Winvnc Abuse

Hello my name is jeff, I work for a non-profit organization in Hawaii. we recently installed a RAS server, and it worked fine for a couple of weeks, now it no longer works cannot even access the internet and cannot use the programs on the server, When I did a shut down to safe mode, and reboot, I saw WINVNC pop up with contol of mouse pointer and keyboard clicked, I unclicked them and got a warning message that connections would not be accepted, this is the Problem, this program was never installed by me or anyone else in our organization, Some hacker has basically hi-jacked our ras server, I have disconnected the modem and ether net cable so it is no longer accessible (I think), what I would really appreciate is if you can give me any ideas for combatting this situation. I plan to fdisk, reformat, reinstall, add most recent anti-virus and firewall. Will the Fdisk and reinstall help me remove the program from our RAS server? Also we have a dynamic IP address -- so I think that will help us also. Please if there is any information, or suggestions you could provide we (at our organization would deeply appreciate it.

Thanks - JC

 

I dont know what RAS server is but What OS are you using? Linux? You can use FDisk to delete parition. I use win xp cd to delete partition and to format. Deleting partition and formating will remove your program from RAS server but you will probably need RAS server address (maybe password if you remember) to reconnect or set up, maybe install application again if theres one. Or simple just plug RAS server to your pc. If you want firewall, I recommend Linksys hardware firewall router for cable or DSL modem, it can connect to 4 pc and 4 pc can get on internet at the same time. It block incomings, here link
www.linksys.com/products/product.asp?grid=34&scid=29&prid=433
It really easy to set it up, just plug CAT wire from cable or DSL modem to router then other CAT wire from router to pcs.

 

WINVNC Abuse (reply)

thanks for the quick response -- RAS = Remote Access Server, it is set up for VPN = VPN Virtual Private Network -- so homeusers (people who work at home and people who live in the United States (Lower 48) (I am in Hawaii) can access our server. I am Using Windows 2000 Server - Good point about the server address -- but our DSL Modem has a dynamic IP address -- so I think an IPconfig /Release -- then /Renew will change our ip address. We are also using DHCP on the server -- so the ip address will change. Yes I will use the 2000 Disk to partition and format using NTFS. Thanks again for the speedy response.

Jc

 

i believe WINVNC is built into win2k to allow remote deskto paccess to a machien...

 

Winvnc is NOT part of the Windows 2000 server OS. What is part of it is called Terminal Server. This runs on port 3389. An fdisk and format will wipe out the trojan on your sytem.
I recommend (www.my-etrust.com) E-trust AV from CAI for your antivirus. It works on win2k server as I am using it right now. As Johner said, the linksys is an inexpensive solution to your firewall problem.

 

Out of curiosity, what kind of Trojan requires an FDISK to fix? Or are you just being extra cautious (because, hey, it is a server)?

And does anyone have an idea how this was done? Is there some buffer overflow issue with RRAS? Did he have a guest account enabled? Was he missing an update/serivce pack? I don't quite see how he could get through Active Directory (IIRC, required for RRAS) authorization... but then I'm not hacker.

Maybe it's something solved in SP4.

 

having a trojan does't require an FDISK to fix. you can use a trojan remover.. but I would always have that "not so fresh" feeling if my box was hit with one..

 

1.) cracker, not hacker.

http://www.catb.org/~esr/jargon/html/entry/cracker.html
http://www.catb.org/~esr/jargon/html/entry/hacker.html
http://www.catb.org/~esr/jargon/html/entry/script-kiddies.html

2.) Backup, reinstall, if you aren't running VNC and you see that, you're trojaned.

3.) Run snort with strict rules to analyze packet data, maybe even learn how to analyze packets and analyze packet dumps, a dynamic IP doesn't help if you have a trojan/worm (maybe even a trojan worm (yes they exist)) calling back to the crackers/script kiddie's box. But if you fdisk it should all be good (make sure to re-install the MBR also, you never know)

4.)Definatly run a firewall (anything from Norton *shudders* to pf)

 

WIN VNC ABUSE

THanks everyone for your replies. I think I got hacked because I didn't have a firewall. Also I was in a hurry to get the RRAS server working. I did have all the latest upgrades and an anti-virus. Lesson learned: Neva Eva compromise security in the name of expediency. I did the Fdisk and reinstall for the same reason as mentioned above. Once you been hacked you want to feel secure again, you gotta start from scratch. I am looking into packets sniffers, and Sonic Wall. Thanks again for the feedback

 

Yeah, security is good, and it's cracked

 

don't be so bloody technical .. it's commonly referred to as being hacked so let it be.. who gives a crap about the semantics of it except coders and hats...

 

except coders and hats

Not neccesarily, I'm like one of those politicaly correct people, except about this,

 

WIN VNC Abuse

CraCKED hACKED -- it all stinks

but thanks again for your input

 

Re: WIN VNC Abuse

Computers don't do what you want them to do -- they do what you TELL them to do

 

Considering that hacking as the hackers see it is the gaining of knowlege of how a system works so they can gain access to a system secretly where as crackers want to break in.. what's the difference in that? none.. hackers = crackers in that sense.

Thing is, a true cracker is someone who breaks computer code and modifies it to work they want it. The whole establishment wants to change something that has been around for decades because one doesn't like the other.. oh well.. you say tomAto I say tomato.

 

Seeing as he has no idea what the intruder did on his system, he has no idea at all about the color his hat. He could just have easily stolen information. And the admin has no way of knowing what was compromised. The user was able to install a new system service, which means he probably had administrative access, too.

Truth is, someone gained unauthorized access to his machine (a server and therefore the whole network), and then left behind a mechanism to regain entry. If I don't care about anything but gaining entry, why would I leave behind a secret door to get back in? It really doesn't matter if his intent was malicious or not, because the effects are. This admin now as to wipe his server and reinstall it.

"I'm an ethical hacker, because I don't steal anything." Whatever.Try going around and committing armed robberies and then not stealing anything. See if that gets you sympathy from anyone.

 

I like you already

 

I second that , he's right, the difference between gray's, blacks, and crackers is just the amount of malice (and stupidity).