Posted: Fri Aug 22, 2008 9:30 pm Post subject: Tracking VNC Abusers
Let's say you administer a network running Windows XP Pro SP2, with a large amount of users. On this network there's a user who's abusing a VNC program, utilizing it to snoop on other users in real time.
Is there a means of detecting when VNC is used on the network? Is there a way to uncover footprints of VNC being used on a host, and a means of tracing those footprints back to the source of where VNC was executed (IP, username, etc)?
I know about looking for the VNC process via Task Manager/Processes. I know about netstat -n -a -p tcp. I know about searching the PC for VNC software that may have been remotely installed for access, and looking for a VNC active icon on the toolbar.
Because of the large number of users on the network, I need a way to monitor the network as a whole, sniffing for a VNC process, or tracking footprints back to the source from a PC which was possibly victimized.
Reminder: This is being done /by/ a user of the network /within/ the network enclave. Meaning a firewall packet trap listening for port 5900-etc traffic isn't going to solve this issue.
Any feedback pertaining to this matter will be greatly appreciated. Thanks!
If you have a Cisco network and are using a layer 3 switch e.g. 3750, then maybe setup and ACL to allow port 5900 but send it to the log. Then you could either look at the switch logs or get them from syslog.
By the same token why don't you change the VNC password?
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum