Update: UltraVNC 1.4.3.6 and UltraVNC SC 1.4.3.6: viewtopic.php?t=37885
Important: Please update to latest version before to create a reply, a topic or an issue: viewtopic.php?t=37864

Join us on social networks and share our announcements:
- Website: https://uvnc.com/
- GitHub: https://github.com/ultravnc
- Mastodon: https://mastodon.social/@ultravnc
- Facebook: https://www.facebook.com/ultravnc1
- X/Twitter: https://twitter.com/ultravnc1
- Reddit community: https://www.reddit.com/r/ultravnc
- OpenHub: https://openhub.net/p/ultravnc

Hacking activity? Can I get a log of incoming connections?

Post Reply
jonnyz0109
8
8
Posts: 11
Joined: 2004-07-12 15:52
Location: Connecticut, USA
Contact:
Contact jonnyz0109

Hacking activity? Can I get a log of incoming connections?

Post by jonnyz0109 »

I work in a K-12 district, and for management/Help Desk purposes, we have Ultra VNC deployed on every PC in the district. Yesterday one of our secretaries claimed the computer started "typing on its own" and sent us the document. We have a small department, and there is no one, to our knowledge, that has our administrative password other than those within our own department.

My first question: has anyone seen anything like this? It seems to me like it's some automated cracking tool, and once it broke through, it just started typing randomly? (Note: the secretary was in the middle of typing her own document)
to ten AM to ten F. F. home video has been a time and have an FFAI Allen and MIA and let them connect handing it, and we’re in a landmark along our anyone know what I read where and when the county eliminate time and having SFAAL and MIN Internet and we’re in a landmark along the time when a night in word now in their own now running the way you can on the on line in the late
My second question: is there any way for me to figure out where connections were received from? The option for diagnostic logging is disabled. Are TCP connections logged somewhere? If someone did indeed break through and VNC to her computer, we've got to change passwords on a LOT of computers... I need to make sure of this before I spend a week doing that.

Thanks in advance for any suggestions you can provide!
Top
UltraSam
Admin & Developer
Admin & Developer
Posts: 462
Joined: 2004-04-26 20:55
Contact:
Contact UltraSam

Re: Hacking activity? Can I get a log of incoming connection

Post by UltraSam »

If debug logging is desactivated in WinVNC properties, UltraVNC does not store any connections related data.

The best thing to do it to log the TCP connections yourself with dedicated tool on each server machine (local XP Firewall log for instance) or at your corporate FW level if all viewers connections comes from outside.

Given the output that happened I don't think it has been made through the UltraVNC connection, though. I would think more about a spyware/malware instead.

If you're about to change the password on all machines, and if not yet done, I suggest that you take this occasion to setup the MSRC4 DSM plugin on all your servers with a RC4.key file, and choose a unique 8 chars VNC password for each server
UltraSam
Top
secrethero
Posts: 7
Joined: 2007-03-08 19:57

Re: Hacking activity? Can I get a log of incoming connection

Post by secrethero »

Also, check win event logs. You should be able to see the IP that made the connection. It should be listed as WinVNC under events....I think.

Hope that helps!
Top
Post Reply

Return to “Old messages”