[AG-TECH] FYI - VNC attacks

Andrew Daviel advax at triumf.ca
Thu Jun 8 18:04:37 CDT 2006

I believe many people in the videoconference community run VNC as
a desktop sharing application, often unwrapped (i.e. not protected by SSH
tunnelling). Apologies to others ....

FYI, we have been the target of some VNC attacks.

A couple of Windows machines (at least) that were running VNC server
(with a password, albeit not a strong one) were attacked and one
was  infected with Spybot, later caught by antivirus software,
and another remote control application, also caught. There was a 3-week
window between the infection and the antivirus update which caught

This may relate to the RealVNC security announcement a couple of weeks
ago. Or it may be password guessing like for SSH; I am not sure at this

Admins may check Windows Event Viewer, Application log, for
"WinVNC4". VNC typically listens on port 5900

So, make sure you turn off VNC when not required, at least until we
figure this out ....

Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376  (Pacific Time)
security at triumf.ca

More information about the ag-tech mailing list