Hello people,
I have installed RealVNC 3.3.7 on a bunch of remote backup servers that have Windows 2000 Server on them. I wanted to install UltraVNC but my boss showed that UltraVNC used more resources than RealVNC. Regardless, it was password protected. This was 6 months ago.
I just realized that we were hacked for about a month.
The hacker had renamed folders within the C:\programfiles directory to leave messages. For example, he renamed my RealVNC folder to " VNC AND BACKUPEXEC ARE VUNERABLE". Other folders were named "GET A SECURITY CLUE BEFORE YOU COMEONLINE YOU IDIOTS", "HACKER-SERVER KILLED", "--NOT-ME", "WSFTP--KILLED", "YOUVE BEEN ROOTED FOR A MONTH BY ATLEAST TWO HACKERS".
This was very embarrassing. Trust me, I am a young technical analyst. I am still learning more about network administration.
With every server I had stopped, then disabled, VNCSERVER as a service. I deleted a local user account created by the hacker. I changed all passwords. For now I felt a little secure.
I was baffled when I learned that VNC was hackable. I finally researched it and saw that by using DoS attacks, RealVNC was prone to intrusions. Even the new 4.x version.
My question is this though.
1. Did he use the DoS attacks to get the VNC password?
2. Or were the attacks just used to bust into the servers?
3. Did he even use DoS attacks at all?
4. How did he get in?
5. Is UltraVNC vulnerable as well?
Also, can you guys give me any info on protecting myself?
Celebrating the 22nd anniversary of UltraVNC: https://forum.uvnc.com/viewtopic.php?t=38031
Update: UltraVNC 1.4.3.6 and UltraVNC SC 1.4.3.6: https://forum.uvnc.com/viewtopic.php?t=37885
Important: Please update to the latest version before creating a reply, a topic or an issue: https://forum.uvnc.com/viewtopic.php?t=37864
Join us on social networks and share our announcements:
- Website: https://uvnc.com/
- GitHub: https://github.com/ultravnc
- Mastodon: https://mastodon.social/@ultravnc
- Bluesky/AT Protocol: https://bsky.app/profile/ultravnc.bsky.social
- Facebook: https://www.facebook.com/ultravnc1
- X/Twitter: https://x.com/ultravnc1
- Reddit community: https://www.reddit.com/r/ultravnc
- OpenHub: https://openhub.net/p/ultravnc
Just got hacked help!!!!!!
All VNC versions have weak passwords (8 chars max.), the encryption used to store the password in the registry is also weak, and the encryption key source/algorithm is public...
VNCs have a blacklist feature: an IP is blacklisted when it makes too many connection attempts with wrong passwords in a short period of time. The IPs are blacklisted long enough to prevent a brute force attack on connection.
VNCs can be cracked using the "man in the middle" technique. It's the drawback of open source: a WinVNC server can be "simulated" (TCP packets intercepted between a viewer and the server) to get the password entered by the viewer.
UltraVNC with its DSM encryption plugin is more secure:
- You must have the same plugin on both sides (and not necessarily a public plugin)
- You must have the encryption key on both sides
- All the communication data is strongly encrypted from the very first exchanged byte to the very last one.
- If you don't have the right plugin AND the right key, the connection does not even start, so the handshaking/authentication process doesn't start at all.
- Therefore, the "man in the middle" attack becomes very hard to achieve..., same thing for a DOS attack (to my knowledge)
With any VNC distribution you can use SSH tunneling, which has the same advantages as the DSM plugin with Ultra. But it's harder to configure.
In any case, ALWAYS use 8-char-long passwords with VNC!
UltraSam
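The blacklist behaviour UltraSam describes (too many wrong passwords from one address in a short period, so that address is refused for a while) is easy to misjudge without seeing it run. The following is an added example written for this thread, not code from the forum post or from any VNC project: a sliding-window blacklist replayed over constructed server log lines. The log format, the addresses 10.0.0.7 and 192.168.1.20, and the thresholds (5 failures in 60 s, 10-minute block) are all invented for the example.

```python
"""Sliding-window blacklist for failed VNC logins, run over constructed log lines.

Added example, not code from the forum post or from any VNC project.  The log
format, addresses and thresholds below are invented for the example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log excerpt: "<date> <time> <client-ip> <outcome>".
SAMPLE_LOG = """\
2004-03-01 02:14:05 10.0.0.7 auth-failed
2004-03-01 02:14:06 10.0.0.7 auth-failed
2004-03-01 02:14:08 10.0.0.7 auth-failed
2004-03-01 02:14:09 192.168.1.20 auth-failed
2004-03-01 02:14:10 10.0.0.7 auth-failed
2004-03-01 02:14:11 10.0.0.7 auth-failed
2004-03-01 02:14:12 10.0.0.7 auth-failed
2004-03-01 02:14:30 192.168.1.20 auth-ok
2004-03-01 02:25:00 10.0.0.7 auth-failed
"""


class AuthBlacklist:
    """Block an address after max_failures wrong passwords within `window`."""

    def __init__(self, max_failures=5, window=timedelta(seconds=60),
                 block_for=timedelta(minutes=10)):
        self.max_failures = max_failures
        self.window = window
        self.block_for = block_for
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.blocked_until = {}              # ip -> datetime the block expires

    def is_blocked(self, ip, now):
        """True while a block is active; expired blocks are forgotten."""
        until = self.blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.blocked_until[ip]
            return False
        return True

    def record_failure(self, ip, now):
        """Register a wrong password; returns True if this one triggers a block."""
        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:   # drop stale failures
            recent.popleft()
        if len(recent) >= self.max_failures:
            self.blocked_until[ip] = now + self.block_for
            recent.clear()
            return True
        return False

    def record_success(self, ip):
        """A correct password resets the failure counter for that address."""
        self.failures.pop(ip, None)


def parse_line(line):
    date, time, ip, outcome = line.split()
    return datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"), ip, outcome


def process_log(lines, blacklist=None):
    """Replay auth events; returns [(timestamp, ip, decision)] where decision is
    'failed', 'blocked' (this failure triggered the block), 'rejected' (refused
    because a block is active) or 'ok'."""
    blacklist = blacklist if blacklist is not None else AuthBlacklist()
    decisions = []
    for line in lines:
        if not line.strip():
            continue
        ts, ip, outcome = parse_line(line)
        if blacklist.is_blocked(ip, ts):
            decisions.append((ts, ip, "rejected"))
        elif outcome == "auth-failed":
            triggered = blacklist.record_failure(ip, ts)
            decisions.append((ts, ip, "blocked" if triggered else "failed"))
        else:
            blacklist.record_success(ip)
            decisions.append((ts, ip, "ok"))
    return decisions


if __name__ == "__main__":
    for ts, ip, decision in process_log(SAMPLE_LOG.splitlines()):
        print(f"{ts:%H:%M:%S} {ip:<14} {decision}")
```

Replaying the sample, the fifth wrong password from 10.0.0.7 triggers the block, the next attempt is rejected without being counted, the legitimate 192.168.1.20 user's single typo never comes close to the threshold, and after the block expires 10.0.0.7 starts again from a clean counter. That last point is the caveat: a blacklist only slows a brute force against an 8-character password, which is why UltraSam pairs it with the DSM plugin or an SSH tunnel.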
UltraSam wrote: All VNC versions have weak passwords (8 chars max.), the encryption used to store the password in the registry is also weak, and the encryption key source/algorithm is public...

In addition to the weak passwords... you shouldn't make it easier by having the same VNC password on the DMZ computer as on any of your other computers on the network... They should be different. Get a firewall, hardware or otherwise - it's always a good idea to block any unnecessary ports or use ports outside of the normal range - that could mask it as a different service. Most port scanners check to see if the port is only open and listening, not what kind of return you get, and then tell you what service is running over that open port... that I know of yet.

Your rooters also talk about WSFTP... have you checked your FTP settings and ensured you don't have full control from the folder level on IIS?? All W2K and NT flavors had vulnerabilities that, if you didn't know about it, by default give EVERYONE FULL CONTROL!!! Thanks M$!... but they sure did make it easy for you to share your files... Oh yeah, never log into an FTP site with a local admin account either... FTP sends username and PW in clear text... lovely if you are listening...

UltraSam wrote: VNCs can be cracked using the "man in the middle" technique. It's the drawback of open source: a WinVNC server can be "simulated" (TCP packets intercepted between a viewer and the server) to get the password entered by the viewer.

This is how people can listen from home if you use VNC from home to work and see your packets going to your office... This could be a possible breach area.

UltraSam wrote: UltraVNC with its DSM encryption plugin is more secure:
- Therefore, the "man in the middle" attack becomes very hard to achieve..., same thing for a DOS attack (to my knowledge)

The other nice thing about UltraVNC if you are using the encryption plugin... You can also use the MSLogon option, which requires you to know someone's username and PW on a domain or on the local box... this enhances your security. Not to mention UltraVNC's access log on the server... obviously if you're rooted, they will delete this if this is the method they cracked.

Trunks4191 wrote: My question is this though.
1. Did he use the DoS attacks to get the VNC password?
2. Or were the attacks just used to bust into the servers?
3. Did he even use DoS attacks at all?
4. How did he get in?
5. Is UltraVNC vulnerable as well?

1. You are assuming the breach was through VNC... DoS would deny service. Unless your site went down, I would say no, DoS was most likely not used.
2. Not sure on the verbiage here...
3. What's with the DOS or DDOS fixation?
4. Good question, you need a firewall to log attempts... successful and otherwise, to know. It could be a plethora of things.
5. Pretty much anything is vulnerable... where there is a will there is a way... But you can always make that will easier to break with road blocks...
I suggest if you don't want to be hacked - find a security consultant that can help you and give your situation the best once-over... You can give him the business needs for VNC, FTP, and explain to him/her what you want/need. And let them help you along. It's very hard for anyone to give security advice because... well, it's always changing...
Good luck......
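Both the SSH-tunneling suggestion in UltraSam's post and the "block any unnecessary ports" advice in the reply above come down to one verifiable state: the VNC server should answer only on loopback, so that the only way in from the network is through the SSH port. The script below is an added example written for this thread, not code from the forum or from any VNC project. It audits a listing of listening sockets in the three-column form "<proto> <local-addr:port> <state>" (the columns you would pull from `netstat -an` or `ss -ltn`) and reports any RFB listener (ports 5900-5999) bound to anything other than loopback; the two listings are constructed, and the user and host in the tunnel command are placeholders.

```sh
#!/bin/sh
# Added example, not from the forum post: audit a host's listening sockets so
# the VNC server (RFB ports 5900-5999) is reachable only via loopback, i.e.
# only through an SSH tunnel.  Input lines are "<proto> <local-addr:port> <state>";
# the listings below are constructed and the host names are placeholders.

# Print each VNC listener whose local address is not loopback.
exposed_vnc() {
    awk '
        $NF == "LISTEN" {
            n = split($2, part, ":")
            port = part[n] + 0
            addr = substr($2, 1, length($2) - length(part[n]) - 1)
            if (port >= 5900 && port <= 5999 &&
                addr != "127.0.0.1" && addr != "::1" && addr != "[::1]")
                print $2
        }'
}

# Number of exposed VNC listeners in a listing passed as one argument.
exposed_count() {
    printf '%s\n' "$1" | exposed_vnc | awk 'END { print NR }'
}

# Constructed "before": WinVNC answering on every interface, plus FTP.
BEFORE='tcp 0.0.0.0:5900 LISTEN
tcp [::]:5900 LISTEN
tcp 0.0.0.0:21 LISTEN'

# Constructed "after": VNC bound to loopback, only SSH reachable from outside.
AFTER='tcp 127.0.0.1:5900 LISTEN
tcp 0.0.0.0:22 LISTEN'

echo "exposed VNC listeners before: $(exposed_count "$BEFORE")"
echo "exposed VNC listeners after:  $(exposed_count "$AFTER")"

# Once the server listens on loopback only, reach it through the tunnel instead
# (placeholder user/host); the viewer then connects to 127.0.0.1:5901.
#   ssh -L 5901:127.0.0.1:5900 admin@backup-server
```

Run the check from a scheduled task after every configuration change: a non-zero count means the VNC password, the 8-character limit and the unencrypted RFB handshake are all exposed to the network again, regardless of which port number the service was moved to. A port scanner that only tests whether a port is open, as the reply notes, is not fooled by a non-standard port, so binding to loopback and tunneling is the control that actually removes the exposure.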