
Tracking VNC Abusers

carringtonmc
Posted: Fri Aug 22, 2008 9:30 pm    Post subject: Tracking VNC Abusers

Let's say you administer a network running Windows XP Pro SP2, with a large number of users. On this network there's a user who's abusing a VNC program, utilizing it to snoop on other users in real time.

Is there a means of detecting when VNC is used on the network? Is there a way to uncover footprints of VNC being used on a host, and a means of tracing those footprints back to the source of where VNC was executed (IP, username, etc)?

I know about looking for the VNC process via Task Manager/Processes. I know about netstat -n -a -p tcp. I know about searching the PC for VNC software that may have been remotely installed for access, and looking for a VNC active icon on the toolbar.

Because of the large number of users on the network, I need a way to monitor the network as a whole, sniffing for a VNC process, or tracking footprints back to the source from a PC which was possibly victimized.

Reminder: This is being done /by/ a user of the network /within/ the network enclave. Meaning a firewall packet trap listening for port 5900-etc traffic isn't going to solve this issue.

Any feedback pertaining to this matter will be greatly appreciated. Thanks!
Fire Ant
Posted: Tue Sep 02, 2008 3:20 pm

If you have a Cisco network and are using a layer 3 switch, e.g. a 3750, then maybe set up an ACL to allow port 5900 but send it to the log. Then you could either look at the switch logs or get them from syslog.

By the same token why don't you change the VNC password?
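An added example, not part of either post above: one way to turn the syslog output of a logged ACL, as suggested in the reply, into a per-source list of VNC targets, so a workstation that connects to many hosts on port 5900 stands out. It assumes the Cisco IOS `%SEC-6-IPACCESSLOGP` message format and treats 5900-5909 as VNC display ports; the ACL name, host name and addresses in the sample are constructed.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines in the Cisco IOS ACL-log format
# (%SEC-6-IPACCESSLOGP); switch name, ACL name and addresses are made up.
SAMPLE_LOG = """\
Sep  2 15:01:10 sw-core1 101: %SEC-6-IPACCESSLOGP: list VNC-WATCH permitted tcp 10.10.4.23(49211) -> 10.10.7.15(5900), 1 packet
Sep  2 15:03:42 sw-core1 102: %SEC-6-IPACCESSLOGP: list VNC-WATCH permitted tcp 10.10.4.23(49305) -> 10.10.7.31(5900), 1 packet
Sep  2 15:06:10 sw-core1 103: %SEC-6-IPACCESSLOGP: list VNC-WATCH permitted tcp 10.10.4.23(49211) -> 10.10.7.15(5900), 14 packets
Sep  2 15:07:55 sw-core1 104: %SEC-6-IPACCESSLOGP: list VNC-WATCH permitted tcp 10.10.9.8(51002) -> 10.10.7.40(5901), 1 packet
Sep  2 15:08:01 sw-core1 105: %SEC-6-IPACCESSLOGP: list VNC-WATCH permitted tcp 10.10.9.8(51010) -> 10.10.2.5(80), 1 packet
Sep  2 15:09:30 sw-core1 106: %LINK-3-UPDOWN: Interface Gi1/0/4, changed state to up
"""

# One ACL log entry: list name, action, source(port) -> destination(port), packet count.
ACL_HIT = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) tcp "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<pkts>\d+) packets?"
)


def vnc_sessions(log_text, ports=range(5900, 5910)):
    """Return {viewer_ip: {target_ip: packet_count}} for TCP hits on VNC ports.

    The default port range (displays :0 to :9) is an assumption; narrow or
    widen it to match the ACL actually deployed.
    """
    viewers = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = ACL_HIT.search(line)
        if m and int(m["dport"]) in ports:
            viewers[m["src"]][m["dst"]] += int(m["pkts"])
    return {src: dict(dsts) for src, dsts in viewers.items()}


def rank_viewers(sessions):
    """Sort sources by how many distinct hosts they reached, most first."""
    return sorted(((src, sorted(dsts)) for src, dsts in sessions.items()),
                  key=lambda item: (-len(item[1]), item[0]))


if __name__ == "__main__":
    for src, targets in rank_viewers(vnc_sessions(SAMPLE_LOG)):
        print(f"{src} -> {len(targets)} host(s): {', '.join(targets)}")
```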