old Enough To Know Better Premium,MVM join:2002-07-23 Norman, OK
4 edits | reply to Dennis quote: Why bother running an SSH server when you can use something like UltraVNC that supports encryption? Are there any additional benefits? You sparked my interest about running SSH.. I can see using one if you're going to be using Remote Desktop, but IMHO UltraVNC does everything with a lot less work..
Some of the reasons I recommend SSH are...
* Because of strong authentication with a public/private key pair versus password-only authentication.
* Remote Desktop access to multiple desktop PCs behind a firewall/router by only opening one hole on the firewall/router versus multiple holes. This also applies to VNC.
* Ability to securely access files without taking over a desktop just to do so, i.e. use an SSH File Transfer Protocol (SFTP) client like WinSCP or Tunnelier.
* Anonymous web access is also a plus for some folks...
It all comes down to your personal risk threshold, i.e. the authentication issue, and your usage. Obviously there is no single solution that fits everyone. I just happen to be a big believer in SSH since it's quite easy to set up for most home users, IMHO...
By the way, Remote Desktop is natively encrypted... -- "When all else fails, read the instructions..."
  tempnexus Premium join:1999-08-11 Boston, MA
reply to Dennis OK, I had my RealVNC 4.1.1 on for 10 hours, with NO PASSWORD (authentication), default ports and on the DMZ IP...no infection, no control takeover... It makes me sad.