I am being hacked, but it appears as if the attempts succeed partly: I can see the time out query window appear, which I set to accept connections by default after 3 seconds. When I try to connect to myself I don't see the query window, I just get an "authentication failed" or "wrong password" message, whichever is relevant. So how do the hackers do it?
I have a good password, and I'm using the DSM plugin with authentication with pre-shared key, so hacking my setup should be near impossible.
Celebrating the 22th anniversary of the UltraVNC: https://forum.uvnc.com/viewtopic.php?t=38031
Update: UltraVNC 1.4.3.6 and UltraVNC SC 1.4.3.6: https://forum.uvnc.com/viewtopic.php?t=37885
Important: Please update to latest version before to create a reply, a topic or an issue: https://forum.uvnc.com/viewtopic.php?t=37864
Join us on social networks and share our announcements:
- Website: https://uvnc.com/
- GitHub: https://github.com/ultravnc
- Mastodon: https://mastodon.social/@ultravnc
- Bluesky/AT Protocol: https://bsky.app/profile/ultravnc.bsky.social
- Facebook: https://www.facebook.com/ultravnc1
- X/Twitter: https://x.com/ultravnc1
- Reddit community: https://www.reddit.com/r/ultravnc
- OpenHub: https://openhub.net/p/ultravnc
Hacking attempts - How do they do it??
- Rudi De Vos
- Admin & Developer
- Posts: 6883
- Joined: 2004-04-23 10:21
- Contact:
Re: Hacking attempts - How do they do it??
Check mslogon.log to see if someone really accessed your system. It contains accesses and access attempts (time/IP address).
Using a pre-shared key it's impossible. You have 2-way security (encryption key and VNC password). You need to have
both to gain access. Pre-defined keys never pass the internet, there is no DH key exchange.
No idea how the hackers do it: did they hack the system and use VNC after hacking to get graphical access, or did they really
use uvnc to gain access? Perhaps the hackers' IP address tells more.
Re: Hacking attempts - How do they do it??
My last mslogon.log entries are:
31/3/2014 12:03 Invalid attempt from client 5.79.78.230
31/3/2014 12:08 Invalid attempt from client 69.10.40.154
31/3/2014 12:53 Invalid attempt from client 5.79.78.230
31/3/2014 14:53 Invalid attempt from client 208.109.218.47
31/3/2014 14:57 Invalid attempt from client 5.79.78.230
The attempts are invalid, but the query window appears every time, which is what's puzzling.
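An added example (not part of the original posts, and not UltraVNC code) that follows the advice to look at the source addresses: it groups the "Invalid attempt" lines quoted above by client IP and reports how often and when each one tried. It assumes the day/month/year order seen in the quoted lines and skips any other entry type, since no other format appears in the thread.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Sample input: the five mslogon.log lines quoted in the post above.
SAMPLE = """\
31/3/2014 12:03 Invalid attempt from client 5.79.78.230
31/3/2014 12:08 Invalid attempt from client 69.10.40.154
31/3/2014 12:53 Invalid attempt from client 5.79.78.230
31/3/2014 14:53 Invalid attempt from client 208.109.218.47
31/3/2014 14:57 Invalid attempt from client 5.79.78.230
"""

LINE = re.compile(
    r"(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}) Invalid attempt from client (\S+)"
)

def summarize(text):
    """Return {ip: {"count", "first", "last"}} for invalid attempts."""
    seen = defaultdict(list)
    for line in text.splitlines():
        m = LINE.fullmatch(line.strip())
        if m is None:
            continue  # unknown entry type or damaged line: ignore it
        try:
            # Assumption: dates are day/month/year, as in the quoted lines.
            when = datetime.strptime(m.group(1), "%d/%m/%Y %H:%M")
            ip = str(ipaddress.ip_address(m.group(2)))
        except ValueError:
            continue  # malformed timestamp or address
        seen[ip].append(when)
    return {
        ip: {"count": len(ts), "first": min(ts), "last": max(ts)}
        for ip, ts in seen.items()
    }

def repeat_sources(summary, threshold=2):
    """IPs with at least `threshold` invalid attempts, most active first."""
    hits = [ip for ip, s in summary.items() if s["count"] >= threshold]
    return sorted(hits, key=lambda ip: -summary[ip]["count"])

if __name__ == "__main__":
    report = summarize(SAMPLE)
    for ip in sorted(report, key=lambda i: -report[i]["count"]):
        s = report[ip]
        print(f"{ip:16} {s['count']:3}  {s['first']} .. {s['last']}")
    print("repeat sources:", repeat_sources(report))
```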
- Rudi De Vos
- Admin & Developer
- Posts: 6883
- Joined: 2004-04-23 10:21
- Contact:
Re: Hacking attempts - How do they do it??
When I try to connect to myself ....
1)
CheckLoopBack()
FilterClients_Ask_Permission()
Loopback mode doesn't Ask_Permission.
Retest from another PC, not in loopback mode.
2)
Old viewer <minor7: ask permission, then authenticate --> popups are shown before authentication is done.
(This was badly implemented, not a security risk, but you don't need to bother the user when authentication failed.)
The newer versions: authenticate, then ask permission --> the popup is only shown after good authentication.
I hope this clarifies it.
Re: Hacking attempts - How do they do it??
Thanks, I think that clarifies it. However, I am using the newest version (1.1.9.6) for both viewer and server. So are you talking about a still newer version?
- Rudi De Vos
- Admin & Developer
- Posts: 6883
- Joined: 2004-04-23 10:21
- Contact:
Re: Hacking attempts - How do they do it??
The server supports the old/new rfb protocol.
On connection viewer and server exchange version info and server.
You can connect a 1.00 viewer to a 1.9.x server, then the server switches to 1.0 mode.
Re: Hacking attempts - How do they do it??
I see, so the hackers use an older version. But the query window is really annoying because I am hacked every 10 minutes or so.
Can't the code for the old behaviour in the server be changed? Or, maybe more simply, can you put in an option to block connections with older versions?
- Rudi De Vos
- Admin & Developer
- Posts: 6883
- Joined: 2004-04-23 10:21
- Contact:
Re: Hacking attempts - How do they do it??
If you change some order it needs to be done on the server and viewer side.
You cannot change the server only and expect any old viewer or other VNC flavor to connect.
The only option would be to restrict connections to viewers with the same rfb protocol number.
I'm not so happy about adding another option; the current server and viewer already have so many options
that most people get confused and block connections with the settings they make. Perhaps if we can
remove some others first...
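An added model (not part of the original posts, and not UltraVNC's code) of the behaviour described in this thread: the viewer's RFB ProtocolVersion message decides whether the query popup comes before or after authentication, and a strict same-version policy refuses the old flow. The `require_same_version` switch is the hypothetical option discussed above, the threshold 7 comes from "<minor7" in the earlier post, and the version strings are constructed samples.

```python
import re

# RFB ProtocolVersion is a 12-byte ASCII message: b"RFB xxx.yyy\n".
VERSION_RE = re.compile(rb"RFB (\d{3})\.(\d{3})\n")
NEW_FLOW_MINOR = 7  # from "<minor7" in the thread


def parse_version(msg: bytes):
    """Return (major, minor) or raise ValueError on a malformed message."""
    m = VERSION_RE.fullmatch(msg)
    if m is None:
        raise ValueError("not an RFB ProtocolVersion message")
    return int(m.group(1)), int(m.group(2))


def plan_connection(server_msg, viewer_msg, require_same_version=False):
    """Model the order of steps the server follows for this viewer.

    require_same_version is the hypothetical option from the thread,
    not an existing server setting.
    """
    server = parse_version(server_msg)
    viewer = parse_version(viewer_msg)
    if require_same_version and viewer != server:
        return ["reject"]
    if viewer[1] < NEW_FLOW_MINOR:
        # Old flow: the user is asked before the password is checked,
        # so failed logins still raise the query window.
        return ["query_popup", "authenticate"]
    return ["authenticate", "query_popup"]


def popup_before_auth(steps):
    """True when an unauthenticated peer can trigger the query window."""
    return "query_popup" in steps and steps.index("query_popup") < steps.index(
        "authenticate"
    )


if __name__ == "__main__":
    server = b"RFB 003.008\n"  # constructed sample values
    for viewer in (b"RFB 003.003\n", b"RFB 003.008\n"):
        for strict in (False, True):
            steps = plan_connection(server, viewer, strict)
            print(viewer.strip().decode(), "strict" if strict else "compat", steps)
```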
Re: Hacking attempts - How do they do it??
I agree, things should not get too complex so we should first remove something to make it more lean. In the meantime, it's a shame the popup window is actually unusable, because of the annoying hackers...