Reply to topic  [ 18 posts ]  Go to page 1, 2  Next
Hackers are quick! 
Has a life

Joined: Wed Sep 09, 2009 11:36 am
Posts: 98
I took over IT for a small company as a new client, and opened up RealVNC on the XP Pro box that serves as the, well, server.
What I didn't realize was that the previous IT guy had opened up the VNC port (5900) on the ADSL Router, so it was in fact open to the public!
I did this to show someone else on the LAN how to do things remotely without using Remote Desktop. (Thinking the whole LAN was nicely NATed away from harm.)

What scared the crap out of me was that about 10 mins after opening RealVNC in user mode on the XP pro box, I wandered back into the room, to see the mouse sprite moving on the screen.
Avast AV had already been switched off, and whoever it was had already run something on the machine and was having a look through the folders in Windows Explorer. I instantly tried to turn off the VNC Server and had a panicky war of the mouse cursor as I tried to move it towards Yes while the hacker tried to stop me. I was about to pull the LAN cable out when I tried Ctrl-Alt-Del to kill it with Task Manager, and that seemed to kick him out, so I closed the VNC server.

But my point is this - in less than 10 mins the hacker had detected that the previously open port 5900 on the router, which had been pointing to nothing, was now accepting connections in the form of VNC Server, and he'd hacked the password - which is my usual for VNC - type random characters - in this case it was DKfif95$()%($IFJdjndjkjd943.

I know VNC isn't safe and would never leave a box open like that, but is it normal for someone to be able to hack it so quickly?
He'd run a couple of progs, but some AV scans and some command prompt work with a nastily attrib-hidden folder within C:\Recycler got rid of it.
His prog (a complicated batch file) added loads of things to the firewall exception list, and a few other things.
But it made my blood run cold when I thought about how quickly he got in. Obviously I closed the port on the router and cleaned up the firewall, but Christ, I had a bit of an adrenaline rush....

Any thoughts?
Diz.

_________________
When I see religious people arguing about religion all I see is deluded people arguing about whose imaginary friend is better.


Mon Apr 19, 2010 10:17 pm
Spends far too much time on here

Joined: Thu Apr 23, 2009 9:40 pm
Posts: 4876
Location: Newcastle
DizietSma wrote:
Any thoughts?
Diz.


You didn't take the machine offline first; how do you know you didn't miss anything from when they had previously had access to the machine?

_________________
Twitter
Charlie Brooker:
Macs are glorified Fisher-Price activity centres for adults; computers for scaredy cats too nervous to learn how proper computers work; computers for people who earnestly believe in feng shui.


Mon Apr 19, 2010 11:51 pm
Has a life

Joined: Wed Sep 09, 2009 11:36 am
Posts: 98
Well, no, that's rather the point as well.
He didn't have enough time to copy anything, but as you say I don't know exactly what he did.
Quick and then Intensive Virus scans deleted a few files (Avast AV scanner).
Spybot S&D then highlighted some firewall issues I dealt with.
Nothing else shows up as dodgy.

Kind of worrying though.



Tue Apr 20, 2010 6:52 am
Spends far too much time on here

Joined: Thu Apr 23, 2009 6:44 pm
Posts: 4141
Location: Exeter
I must confess, if I were in your shoes with a guy that was clearly that good, I'd be wanting more certainty than just Avast / Spybot saying everything was clean. Like reinstallation certainty.

What sort of level of log files have you got for the machine?

_________________
"The woman is a riddle inside a mystery wrapped in an enigma I've had sex with."


Tue Apr 20, 2010 7:01 am
I haven't seen my friends in so long

Joined: Thu Apr 23, 2009 6:36 pm
Posts: 5150
Location: /dev/tty0
Currently your machine is in an unknown state (can you be 100% sure that everything is back the way it was before this guy broke in?).
You need to get your machine back into a known state, either through reinstallation or by going back to one of your backups.

I wonder what the chances were that you were targeted, as opposed to just being stumbled upon...


Tue Apr 20, 2010 8:16 am
Has a life

Joined: Wed Sep 09, 2009 11:36 am
Posts: 98
Well I see your points, and they're well made.
I think it was a stumble upon, rather than a target, although maybe that's because I'd rather it was that way.....?
The company is an independent agency that deals with various maritime claims for several insurers.
The chances that someone would mount an attack based upon the chance that someone might run VNC server on a machine that happened to coincide with a router port left open by a previous IT guy would seem too small to quantify. I hope!

I will run some more AV scans from different manufacturers, but all of the files copied to the machine are deleted (from C:\Recycle\64565468468456487845454654545\ etc etc). I am of course aware that this is meaningless since there could be a time based program out there to recreate all of this and more later on.

Trouble is, there are no backups for this box other than data. It would be a complete reinstall, which would be problematic given that they're a new client.
The files the guy put on were a warez fileshare irc-type affair, which I guess was just designed to work as a zombie file repository and p2p client.
It's an XP Pro SP3 box running a file share for 6 people - if anything else crops up I will know, since I'm keeping a close eye on it (insofar as I can when not actually there.....).

I just thought it worth sharing that the speed and success (though short-lived) of the attack was breathtaking.

D



Tue Apr 20, 2010 11:39 am
Spends far too much time on here

Joined: Thu Apr 23, 2009 9:40 pm
Posts: 4876
Location: Newcastle
DizietSma wrote:
He didn't have enough time to copy anything, but as you say I don't know exactly what he did.


