Quasar

Russian botnet VNC attack


I am getting attacked at an increasing rate by Russian botnet machines that are attempting to connect to my VNC server. The rate of attack is up to twice a day on average now.

I don't know if the botnets are only capable of connecting to unprotected VNC servers (ie. ones with no password set), or if they are capable of employing known exploits to bypass authentication on some servers and they just can't hack through mine yet, but either way it is scary. Now that my machines are on their list, as soon as such an exploit is found, I could be hacked in mere moments.

Evidently this is nothing new, as a Google search indicates it's been going on since at least 2007.

We discovered that the botnet backdoors the affected machines by downloading and installing an SSH server, and god knows what else it does.

So in short, if you run VNC, be very wary.


Well, I'm not going to use VNC anymore. But, as Spleen said, an IP change would probably be best in addition to deleting VNC if you haven't already.

Whoo said:

Well, I'm not going to use VNC anymore. But, as Spleen said, an IP change would probably be best in addition to deleting VNC if you haven't already.

I use VNC on a daily basis to connect to my home network from work, so this isn't really an option.


Maybe you can host an ssh server, allow it for only a single user, use the denyhosts script. Block VNC from your router, then forward SSH to your local computer and connect to that forward.


Have you thought of blocking the entire .ru block from connecting?

Spleen said:

I'd request an IP change from your ISP.

This wouldn't really help. The bots are likely testing for connections by using random IPs or blocks of IP addresses.

Mr. Chris said:

Have you thought of blocking the entire .ru block from connecting?

Most Russian IP addresses don't have reverse DNS entries, plus you can't block by top-level domain. You'd have to block thousands of IP ranges.


Putting raw VNC over the internet is a huge security risk, the stream encryption is good enough but passwords are still submitted in plaintext.

I connect to my LAN from work too, but I do it all over SSH. You can do this cheaply and easily with a router that runs DD-WRT or build a little Linux box to act as a gateway. You could also use a VPN service like Hamachi.

Expose as little to the internet as humanly possible. Even if it means a slight inconvenience such as a double login.

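The two SSH suggestions above (a gateway that accepts a single user with VNC blocked at the router, and tunnelling everything over SSH from work) can be turned into something checkable. The following is an added example, not code from any poster in this thread: a POSIX shell script with one function that audits an sshd_config for the "one account, keys only" settings and one that prints the ssh local-forward command the VNC client then connects through. The sample config files, the account name tunneluser and the host gateway.example.net are constructed placeholders; the denyhosts part of the suggestion is not covered here.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the
# "one user, keys only" gateway described above, then print the local
# port-forward command that carries VNC inside the SSH session.
# All file contents, account and host names below are constructed placeholders.

# Print the first effective value of a keyword in an sshd_config.
# sshd honours the first occurrence of a keyword, so we stop at the first match;
# commented-out lines never match because '#' is glued to the keyword.
get_opt() {
  awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Return 0 when the config refuses password and root logins and names exactly
# one account in AllowUsers; otherwise list each missing setting and return 1.
check_sshd_config() {
  cfg="$1"
  rc=0
  pa=$(get_opt "$cfg" PasswordAuthentication)
  [ "$pa" = "no" ] || { echo "PasswordAuthentication should be no (got '${pa:-unset}')"; rc=1; }
  prl=$(get_opt "$cfg" PermitRootLogin)
  [ "$prl" = "no" ] || { echo "PermitRootLogin should be no (got '${prl:-unset}')"; rc=1; }
  nusers=$(awk 'tolower($1) == "allowusers" { print NF - 1; exit }' "$cfg")
  [ "${nusers:-0}" -eq 1 ] || { echo "AllowUsers should list exactly one account (got ${nusers:-0})"; rc=1; }
  return "$rc"
}

# Build the client-side command: the local end binds to loopback only, so the
# forwarded VNC port is not itself reachable from the work LAN.
# $1 = gateway account, $2 = gateway address, $3 = SSH port, $4 = VNC port
vnc_tunnel_cmd() {
  printf 'ssh -N -L 127.0.0.1:%s:127.0.0.1:%s -p %s %s@%s\n' "$4" "$4" "$3" "$1" "$2"
}

# Constructed sample configs written to a scratch directory.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
WEAK_CFG="$tmp/sshd_config.weak"
HARDENED_CFG="$tmp/sshd_config.hardened"
cat > "$WEAK_CFG" <<'EOF'
# constructed: stock-looking settings that let anyone on the internet guess passwords
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF
cat > "$HARDENED_CFG" <<'EOF'
# constructed: one account, public-key login only
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers tunneluser
EOF

check_sshd_config "$WEAK_CFG" || echo "weak config: rejected"
check_sshd_config "$HARDENED_CFG" && echo "hardened config: accepted"
# Then, on the work machine, point the VNC client at 127.0.0.1:5900 after running:
vnc_tunnel_cmd tunneluser gateway.example.net 22 5900
```

With this layout the router forwards only the SSH port; VNC itself listens on the home machine and is reached as 127.0.0.1:5900 through the tunnel, so the VNC password never crosses the internet unencrypted. The checker reads only top-level keywords and ignores Match blocks, which is enough for the small gateway config discussed here.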
Quasar said:

I am getting attacked at an increasing rate by Russian botnet machines that are attempting to connect to my VNC server. The rate of attack is up to twice a day on average now.

Twice a day? Is that all?

There are probably thousands of people out there scanning different IP ranges for machines to target every day. Any server you put up is going to get connection attempts (and no, changing your IP address is a complete waste of time). Much like spam, it's a fact of life that you just have to live with.

Best advice is to just make sure you keep up to date and don't run old software with security holes in. If you're paranoid, you could try:

  • Setting up a firewall to only allow VNC connections from specific addresses (my machine at home has an SSH server and I've configured the firewall to only allow connections from my machine at work, my parents' house, etc).
  • Running the VNC server on an unusual port number that people are unlikely to scan.
  • Configure port knocking.
  • Set up a secure VPN of some kind (though this is really "swallowing the spider to catch the fly")

Bloodshedder said:

Most Russian IP addresses don't have reverse DNS entries, plus you can't block by top-level domain. You'd have to block thousands of IP ranges.

Why not block everything except the IP range of his work, then?


If you use a 128bit encrypting method with a specific key that only the client and server have you should be safe.
On top of the regular password I find this is very safe. I use that setup for my home computer.

They may see the port is open but will never be able to log in since they don't have the key nor the password.

Also, if your router allows it you can allow only a specific set of IPs (your work and such) to be able to connect to that VNC port.

Edit: I also use a key+mouse locker, which prevents anybody who doesn't know a specific key sequence from using any input device. So if anybody manages to access the VNC or, for that matter, the PC, all input devices are locked, even if the PC reboots.


Just as fraggle said about being paranoid:

fraggle said:

  • Setting up a firewall to only allow VNC connections from specific addresses (my machine at home has an SSH server and I've configured the firewall to only allow connections from my machine at work, my parents' house, etc).


Doing this would beef up security, but if, let's say, your parents got a dynamic IP, then you'd need to do an entire range, losing security. This is not effective for any home addresses, only businesses.

fraggle said:

  • Running the VNC server on an unusual port number that people are unlikely to scan.


Works unless the port is blocked.

fraggle said:

  • Configure port knocking.

Works, but you may need additional software to knock the actual ports. Also, some places such as businesses, schools, and ISPs may block those ports.

fraggle said:

  • Set up a secure VPN of some kind (though this is really "swallowing the spider to catch the fly")


Not really paranoid, I do this from everywhere and it works great to where I can access my own network with no trouble at all.

GhostlyDeath said:

Doing this would beef up security, but if, let's say, your parents got a dynamic IP, then you'd need to do an entire range, losing security. This is not effective for any home addresses, only businesses.

Limiting it to a range is still practical; if it's a /24 for example, you've reduced the range of potential hackers from ~4 billion to ~256.

GhostlyDeath said:

Not really paranoid, I do this from everywhere and it works great to where I can access my own network with no trouble at all.

My point is, it doesn't really address the problem; you've just shifted it from VNC to a different service (VPN).

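Fraggle's first bullet (a firewall that admits VNC only from known addresses) and the later exchange about how much a /24 widens that allow-list can be worked through with a small script. The following is an added example, not code from fraggle, Bloodshedder or anyone else in the thread: a POSIX shell script that prints the iptables allow-list rules without applying them, tests whether a given source address would be admitted, and counts how many addresses each entry lets through. The allow-list, the office address 198.51.100.7 and the parents' range 203.0.113.0/24 are constructed documentation addresses, and the iptables command form is assumed for a Linux router or gateway.

```shell
#!/bin/sh
# Added example (not from the thread): the allow-list firewall fraggle
# suggests, plus the arithmetic behind Bloodshedder's "/24 cuts ~4 billion
# candidates to ~256" point. Rules are printed, not applied; the addresses
# are constructed documentation ranges.

# Dotted quad -> unsigned 32-bit integer (awk keeps the arithmetic portable).
ip2int() {
  echo "$1" | awk -F. '{ printf "%.0f\n", $1*16777216 + $2*65536 + $3*256 + $4 }'
}

# Return 0 if address $1 lies inside $2, given as a.b.c.d/len; a bare address
# is treated as /32.
ip_in_cidr() {
  addr=$(ip2int "$1")
  net=${2%/*}
  len=${2#*/}
  [ "$len" = "$2" ] && len=32
  netint=$(ip2int "$net")
  awk -v a="$addr" -v n="$netint" -v l="$len" 'BEGIN {
    host = 2 ^ (32 - l)                      # size of the host part
    exit !(int(a / host) == int(n / host))   # same network prefix?
  }'
}

# Return 0 if $1 matches any entry of the space-separated allow-list $2.
ip_allowed() {
  for entry in $2; do
    ip_in_cidr "$1" "$entry" && return 0
  done
  return 1
}

# Number of source addresses a single entry admits: the figure to weigh when
# widening a /32 to a /24 for a relative on a dynamic IP.
allowed_count() {
  len=${1#*/}
  [ "$len" = "$1" ] && len=32
  awk -v l="$len" 'BEGIN { printf "%.0f\n", 2 ^ (32 - l) }'
}

# Print iptables commands that accept VNC ($1) only from the allow-list ($2)
# and drop everything else on that port.
vnc_firewall_rules() {
  for entry in $2; do
    printf 'iptables -A INPUT -p tcp --dport %s -s %s -j ACCEPT\n' "$1" "$entry"
  done
  printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$1"
}

# Constructed allow-list: the office's single address and the parents' /24.
ALLOW="198.51.100.7 203.0.113.0/24"
vnc_firewall_rules 5900 "$ALLOW"
for src in 198.51.100.7 203.0.113.200 192.0.2.9; do
  if ip_allowed "$src" "$ALLOW"; then echo "$src: accepted"; else echo "$src: dropped"; fi
done
echo "a /24 entry admits $(allowed_count 203.0.113.0/24) addresses; an open port admits $(allowed_count 0.0.0.0/0)"
```

The ACCEPT rules must precede the final DROP, since iptables evaluates a chain top to bottom; the trailing DROP is what turns the list into an allow-list rather than a set of exceptions. The count function makes the trade-off explicit: a /32 admits one address, a /24 admits 256, and leaving the port open admits all 4,294,967,296.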

I tried changing the port today and now I cannot connect, so I don't think that's going to work.

Quasar said:

I tried changing the port today and now I cannot connect, so I don't think that's going to work.


You need to change both the server and client port and make sure they are forwarded/not-blocked.

