heads up for the VNC users

mejinks · 03-08-2006, 23:34

go to C:\WINDOWS\system32\SoftwareDistribution\Setup\Ser viceStartup\wups.dll\

In that folder there should be a folder with a version number. If you have found winupdate you may need to sit down.

I just found this tonight and joy oh joy, my backup machine has been compromised. Yes I know there are better things to use than VNC, but hey.

Now where did I put those windows and applications disk.

Dymetrie · 04-08-2006, 01:17

Erm.....

wuh?

mejinks · 04-08-2006, 01:43

If you use VNC then navigate to C:\WINDOWS\system32\SoftwareDistribution\Setup\Ser viceStartup\wups.dll\

In there should be a folder with a version number eg 5.01.1

If there is not but there is a folder called winupdates, then you have a virus/backdoor on your computer

Mcafee fails to pick it up as does Norton. Pandasoftware picks most of the infection up, housecall says everything is fine.

NOD32 is currrently finding all the viruses that NAV and Mcafee have missed.

Dymetrie · 04-08-2006, 06:49

Oh I see

I have a folder with version number but don't have VNC installed at the moment :/

kaiowas · 04-08-2006, 08:24

Have you got any more details of the exploit used to compromise VNC in this instance? I use VNC sometimes so I just had a look around and it looks like there was a recently discovered exploit whereby it's possible to bypass the authentication, the latest version of realvnc fixes this vulnerability so unless this is a new exploit then upgrading to the latest version should see you safe from this.

mejinks · 04-08-2006, 12:15

Quote:

Originally Posted by kaiowas

Have you got any more details of the exploit used to compromise VNC in this instance? I use VNC sometimes so I just had a look around and it looks like there was a recently discovered exploit whereby it's possible to bypass the authentication, the latest version of realvnc fixes this vulnerability so unless this is a new exploit then upgrading to the latest version should see you safe from this.

Originally, there was a Lsass exploit, but the version that got me was the vnc_bypauth.exe, which upon closer inspection of the folder is a script kiddies wet dream with its detailed step by step (written in Hax0rz script) instruction.

03-08-2006, 23:34	#1
mejinks Magners Join Date: Jul 2006 Posts: 2,865	heads up for the VNC users go to C:\WINDOWS\system32\SoftwareDistribution\Setup\Ser viceStartup\wups.dll\ In that folder there should be a folder with a version number. If you have found winupdate you may need to sit down. I just found this tonight and joy oh joy, my backup machine has been compromised. Yes I know there are better things to use than VNC, but hey. Now where did I put those windows and applications disk.

04-08-2006, 01:17	#2
Dymetrie A large glass of Merlot Join Date: Jun 2006 Location: Letchworth with a Lightsaber Posts: 5,819	Erm..... wuh? __________________ Khef, Ka and Ka-Tet....

04-08-2006, 06:49	#4
Dymetrie A large glass of Merlot Join Date: Jun 2006 Location: Letchworth with a Lightsaber Posts: 5,819	Oh I see I have a folder with version number but don't have VNC installed at the moment :/ __________________ Khef, Ka and Ka-Tet....

04-08-2006, 01:43	#3
mejinks Magners Join Date: Jul 2006 Posts: 2,865	If you use VNC then navigate to C:\WINDOWS\system32\SoftwareDistribution\Setup\Ser viceStartup\wups.dll\ In there should be a folder with a version number eg 5.01.1 If there is not but there is a folder called winupdates, then you have a virus/backdoor on your computer Mcafee fails to pick it up as does Norton. Pandasoftware picks most of the infection up, housecall says everything is fine. NOD32 is currrently finding all the viruses that NAV and Mcafee have missed.

04-08-2006, 08:24	#5
kaiowas The Stig Join Date: Jul 2006 Location: Fightertown USA Posts: 1,458	Have you got any more details of the exploit used to compromise VNC in this instance? I use VNC sometimes so I just had a look around and it looks like there was a recently discovered exploit whereby it's possible to bypass the authentication, the latest version of realvnc fixes this vulnerability so unless this is a new exploit then upgrading to the latest version should see you safe from this.