Thread: Hacker Attack on server PC (with RealVNC) | Forums

  1. #1
    Yes, some fart with not enough to do logged onto our server remotely and was fiddling. The hacker should now be permanently locked out.

    We were using a program called RealVNC to allow a few of us to log on remotely to perform admin on the server PC. RealVNC has some hacker issues: http://helpdesk.usu.edu/content/secu...dates.php?id=2.

    While the hacker was logged on, he/she opened a DOS prompt and started typing what may have been an IP address. During the natural panic to identify and disable his a**e, we didn't find out what he was actually doing.

    Could anyone please hazard any guesses as to what the fart might have been up to?
    _RAAF_Furball, CO
    Real Aussie Air Force

  3. #3
    Check sys folders on all your drives; that means hidden folders like

    MSOCache
    System Volume Information
    RECYCLER

    Also, run a full trojan, virus test from at least 2 manufacturers, try to identify any new services on your machine, and scan for rootkits.

    I also had a problem with RealVNC and a remote server: a hacker managed to put a really clever trojan/rootkit on it, which was hidden in sys volume (NTFS drive) and called home with any changes to user names/passwords. After that I got http://www.tightvnc.com/

    which has some nice security-wise features which you can use for full benefit.

    Also, check if any of your built-in accounts are active....

  4. #4
    Some other things to consider:

    Check guest account is still disabled.
    Check if Remote Access has been enabled. - If using w2k3 or XP then Remote Access may have been activated as a future backdoor.

    ALWAYS lock your terminal. Never leave a user (especially Administrator) signed in. ALWAYS use the top left button to drop down the menu and select Send CTRL-ALT & DEL to lock the session or log off from the start menu or as the webpage states:

    quote: "After all, your VNC instances are configured to automatically lock the screen after disconnect and allow only a single user to be connected, am I right?"

    Check the properties box for VNC under connections tab, IIRC.

    Reading the website, VNC issue is authentication bypass but not an OS log on bypass. If a hacker can get into VNC then logging off or locking the session will put up another barrier to get past.. most will leave.

    Passwords are great and can be difficult to remember depending on complexity. This will not cure the VNC issue, if it's confirmed there is one, but it will make brute force intrusions on your server difficult to perform. Consider using a website address, they tend to be easier to remember and have at least one special non-alpha character (.).

    If you are running a third party firewall then it may be worth checking if any new programs have been granted access. You could always install ZoneAlarm's free version and see which programs are accessing the internet and track down any anomalies that may sneak past other scans.
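The checks suggested in posts #3 and #4 (built-in accounts, Remote Access, new services, hidden system folders) can be gathered in one read-only pass. This is an added example, not code from any poster in the thread; it assumes a current Windows build with PowerShell 5.1+ in an elevated session (not the XP/w2k3 systems mentioned above), and the `$Days` look-back window and `New-Finding` helper are hypothetical names.

```powershell
# Added example, read-only: reports findings, changes nothing on the machine.
# Assumes PowerShell 5.1+ run elevated; $Days is a hypothetical look-back window.
param([int]$Days = 30)
$since = (Get-Date).AddDays(-$Days)
function New-Finding($Check, $Item, $Detail) {
    [pscustomobject]@{ Check = $Check; Item = $Item; Detail = $Detail }
}

$findings = @(& {
    # Built-in accounts keep well-known RIDs (500 Administrator, 501 Guest),
    # so a renamed Guest account is still recognised here.
    $builtin = @{ '500' = 'Administrator'; '501' = 'Guest' }
    foreach ($u in Get-LocalUser) {
        $rid = $u.SID.Value.Split('-')[-1]
        if ($builtin.ContainsKey($rid) -and $u.Enabled) {
            New-Finding 'Built-in account enabled' $u.Name "$($builtin[$rid]), last logon: $($u.LastLogon)"
        }
    }

    # Remote Desktop: fDenyTSConnections = 0 means inbound connections are allowed.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    if ((Get-ItemProperty -Path $key -Name fDenyTSConnections).fDenyTSConnections -eq 0) {
        New-Finding 'Remote Desktop enabled' 'fDenyTSConnections' 'Confirm this was turned on by an admin'
    }

    # Services installed inside the window (System log, event ID 7045).
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            New-Finding 'Service installed' $_.Properties[0].Value "$($_.TimeCreated) $($_.Properties[1].Value)"
        }

    # Recently written executables in the hidden folders named in post #3.
    # '$Recycle.Bin' is the current name of RECYCLER. Folders the session cannot
    # read (often System Volume Information) are skipped silently, not cleared.
    $folders = 'MSOCache', 'System Volume Information', 'RECYCLER', '$Recycle.Bin'
    foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
        foreach ($name in $folders) {
            $path = Join-Path $drive.Root $name
            if (-not (Test-Path -LiteralPath $path)) { continue }
            Get-ChildItem -LiteralPath $path -Recurse -Force -File -ErrorAction SilentlyContinue |
                Where-Object { $_.LastWriteTime -ge $since -and $_.Extension -in '.exe', '.dll', '.sys', '.bat', '.cmd' } |
                ForEach-Object { New-Finding 'Executable in hidden folder' $_.FullName "written $($_.LastWriteTime)" }
        }
    }
})
$findings | Sort-Object Check | Format-Table -AutoSize -Wrap
```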

  5. #5
    Thank you, guys - MOST appreciated!

    to the power of the 'Net - people helping people!
    _RAAF_Furball, CO
    Real Aussie Air Force

    click below for _RAAF_ website



    click below for Fur's website

    [URL=http://www.furball.catlink.net][IM
    Reply With Quote Reply With Quote
