computer hacked through VNC

tarun.khurana

I was unaware that a VNC connection is not secure without secure
tunneling, and was running on one of my machines for remote connection.
I realized that my computer was hacked into through VNC, and files like
"winserv.exe", "bw.exe" and some other exe files were transferred on my
machine (on my desktop). An IRC client was also installed on the
machine.
I also had ZoneAlarm installed and running, but the hacker managed to
get in since VNC server was always running. I stopped VNC immediately
after I realized this and I haven't noticed any more suspicious
activity since then.
I am now running scans with Norton Antivirus and Spysweeper, but I'm
not sure if that's good enough. Could anyone recommend me as to what
could be done, besides reinstalling Windows?

Thanks
Tarun
 
Yves Leclerc

Which version of VNC? Did VNC have a password? Look for UltraVNC
(www.ultraVNC.com.) This version seems to be more secure than RealVNC since
it has additional login validations (MS Logon.)
 
Leythos

> I was unaware that a VNC connection is not secure without secure
> tunneling, and was running on one of my machines for remote connection.
> I realized that my computer was hacked into through VNC, and files like
> "winserv.exe", "bw.exe" and some other exe files were transferred on my
> machine (on my desktop). An IRC client was also installed on the
> machine.
>
> I also had ZoneAlarm installed and running, but the hacker managed to
> get in since VNC server was always running. I stopped VNC immediately
> after I realized this and I haven't noticed any more suspicious
> activity since then.
>
> I am now running scans with Norton Antivirus and Spysweeper, but I'm
> not sure if that's good enough. Could anyone recommend me as to what
> could be done, besides reinstalling Windows?

No version of any remote control application will be secure if all it
takes is a password and the client to connect to it. Your experience
could be the result of a weak password, other unprotected services on
your computer, etc...

I've run VNC for ages, and don't use the default port for it, and have
never seen a connection attempt. In most cases we set up a VPN appliance
and then run VNC on the default port, but for remotely accessible we
always use a nonstandard port and we use Strong Passwords that are
changed once a month.

Now that your system is compromised you need to ensure that it's clean,
there are two methods to clean the system:

1) Connect to a secured network, not allowing inbound, then
wipe/reinstall - this method means that your machine will be 100% free
of malware as you complete the reinstall (provided the reinstall media
was clean).

2) Clean the machine in safe mode and manually edit the registry, and
then HOPE that you/apps got it all.
 
Paul Greeff

Nothing in any of these posts indicates a reason for wanting to reinstall.
What is the problem that remains?

I've discontinued my use of VNC as well. The trouble, I'm told, is that the
password is not encrypted. I've switched to Remote Administrator instead,
which does encrypt the password. Any comments from anyone?

PG
 
