Tracking VNC Abusers

Networking/Security Forums -> Exploits // System Weaknesses

Author: carringtonmc    Location: USA    Posted: Fri Aug 22, 2008 9:30 pm    Post subject: Tracking VNC Abusers
    ----
Let's say you administer a network running Windows XP Pro SP2, with a large number of users. On this network there's a user who's abusing a VNC program, utilizing it to snoop on other users in real time.

Is there a means of detecting when VNC is used on the network? Is there a way to uncover footprints of VNC being used on a host, and a means of tracing those footprints back to the source of where VNC was executed (IP, username, etc)?

I know about looking for the VNC process via Task Manager/Processes. I know about netstat -n -a -p tcp. I know about searching the PC for VNC software that may have been remotely installed for access, and looking for a VNC active icon on the toolbar.

Because of the large number of users on the network, I need a way to monitor the network as a whole, sniffing for a VNC process, or tracking footprints back to the source from a PC which was possibly victimized.

Reminder: This is being done /by/ a user of the network /within/ the network enclave. Meaning a firewall packet trap listening for port 5900-etc traffic isn't going to solve this issue.

Any feedback pertaining to this matter will be greatly appreciated. Thanks!

Author: Fire Ant    Location: London    Posted: Tue Sep 02, 2008 3:20 pm    Post subject:
    ----
If you have a Cisco network and are using a layer 3 switch, e.g. a 3750, then maybe set up an ACL to allow port 5900 but send it to the log. Then you could either look at the switch logs or get them from syslog.

By the same token why don't you change the VNC password?
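
Added example, not part of either post: one way to work through the syslog output of the logged ACL suggested above and list which internal addresses opened connections to VNC ports. It assumes the Cisco IOS `%SEC-6-IPACCESSLOGP` message layout; the ACL name `VNC-WATCH`, the switch name, the addresses and the 5900-5909 port range are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of Cisco IOS %SEC-6-IPACCESSLOGP
# messages; the ACL name, switch name and addresses are made up.
SAMPLE_SYSLOG = """\
Aug 22 21:14:03 sw-core1 88: %SEC-6-IPACCESSLOGP: list VNC-WATCH permitted tcp 10.20.4.17(1187) -> 10.20.9.52(5900), 1 packet
Aug 22 21:14:41 sw-core1 89: %SEC-6-IPACCESSLOGP: list VNC-WATCH permitted tcp 10.20.4.17(1192) -> 10.20.9.60(5900), 1 packet
Aug 22 21:19:03 sw-core1 90: %SEC-6-IPACCESSLOGP: list VNC-WATCH permitted tcp 10.20.4.17(1187) -> 10.20.9.52(5900), 37 packets
Aug 22 21:30:10 sw-core1 91: %SEC-6-IPACCESSLOGP: list VNC-WATCH permitted tcp 10.20.7.3(2044) -> 10.20.9.52(5901), 1 packet
Aug 22 21:31:55 sw-core1 92: %SEC-6-IPACCESSLOGP: list VNC-WATCH permitted tcp 10.20.4.17(1201) -> 10.20.1.10(80), 1 packet
Aug 22 21:32:00 sw-core1 93: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/4, changed state to up
"""

ACL_HIT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s.*%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) "
    r"(?P<action>permitted|denied) tcp (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<pkts>\d+) packets?"
)

VNC_PORTS = range(5900, 5910)  # assumption: VNC displays :0 through :9


def vnc_sessions(log_text, ports=VNC_PORTS):
    """Group logged ACL hits on VNC ports by source IP (the viewer side)."""
    by_src = defaultdict(lambda: {"targets": set(), "packets": 0, "first_seen": None})
    for line in log_text.splitlines():
        m = ACL_HIT.match(line)
        if not m or int(m["dport"]) not in ports:
            continue  # not an ACL hit, or not a VNC port
        rec = by_src[m["src"]]
        rec["targets"].add((m["dst"], int(m["dport"])))
        rec["packets"] += int(m["pkts"])
        rec["first_seen"] = rec["first_seen"] or m["ts"]
    return dict(by_src)


def report(sessions):
    """Sources ordered by how many distinct host/port targets they reached."""
    ranked = sorted(sessions.items(), key=lambda kv: len(kv[1]["targets"]), reverse=True)
    return [(src, len(r["targets"]), r["packets"], r["first_seen"]) for src, r in ranked]


if __name__ == "__main__":
    for src, n_targets, pkts, first in report(vnc_sessions(SAMPLE_SYSLOG)):
        print(f"{src}: {n_targets} VNC target(s), {pkts} packets, first seen {first}")
```

The source address and timestamp then have to be matched against DHCP lease and logon records to arrive at a username.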



All times are GMT + 2 Hours