Update: UltraVNC 1.4.3.6 and UltraVNC SC 1.4.3.6: viewtopic.php?t=37885
Important: Please update to latest version before to create a reply, a topic or an issue: viewtopic.php?t=37864

Join us on social networks and share our announcements:
- Website: https://uvnc.com/
- GitHub: https://github.com/ultravnc
- Mastodon: https://mastodon.social/@ultravnc
- Facebook: https://www.facebook.com/ultravnc1
- X/Twitter: https://twitter.com/ultravnc1
- Reddit community: https://www.reddit.com/r/ultravnc
- OpenHub: https://openhub.net/p/ultravnc

Probable attack on VNC server

Post Reply
Mathius
Posts: 2
Joined: 2021-06-13 12:40

Probable attack on VNC server

Post by Mathius »

Hello everyone. I'm sorry if this is a book. I'm trying to provide as much information as possible:

I'm not new to VNC, I've been using it for probably close to a decade, but I'm not super tech savy when it comes to networking issues. Recently I put together a second PC to use as a game server. This required me to publish my public IP so that people could connect to the server. I don't have a second monitor hooked up to the server so I had been using VNC to connect to it. As I said, I've been using VNC for years, I generally use it to make modifications to my raspberrypi linux box as well.

I was afk, watching a movie, when I heard my VNC connection prompt go off on my desktop PC that someone was trying to connect to my PC. But instead of a single chime, I got a ton of chimes at the same time. I had the VNC window open to my server PC as well and that PC was also getting hit with multiple VNC login attempts. The IP addresses were multiple and they just kept hitting over and over again.

Now maybe this is ignorance on my part, but I generally have my VNC connection passworded, but set to accept connections after 10 seconds as the default. I don't know how it would be useful as a remote desktop if I had to physically go over and hit accept when I want to log in remotely, particularly if I'm outside the home network.

The first thing I tried to do was toggle my VPN hoping it might change my IP, but that turned out to be useless. Then, after trying to fight the tide of "reject reject reject" button clicking, I shut down the server and then unplugged my router. It seems obvious to me that someone is trying to brute force their way into my system and since I have been using this program for a long time I can only assume the difference is that now my public IP is published on a game server site. I really don't know how I can avoid this now since they have my IP. But more on that in a bit...

After I calmed down, I unplugged the internet cable from the router, booted the router back up, and restarted the server PC. Then I (rashly) uninstalled VNC on both computers and reconnected the internet. I attempted to setup Windows Remote Desktop to just be able to connect on LAN, but I couldn't seem to get that to work. Then it occurred to me that if I just go into my router settings and disable my port forwarding for VNC, I should be able to connect on my local network still, but not have outside connections. Of course this is less convenient, but fixes my security issue.

I installed VNC viewer only on my desktop and reinstalled the full VNC with server on my server PC. I started it up and low and behold I could connect. The problem is now when I VNC into my server, certain programs show as a blank white box, including the software I use to maintain the game server. I do not have an extra monitor on the server PC (I have one coming Thurs. I just bought on Amazon). When I need to hook a display up, I have to carry my 43" HD TV into the room with the server PC temporarily.

You see the thing is, I have a buddy who is a programmer who often helps me set these things up. I've done a lot of playing around with the VNC settings and I cannot make anything work through dumb trial and error. Playing with the display settings has only amounted in the blank white windows turning into a blank black window.

A search didn't turn up much except to turn on something involving semi-transparent windows (an option I can't find that may have existed in earlier versions of VNC?). I have also found that this is a very common issue regarding hookup up a monitor using HDMI and then disconnecting it. The server then thinks the monitor is disconnected and doesn't render programs it would have before. The thing is, it was working before my little attack.

I tried turning port forwarding on for just a second to see if it worked with port forwarding on, but I was immediately attacked with more VNC login attempts the moment I turned port forwarding back on.

So in conclusion I have 2 issues:

1. Constant login attempts (an attack?)
2. I can't view all software remotely

If someone could help me figure out where to go from here, I'd be super grateful.

I'm running Windows 10 home version on the desktop PC, and Windows 10 pro on the server PC. I have Ultra VNC version 1.3.2a on the server PC. This link should show you my VNC settings: https://live.staticflickr.com/65535/512 ... 16b2_b.jpg

Thank you for your time.
User avatar
Rudi De Vos
Admin & Developer
Admin & Developer
Posts: 6832
Joined: 2004-04-23 10:21
Contact:

Re: Probable attack on VNC server

Post by Rudi De Vos »

1) Use or forward another port. 5900 is a known port but you can use anything you want.
2) Use encryption, a must when connected to the net
Using enncryption you can set long passwords, make brute force hacking useless.

Latest version can install a virtual display driver. Even when no monitor is connected it simulate one.
Mathius
Posts: 2
Joined: 2021-06-13 12:40

Re: Probable attack on VNC server

Post by Mathius »

Rudi De Vos wrote:1) Use or forward another port. 5900 is a known port but you can use anything you want.
According to my aforementioned buddy who is a programmer that literally wrote and maintains networking and shipping software for a global shipping company, there's nothing to stop them from doing a port scan.
Rudi De Vos wrote:2) Use encryption, a must when connected to the net
Using enncryption you can set long passwords, make brute force hacking useless.
I mean yeah, it will keep them from getting in, I suppose, but it doesn't stop the 50 pops I received in a minute from them trying to log in.
Rudi De Vos wrote:Latest version can install a virtual display driver. Even when no monitor is connected it simulate one.
I was under the impression I had the latest version? Does the software not self update like everything else now days? Regardless, I solved that problem by connecting my tv with a vga cable and when I unplugged it everything was working fine again.

Also, I can't read these stupid confirmation codes. I can't use this board. Thanks for trying.
User avatar
Rudi De Vos
Admin & Developer
Admin & Developer
Posts: 6832
Joined: 2004-04-23 10:21
Contact:

Re: Probable attack on VNC server

Post by Rudi De Vos »

Another port:
It doesn't gonna stop them, but a lot of them just scan known ports.
scanning 65000 ports isn't productive.
Try it , something like 23561 and you possible only get a few every minute or hour.

Virtual displays is something you need to configure in the settings.
https://www.uvnc.com/docs/documentation ... plays.html
Post Reply