Kaseya Community

VNC Hacking

  • We have a client PC that has reported winvnc errors for failed logins and invalid protocols. This happened early in the morning from multiple IP addresses. We've checked our Kaseya logs and no one attempted to access it through Kaseya. We are uninstalling winvnc on the PC and setting remote access to terminal server for our immediate remedy. We are calling Kaseya to see if they have seen this before. It looks like someone is bypassing our Kserver and attempting to directly access the winvnc server. Has anyone else seen this? Any thoughts on how secure winvnc really is? Ideas on preventing this in the future? Thanks!

    Legacy Forum Name: VNC Hacking,
    Legacy Posted By Username: pblough
  • Not sure I follow you... are you saying that someone (or some process) was trying to access VNC remotely, but couldn't? How did you detect the errors?

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: boudj
  • Sorry if I wasn't clear. We discovered errors in the event log of the PC. They were VNC errors related to someone attempting and failing to access VNC. There is no corresponding event in the Kaseya logs so it wasn't initiated from the Kserver. It appears someone was trying to directly access VNC without going through the Kserver. The firewall blocks incoming traffic over the ports we saw being attempted to be accessed. Kaseya wasn't much help when we got them on the phone so I'm looking for some other ideas.

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: pblough
  • If the firewall blocks the VNC port, it's either coming from your internal network or that machine. Did you check the "only accept connections from the local machine" checkbox? That is checked by default on the Kaseya install, but sometimes gets disabled.

    I have seen invalid protocol errors a couple of times, but wasn't concerned about it. Maybe I should have been. All of my firewalls block VNC inbound by default as well.

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: runnetworks
  • It probably is someone on the inside doing it. My guess would be someone saw the RealVNC service/icon and is trying to remote control the machine using the "standard" VNC apps. This would generate the errors.

    If you have the default RealVNC deployment (i.e. Pre-install VNC from Kaseya) you shouldn't have anything to worry about. The security settings are set to only allow connections from the local computer. Nobody else could login from another computer.

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: CCDave
  • runnetworks
    If the firewall blocks the VNC port, it's either coming from your internal network or that machine. Did you check the "only accept connections from the local machine" checkbox? That is checked by default on the Kaseya install, but sometimes gets disabled.

    I have seen invalid protocol errors a couple of times, but wasn't concerned about it. Maybe I should have been. All of my firewalls block VNC inbound by default as well.

    If the client is on a single IP network, what subnets are the requests coming from?

    External or internal?

    If the firewall is blocking the ports and the client is a flat IP subnet, then where are the requests coming from?

    It almost sounds like they are trying to hijack a ride inside the firewall with Kaseya???

    Or it's a bug.

    Do you have firewall logs that you can check against the times that the errors happen?

    If not, what subnets are they coming from?

    Internet or internal routing?

    Internet or Internal Routing?

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: bfivelson
  • Where is this "only accept local connections" setting found?

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: djmundy
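
Added example, not part of the original thread and not Kaseya or RealVNC code: one way to run the check the replies ask for, sorting the source addresses from the VNC failure events into loopback, internal and external, and looking each one up in the perimeter firewall log around the same time. It assumes both logs have already been parsed into tuples; the function names, the 30-second window and all sample entries are constructed for illustration.

```python
import ipaddress
from datetime import datetime, timedelta

# Assumption: "internal" means the RFC 1918 private ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify(ip):
    """Return 'loopback', 'internal' or 'external' for a source address."""
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback:
        return "loopback"
    if any(addr in net for net in RFC1918):
        return "internal"
    return "external"

def triage(vnc_failures, fw_log, window=timedelta(seconds=30)):
    """Pair each VNC failure with the firewall's action for the same source
    within `window`, or None if the firewall logged nothing for it."""
    report = []
    for when, src in vnc_failures:
        action = next((act for f_when, f_src, act in fw_log
                       if f_src == src and abs(f_when - when) <= window), None)
        report.append((src, classify(src), action))
    return report

def at(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")

# Constructed sample data: (time, source IP) from the PC's event log,
# and (time, source IP, action) from the perimeter firewall log.
VNC_FAILURES = [
    (at("2024-01-10 03:12:05"), "203.0.113.45"),
    (at("2024-01-10 03:12:20"), "198.51.100.7"),
    (at("2024-01-10 03:12:40"), "192.168.1.57"),
    (at("2024-01-10 03:13:02"), "127.0.0.1"),
]
FW_LOG = [
    (at("2024-01-10 03:12:04"), "203.0.113.45", "ALLOW"),
    (at("2024-01-10 03:40:00"), "198.51.100.7", "DROP"),
]

if __name__ == "__main__":
    for src, origin, action in triage(VNC_FAILURES, FW_LOG):
        print(f"{src:15} {origin:9} firewall={action}")
```

An external source with a matching ALLOW means a firewall rule is passing the traffic; an external or internal source with no firewall entry means the connection reached the PC without that firewall logging it, and a loopback source points at something on the machine itself.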