But you don't know that; you don't know how long the hacker has had access to the machine. For all you know it could be weeks, as you have just taken ownership, as you said.



Wed Apr 21, 2010 1:24 pm
Has a life

Joined: Fri Apr 09, 2010 9:18 pm
Posts: 17
If they are a new client, I think open and honest discussion is all you can give.

I would definitely back up the application and restore it on to a fresh install or secondary machine.

Ripley in Aliens: I say we take off and nuke the site from orbit. It's the only way to be sure.


Wed Apr 21, 2010 3:23 pm
Doesn't have much of a life

Joined: Wed Aug 19, 2009 1:45 pm
Posts: 994
opensvr wrote:
If they are a new client, I think open and honest discussion is all you can give.

I would definitely back up the application and restore it on to a fresh install or secondary machine.

Ripley in Aliens: I say we take off and nuke the site from orbit. It's the only way to be sure.


Well done sir for getting that quote in!

I would rebuild too. I would rather go through the hassle than go on never knowing if it's still my (or your clients') machine.


Thu Apr 22, 2010 10:38 pm
Has a life

Joined: Wed Sep 09, 2009 11:36 am
Posts: 98
I think I shall probably try and persuade them to let me reinstall it.
I think one of you may have misunderstood - the router port has been open for God knows how long, but I switched on VNC Server and went away for about 10 mins.
That was rather the point of my post - in that time, a hacker was able to detect, target, crack, and hack, and if I'd gone away for longer, who knows what....

Thanks for your replies.

Diz.



Last edited by DizietSma on Sat Apr 24, 2010 7:13 am, edited 1 time in total.



Fri Apr 23, 2010 10:31 pm
Spends far too much time on here

Joined: Thu Apr 23, 2009 9:40 pm
Posts: 4876
Location: Newcastle
DizietSma wrote:
I think I shall probably try and persuade them to let me reinstall it.
I think one of you may have misunderstood - the router port has been open for God knows how long, but I switched on VNC Server and went away for about 10 mins.
That was rather the point of my post - in that time, a hacker was able to detect, target, crack, and hack, and if I'd gone away for longer, who knows what....


I don't think I'm missing the point, but you seem unable to answer the question....
How do you know a hacker didn't have their own connection, and that the only reason you recognised them as on was that your connection kicked them off? You don't know what the hacker has done, or what machines on the network they have access to because of the exposed port, and you only know of one hacker because of noticing the machine after leaving it unattended (another security no-no).

You know you have a compromised machine; the only action is a clean install, tbh. A restored image may itself be compromised, and relying on it is like building a house on sand.



Fri Apr 23, 2010 11:31 pm
I haven't seen my friends in so long

Joined: Thu Apr 23, 2009 6:58 pm
Posts: 8767
Location: behind the sofa
opensvr wrote:
I say we take off and nuke the site from orbit. It's the only way to be sure.

That's the only logical option. It's unanimous.

Of course, your problem is the political one of selling the work to the customer. Since you state "the previous IT guy had opened up the VNC port (5900) on the ADSL Router" I think your arse is safe. You are simply cleaning up after a security risk created by the previous IT guy.

_________________
jonbwfc's law: "In any forum thread someone will, no matter what the subject, mention Firefly."

When you're feeling too silly for x404, youRwired.net


Sat Apr 24, 2010 12:44 am
Has a life

Joined: Wed Sep 09, 2009 11:36 am
Posts: 98
I'd concur the only safe route is doing a reinstall.
And yeah, I've no way of knowing that the hacker hadn't been in for ages since the port was open.

However, VNC wasn't run as a matter of course; it hadn't been installed as a service, it was only run when the last guy called the office and asked someone to turn it on.
Also working in my favour is that Avast had been working fine, was updating, and when I first checked the machine it was ok.
The hacker's first action was to disable it, and then install his stuff.
Once I'd kicked him out, Avast's re-enabling instantly detected the relevant virus programs and deleted them, which would seem to suggest to me that things hadn't been running in the background prior to that, at least of that variant of virus, since Avast knew how to deal with it.

I think as you say I shall have to do a full re-install. Bloody annoying though.
I wonder how the guy cracked such a long password so quickly. Surely brute force would have taken a while at least?
Or is VNC crackable that easily?

Diz.



Sat Apr 24, 2010 7:27 am
Has a life

Joined: Fri Apr 09, 2010 9:18 pm
Posts: 17
It seems that the hacker had compromised this machine previously - and was most likely polling the external IP every minute.

Especially since you say the previous guy used to get it switched on - probably left it on one night and got hacked.

Still, the quicker you act the more professional it comes across; you do not want to be saying in a month or two, "yeah, we should have reinstalled it." Simply tell them it is in their best interest and that you would recommend such action. If it then comes back to bite you, you are covered.


Sat Apr 24, 2010 8:20 am
I haven't seen my friends in so long

Joined: Fri May 15, 2009 3:16 am
Posts: 6146
Location: Middle Earth
Under what circumstances did the previous IT guy leave?

_________________
Dive like a fish, drink like a fish!

><(((º>`•.¸¸.•´¯`•.¸><(((º>
•.¸¸.•´¯`•.¸><(((º>`•.¸¸.•´¯`•.¸><(((º>

If one is diving so close to the limits that +/- 1% will make a difference then the error has already been made.


Sat Apr 24, 2010 11:51 am