>Someone has installed VNC on several, student owned,
>computers in our Residence Halls without the owner's
>permission or knowledge.  These computers are being
>remotely controlled without the owner's permission.
>
>This is, clearly, something I need to stop.  I need to find
>out how I can determine the ip address, or some other
>identifying attribute, of the system used to remote control
>these computers.

Stick a Linux box running tcpdump on the same network segment as the
compromised host, and get it to filter traffic so it only looks at the
compromised host and the VNC ports (usually 5900).  That will reveal the
source address.

Alternatively, there may be a logging option in WinVNC (I assume this is
the platform in question) which will serve a similar purpose.  I don't know
how to activate this, please check the docs on the website.

You could also manually uninstall VNC and replace it with a 'honey pot'
which does nothing but log the IP address of the connecting host.  If you
can't find such a utility, it can be knocked up in a few minutes.

HTH,

--------------------------------------------------------------
from:     Jonathan "Chromatix" Morton
mail:     [EMAIL PROTECTED]  (not for attachments)
big-mail: [EMAIL PROTECTED]
uni-mail: [EMAIL PROTECTED]

The key to knowledge is not to rely on people to teach you it.

Get VNC Server for Macintosh from http://www.chromatix.uklinux.net/vnc/

-----BEGIN GEEK CODE BLOCK-----
Version 3.12
GCS$/E/S dpu(!) s:- a19 C+++ UL++ P L+++ E W+ N- o? K? w--- O-- M++$ V? PS
PE- Y+ PGP++ t- 5- X- R !tv b++ DI+++ D G e+ h+ r- y+
-----END GEEK CODE BLOCK-----
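
Added example, not part of the original message or of any VNC distribution: a minimal version of the logging 'honey pot' suggested above, to run on port 5900 once VNC has been removed from the machine. The function names, the log file name and the use of the RFB 3.3 version greeting to capture the viewer's version string are assumptions made for this sketch.

```python
#!/usr/bin/env python3
"""Minimal VNC-port logger: accepts connections and records who connected."""
import socket
import sys
import time

# Assumption: greet like an RFB 3.3 server so a viewer replies with its version.
RFB_BANNER = b"RFB 003.003\n"


def make_listener(host="0.0.0.0", port=5900):
    """Bind a listening TCP socket on the VNC port (5900, as in the post)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    return srv


def handle_one(srv, log, timeout=5.0):
    """Accept one connection, log its source, and return the log record."""
    conn, (ip, sport) = srv.accept()
    with conn:
        conn.settimeout(timeout)
        client_version = b""
        try:
            conn.sendall(RFB_BANNER)
            # A real viewer answers with its own 12-byte version string.
            client_version = conn.recv(12)
        except OSError:
            pass  # peer hung up or timed out; the address is still logged
    record = {
        "time": time.strftime("%Y-%m-%dT%H:%M:%S%z"),
        "src_ip": ip,
        "src_port": sport,
        "client_version": client_version.decode("ascii", "replace").strip(),
    }
    log.write("{time} src={src_ip}:{src_port} "
              "client={client_version!r}\n".format(**record))
    log.flush()
    return record


if __name__ == "__main__":
    listener = make_listener()
    # Hypothetical log file name; records are appended one line per connection.
    with open("vnc-connections.log", "a") as logfile:
        while True:
            print(handle_one(listener, logfile), file=sys.stderr)
```

The connection is closed right after the version exchange, so nothing on the machine is exposed to the remote side; only the source address, port and viewer version string are recorded.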