My friend's computer's mouse was moving!
Ok guys,
My friend is freaked out. This morning he woke up and saw his mouse moving, and he was like wtf, so he watched and waited. The mouse minimized Ventrilo, opened up Firefox, went to www.whatmyip.com and highlighted his IP... at this point he looked down and saw the VNC button black (which means someone's connected). He hit Ctrl-Alt-Del, at which point the mouse shot up to the top of the screen and VNC went white (nobody connected anymore).
What we don't understand is... the VNC settings are that nobody can move the mouse/keyboard. We don't get how whoever it is was moving the mouse.
He just sent me a screenshot of the config he has. His anti-virus was off, his firewall was off. This is very weird and both he and I are scared because we don't know how long this has been going on. He has CC info and his employer's private DB server info on his computer. He just ran Spybot and he's running a virus scan right now.
He's using AVG and Sygate Personal Firewall. We don't know how this guy is doing this. It has to stop right away. He is behind a Linksys wireless router. I don't know how this guy got past the router and the Sygate firewall, as that thing is very good and shows any in/out traffic and what IP it is before it lets the packets past it.
EDIT: here is the screenshot of VNC:
http://img366.imageshack.us/img366/3794/regchada0.jpg
As you can see, nobody can do anything but view over VNC. He changed the VNC password too, as neither of us can connect through it.
What neither of us understands is... why would he be going to whatismyip.com? He must have had his IP to connect to him in the first place? We don't get it..
Oroka Sempai
08-18-06, 02:20 PM
I read an article about something like this that happened to a disabled guy near here; he would see his computer working away by itself at night. Eventually he got huge bills for stuff he didn't buy and had to sell his wheelchair-friendly van to pay off his debts.
Firstly, I would shut off the computer at night, right at the off switch on the PSU, even when it is not in use, until you have a solution.
seadave77
08-18-06, 02:27 PM
If he highlighted the IP he was probably copying it and going to paste it somewhere. If logging was enabled in the router you could go back and take a look at it.
Can't you shut off VNC whenever it's not being used? I too don't understand how the person could possibly be doing that without knowing your IP. I guess he could try talking to his ISP and getting a new IP; don't know how much that would help though.
From what I understand, if someone is skilled enough, there's really nothing that can stop them.
Well, it looks like he has decided to reformat to remove any possibility it was a keylogger/botnet or something along those lines.
Oroka Sempai
08-18-06, 02:39 PM
NOTHING is 100% safe (save for unplugging the computer and never turning it on).
eatmyshorts7569
08-18-06, 02:39 PM
My IP isn't that hard to get; I mean, all they have to do is traceroute my SHOUTcast IP and they'll get the AutoDJ, which is next to me. I just don't get why he would be on whatismyip.com when he's connected, and how long he was connected for. Frankly I'm just freaking out right now about my accounts and especially PayPal :/
Smokeys
08-18-06, 03:50 PM
From the looks of it he is using RealVNC; make sure he is using version 4.1.2 or later, as earlier versions had an authentication bypass which allows a person to skip the password prompt.
Story: http://www.incidents.org/diary.php?storyid=1336
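As an added illustration of the bypass Smokeys mentions (example code written for this thread, not RealVNC's source): a toy model of the RFB 3.8 security-type negotiation, with a server that trusts the client's reply beside one that checks the reply against the types it actually offered. The type numbers follow the RFB protocol; the function names and the "unchecked" server are assumptions for the example.

```python
# Added example, not the thread's or RealVNC's code: a toy RFB 3.8 security-type
# negotiation. The server sends a length byte plus a list of security types; the
# client answers with one byte naming its choice. The old bug was a server that
# accepted that byte without checking it was in the list it had offered.
SECURITY_NONE = 1          # RFB security type 1: no authentication
SECURITY_VNC_AUTH = 2      # RFB security type 2: VNC password challenge


class NegotiationError(Exception):
    """Raised when the client picks a security type the server did not offer."""


def offered_types(password_required: bool) -> bytes:
    """Build the server's security-type message as sent on the wire:
    one length byte followed by the type bytes."""
    types = [SECURITY_VNC_AUTH] if password_required else [SECURITY_NONE]
    return bytes([len(types), *types])


def choose_security_type_unchecked(offer: bytes, client_reply: bytes) -> int:
    """Vulnerable pattern (assumed shape of the pre-4.1.2 behaviour): record
    whatever byte the client sends back, ignoring what was offered. A reply of
    type 1 (None) therefore skips the password challenge entirely."""
    return client_reply[0]


def choose_security_type_checked(offer: bytes, client_reply: bytes) -> int:
    """Hardened pattern: the reply is valid only if it names one of the
    offered types; anything else aborts the handshake."""
    count = offer[0]
    allowed = set(offer[1:1 + count])
    chosen = client_reply[0]
    if chosen not in allowed:
        raise NegotiationError(
            f"client chose security type {chosen}, offered {sorted(allowed)}")
    return chosen


def handshake_requires_password(offer: bytes, client_reply: bytes, checked: bool) -> bool:
    """True when the server will actually run the VNC password challenge."""
    chooser = choose_security_type_checked if checked else choose_security_type_unchecked
    return chooser(offer, client_reply) == SECURITY_VNC_AUTH


if __name__ == "__main__":
    offer = offered_types(password_required=True)
    print("unchecked server, client picks None:",
          handshake_requires_password(offer, bytes([SECURITY_NONE]), checked=False))
    try:
        handshake_requires_password(offer, bytes([SECURITY_NONE]), checked=True)
    except NegotiationError as err:
        print("checked server rejects it:", err)
```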
Mr.Guvernment
08-18-06, 03:56 PM
employers private DB server info on his computer.
Does his employer know this?
Someone should NEVER EVER EVER have this data on their PERSONAL COMPUTERS!!! EVER
Format his comp and start from scratch; you can't trust doing anything else if someone got in, because who knows what backdoors they got that will just keep running.
eatmyshorts7569
08-18-06, 04:02 PM
Does his employer know this?
Someone should NEVER EVER EVER have this data on their PERSONAL COMPUTERS!!! EVER
Format his comp and start from scratch; you can't trust doing anything else if someone got in, because who knows what backdoors they got that will just keep running.
No, if he goes through my emails he'll see the site with my username and yada yada. I called him and told him to change my password and told him the story, and he said not to worry, they're gonna delete my account till Monday when I go to work. As far as the databases, they're for clients and they're being made, so there is no real info there. I'm formatting right now. 31% :) Now at least I feel better and safer.
From the looks of it he is using RealVNC; make sure he is using version 4.1.2 or later, as earlier versions had an authentication bypass which allows a person to skip the password prompt.
Story: http://www.incidents.org/diary.php?storyid=1336
He's using 4.1.8
Smokeys
08-18-06, 06:50 PM
He's using 4.1.8
According to www.realvnc.com the newest version is only 4.1.2. Where do you see 4.1.8?
Add/Remove Programs list. Oh, just looking at it, the Personal Edition is only 4.1.2.
You're right. Both me and eatmyshorts bought the Enterprise Edition as we knew it would be helpful for administration of the small company we are running. The Enterprise Edition is higher, I guess?
Sk8erfreak986
08-19-06, 12:42 AM
If he were new I'd call BS... but he's a long-time member, so I guess this would have to be one of the stranger incidents I have ever heard of.
ghettocomp
08-19-06, 05:04 AM
.....He is behind a linksys wireless router. I dont know how this guy got past the router ......
We dont get it..
That is probably your first clue there. I would never trust a business computer connected to a wireless setup; if incorrectly configured, then you do have problems and that guy is probably sitting right outside.. Wardrivers are a HUGE PITA!
eatmyshorts7569
08-19-06, 05:18 AM
That is probably your first clue there. I would never trust a business computer connected to a wireless setup; if incorrectly configured, then you do have problems and that guy is probably sitting right outside.. Wardrivers are a HUGE PITA!
Neither would I. It's not a business computer, it's just my emails; when a website is done everyone gets an email about what parts they've done and how much they're getting paid. Anyways, I called them and told them to delete my account. My PayPal password is changed, same with my email, as well as the Linksys router's. The computer is formatted and the VNC service is turned off. What freaks me out though is I don't know what this guy did, and for how long. He could have done anything for x amount of time for x amount of days without me knowing it. And just to clarify, when I turned my monitor on I grabbed my mouse but I saw it move, move upwards and center in the middle, and I thought it was ps2cho connecting to my comp. So I said what the hell, I'll just wait till he's done; then he minimized Ventrilo and then clicked on Firefox and went to whatismyip.com, and it was then I said to myself what the hell, he can't move the mouse or any inputs, we only use it to view :(. That's when I hit Ctrl+Alt+Del and bam, VNC turned from black to white. Anyways, I'm going to be very cautious on all my accounts for the next couple of weeks. It's just messed up and frustrating :mad:
ghettocomp
08-19-06, 05:50 AM
You should be looking around to see if anyone is parked nearby; my view is that wireless routers are just not secure. They may not have VNC access any longer, but they might, *might*, have some further access to the computer. :(
skidooosl
08-19-06, 10:07 AM
What type of security does he have on his WAP? My guess is that someone noticed an open WAP and connected to it, then after getting an IP address they ran an nmap scan on the network to see what's out there... Once his box came back listening on ports 5800 or 5900, connect with VNC and try to figure out the password, if authentication is even enabled. This would explain going to www.whatmyip.com... on your computer... this site will show him the external address (the address assigned to the WAN interface on your router).
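A defender's follow-up to skidooosl's scenario, added here and not part of the thread: a small log review that flags wireless clients with an unrecognised MAC that connected to a LAN host on the VNC ports 5800/5900. The client table, the connection-log format and the known-MAC list are all constructed for the example; a real Linksys log looks different and would need its own regex.

```python
# Added example, not from the thread: correlate the router's wireless client
# table with its connection log to spot an unknown wireless device reaching a
# LAN host on the VNC ports. All data and formats below are constructed.
import re
from collections import defaultdict

VNC_PORTS = {5800, 5900}   # RealVNC Java viewer (HTTP) and RFB display :0

# Constructed wireless client table from the router: "MAC IP" per line.
WIRELESS_CLIENTS = """
00:11:22:aa:bb:01 192.168.1.100
00:11:22:aa:bb:02 192.168.1.101
00:de:ad:be:ef:99 192.168.1.105
"""

# MACs the owner recognises as their own devices (assumed for the example).
KNOWN_MACS = {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"}

# Constructed connection log; the line format is invented, not Linksys's.
CONNECTION_LOG = """
2006-08-18 03:12:01 ALLOW TCP 192.168.1.101:49152 -> 192.168.1.100:445
2006-08-18 03:14:40 ALLOW TCP 192.168.1.105:33456 -> 192.168.1.100:5900
2006-08-18 03:14:41 ALLOW TCP 192.168.1.105:33457 -> 192.168.1.100:5800
2006-08-18 03:20:05 ALLOW TCP 192.168.1.100:1234 -> 203.0.113.10:80
"""

LOG_RE = re.compile(r"^(\S+ \S+) ALLOW TCP (\S+):(\d+) -> (\S+):(\d+)$")


def parse_clients(table: str) -> dict:
    """Map assigned IP -> MAC from the wireless client table."""
    return {ip: mac for mac, ip in (line.split() for line in table.strip().splitlines())}


def unknown_vnc_clients(table: str, log: str, known_macs: set) -> dict:
    """Return {source_ip: [(timestamp, dest_ip, dest_port), ...]} for flows to a
    VNC port whose source is a wireless client with a MAC not in known_macs.
    Wired hosts (absent from the wireless table) are not reported here."""
    ip_to_mac = parse_clients(table)
    hits = defaultdict(list)
    for line in log.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue            # skip anything that is not an ALLOW TCP flow line
        ts, src, _, dst, dport = m.groups()
        if int(dport) not in VNC_PORTS or src not in ip_to_mac:
            continue
        if ip_to_mac[src] not in known_macs:
            hits[src].append((ts, dst, int(dport)))
    return dict(hits)


if __name__ == "__main__":
    for src, flows in unknown_vnc_clients(WIRELESS_CLIENTS, CONNECTION_LOG, KNOWN_MACS).items():
        print(f"unknown wireless client {src} reached VNC: {flows}")
```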
Captain Newbie
08-19-06, 11:44 AM
"If the mouse ever moves on its own...turn it off!" - Tom Liston of IntelGuardians.
Your box was whacked. Probably using metasploit and the reverse-VNC injection payload, maybe exploiting MS06-040. Some script kiddie somewhere.
AMD Phreak
08-20-06, 12:33 AM
"If the mouse ever moves on its own...turn it off!" - Tom Liston of IntelGuardians.
Your box was whacked. Probably using metasploit and the reverse-VNC injection payload, maybe exploiting MS06-040. Some script kiddie somewhere.
Agreed.
It is good that he is formatting it. You probably should have spent more time looking over the PC to do some forensics. Be sure to go through the logs and review them thoroughly. Save the logs somehow to a machine off the LAN or onto a CD. Walking back the cat is always hard to do, because it takes so much time.
I would suggest setting up a honeypot PC with VNC and XP and a similar OS build to try and snare the sucker :bday:. Gather as much info about him during this time and store it safely on a PC not connected to the LAN. Keep it safe for future prosecution if needed.
Enablingwolf
08-20-06, 12:53 AM
Are tarpits outlawed?
That'll fix'em
ghettocomp
08-20-06, 01:06 AM
not the last time I looked.... ( over a year ago :D )
AMD Phreak
08-20-06, 01:15 AM
I think LaBrea's site is still down,
but you could probably still find it...............
Enablingwolf
08-20-06, 01:16 AM
http://www.hackbusters.net/LaBrea/
The states you cannot use it in: AK, CO, FL, GA, IL, MI, NY, OR, PA, SC, TN, TX, VA.
Captain Newbie
08-20-06, 01:11 PM
Isn't it great how the DMCA and state-authored Super DMCA laws have pwnt legitimate research?
gorilly
08-21-06, 06:54 AM
This is why I like LogMeIn...
Not only do you need the Windows account info to get onto ANY computer (without it you're buggered),
you also need the LogMeIn account details...
It just has that extra level of security... not to mention you don't need open ports for it to work..
It sounds like either pcAnywhere or lan teacher; it's what the schools use and it acts like what you're talking about, but this is my 2 cents.