Hacker accessed VNC service behind NAT?? - Connectivity


Thread: Hacker accessed VNC service behind NAT??

  1. Hacker accessed VNC service behind NAT??

    Sorry I'm new here, not sure this is the right newsgroup to post to -
    I have a question that is about routers, security, and connectivity
    all rolled into one.

    Yesterday while I was working on my desktop all of a sudden a session
    kicked in on my VNC server - my desktop background image disappeared
    and the RealVNC system tray icon turned black to indicate a session in
    progress. Within a couple of seconds, something hit my start menu, run
    dialog, "cmd", and typed "TFT" in the new command prompt window. At
    this point I panicked and shutdown the VNC service ASAP.

    This post is not actually about the VNC problem, I found out today
    that the version I used had a known security flaw that allowed
    bypassing the password prompt. That is clearly what happened there,
    and could be easily fixed with upgrading to the newest version.

    My question is how the attacker got to my VNC port!

    Here's all the background I can muster:

    - I am running an ADSL router, "Xavi" brand, "7028r" model, and it
    seems to run a "GlobespanVirata" chipset. This was provided to me by
    my previous ADSL provider, Telefonica Spain.
    - I have a standard NAT lan, with a variety of devices connecting to
    the internet through the router.
    - I have certain very specific ports forwarded to my desktop for
    remote access, peer-to-peer connectivity, etc.
    - I am NOT forwarding either of the VNC ports (standard ports 5900
    and 5800), so to my limited knowledge the VNC service should not be
    accessible from the internet. I have of course tested this, and found
    that to be correct. The VNC service is not publicly accessible.
    - I do not have the firewall enabled on the router, because I assumed
    the NAT basically made it safe. I tried enabling the router firewall
    today but it also seems to block the services that I need to be able
    to access from the internet (eg HTTP, I run a small webserver), so
    that does not work for me.
    - I WAS running uTorrent at the time of the attack (and had been for
    a few hours)
    - I did get the IP address of the attacker from my VNC log, it was
    "85.239.126.86", an address in Germany. I have not looked for or found
    any further information. I guess I could try a port scan but I assume
    it's a zombie computer so what's the point.

    Now my understanding is that "85.239.126.86" being an internet
    address, for the VNC session to work that address would need to be
    routable - the only way that that address could be routed on my
    network is through the ADSL router / gateway (I think). In theory I
    guess there could have been some sort of local tunnel set up, but I
    assume that would have required a virtual network adapter to have been
    set up on my computer? (I saw nothing like that, and virus and spyware
    scans have come up clean).

    If it was routed through my router, how could the attacker have
    convinced the router to initiate the communication to my internal port
    5900 on that particular machine??? The safety of a NAT, as I
    understand it, is that remote hosts cannot access an internal address
    unless there is explicit port forwarding enabled, or the session is
    initiated by a host behind the NAT, is that not correct?

    I guess I'm only coming to the real point of my post now - assuming
    that I'm on the right track, and that this communication on port 5900
    was happily handled by my router, could it have been initiated by
    another program on my desktop, specifically the uTorrent client? I've
    been logging sessions on my router since this morning, and I see that
    client connections are opened by the uTorrent client (very frequently,
    thousands per hour) with random local port numbers, that slowly seem
    to increase / cycle. It is possible that the uTorrent client made a
    client connection using local port number 5900 (which was also being
    used by the VNC server), and the computer/remote host that the
    uTorrent client was connecting to took advantage of this situation to
    test / probe / attack the VNC server on that port?

    I guess the questions are:
    - is it possible for a client TCP connection to be initiated by a
    local "client" program from a port that is already being used by a
    "server" program, like VNC server?
    - what are the chances, statistically speaking, that this would
    happen? Would it be worth a hacker's time to set up servers as
    bittorrent participants / seeds in the hopes that some client computer
    makes a connection using a special port (eg VNC), which could then
    allow the computer's VNC server to be probed / tested for the known
    VNC vulnerability? It's the only explanation that I can think of, but
    I just can't see how it would be worth a hacker's time!

    Final blurb: I set up a syslog server on my desktop and have been
    logging all incoming and outgoing sessions from my router (generating
    a nasty amount of log data, but I'll put up with it). This way I'll be
    able to see how the session gets set up, if I ever become aware of
    another similar situation. I will upgrade my VNC server of course, so
    the attack would need to use another vector. My concern of course is
    that I may NOT be aware of it next time. My desktop is not hardened as
    a public server with all ports exposed - I'm very much counting on the
    fact that only specific selected ports should be accessible from
    outside. In theory, if any port on the desktop can be exposed, then my
    windows filesharing setup is just one of the things that would be
    vulnerable to brute-force attack. Is there anything else I can do to
    investigate this or help prevent future issues? Does anyone have any
    experience with the Xavi router or GlobespanVirata chipset that could
    help me get it set up to prevent this from happening again? For now I
    will probably install a local firewall on the desktop allowing only
    the servers I need to work, but that of course makes all sorts of
    things more complicated - file and printer sharing, VPN client
    software setup, HTTP proxy setup, etc etc. I just wish I could feel
    safe in my own network again!

    Sorry about the monster first post, I would appreciate any and all
    feedback.

    Thanks,
    Tao
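The first of the questions above, whether a client program can open a connection from a local port that a server is already listening on, can be checked directly on the desktop. The following is an added example, not code from the thread: it starts a listener on a loopback port the OS picks, then tries to bind a second socket (the would-be "client") to that same port with no SO_REUSEADDR/SO_REUSEPORT set on either side, which is the situation a BitTorrent client and a VNC server that know nothing of each other would be in.

```python
import errno
import socket


def try_client_bind_on_listening_port(host: str = "127.0.0.1") -> dict:
    """Start a listener on an OS-chosen loopback port, then try to bind a
    second socket to that same local port, which is what the
    uTorrent-on-5900 theory would require.

    Returns the port, the errno raised by the second bind (0 if it went
    through) and whether the OS refused the collision with EADDRINUSE.
    Neither socket sets SO_REUSEADDR or SO_REUSEPORT, matching two
    unrelated programs on the same machine.
    """
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        server.bind((host, 0))            # port 0: let the OS pick a free port
        server.listen(1)
        port = server.getsockname()[1]
        try:
            client.bind((host, port))     # ask for the listener's port explicitly
            bind_errno = 0
        except OSError as exc:
            bind_errno = exc.errno
    finally:
        client.close()
        server.close()
    return {
        "port": port,
        "bind_errno": bind_errno,
        "refused": bind_errno == errno.EADDRINUSE,
    }


if __name__ == "__main__":
    # Expected on Linux/BSD/Windows alike: the second bind fails with
    # "address already in use", so a client cannot accidentally reuse
    # the VNC server's port.
    print(try_client_bind_on_listening_port())
```

A client socket that does not bind explicitly gets an ephemeral port from the OS, which likewise never hands out a port that is already bound, so the port-sharing theory does not hold on the host side; the NAT helper discussion later in the thread is the more productive line.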


  2. Re: Hacker accessed VNC service behind NAT??

    Maniaque wrote:
    > - I am NOT forwarding either of the VNC ports (standard ports 5900
    > and 5800), so to my limited knowledge the VNC service should not be
    > accessible from the internet. I have of course tested this, and found
    > that to be correct. The VNC service is not publicly accessible.


    Not by means of connecting directly, that is correct. However, the
    attacker could still have misused NAT helper programs on your router
    (like a NAT helper for active FTP) to get the router to forward the VNC
    ports.

    > - I do not have the firewall enabled on the router, because I assumed
    > the NAT basically made it safe.


    That is plain wrong.
    NAT is not intended to be a security technique, but instead to provide
    connectivity to multiple devices using a single public IP. Has your PC
    been the only device running at this time? Then maybe your router simply
    forwarded every packet that arrived to your PC, or the NAT helpers may
    have been abused.
    NAT does not improve security, that's what you use the firewall/packet
    filter for.

    > I tried enabling the router firewall
    > today but it also seems to block the services that I need to be able
    > to access from the internet (eg HTTP, I run a small webserver), so
    > that does not work for me.


    Then it is misconfigured. You need to enable access to these specific
    ports, and then tell the NAT part of your router to forward these ports
    to your host PC. That way, the services you want to provide will be
    reachable - and nothing else.

    Michael

  3. Re: Hacker accessed VNC service behind NAT??

    On Oct 11, 12:23 pm, Michael Ziegler wrote:
    > Maniaque wrote:
    > > - I am NOT forwarding either of the VNC ports (standard ports 5900
    > > and 5800), so to my limited knowledge the VNC service should not be
    > > accessible from the internet. I have of course tested this, and found
    > > that to be correct. The VNC service is not publicly accessible.

    >
    > Not by means of connecting directly, that is correct. However, the
    > attacker could still have misused NAT helper programs on your router
    > (like a NAT helper for active FTP) to get the router to forward the VNC
    > ports.
    >


    Ok, that rings a bell. So something like:
    - I request a web page or some other arbitrary TCP connection on some
    hostile server, maybe as part of a BitTorrent download
    - The hostile server responds with something that looks like an FTP
    response saying "Open port 5900 so that I can send you the FTP data"
    - the router happily opens the requested port to that machine, and
    all hell breaks loose

    If this is correct, is there any way to see what "NAT Helpers" a NAT
    router may have? Are there standard security scans for this? I ask
    because I plan to put another home router/firewall device (WRT54G)
    between me and the existing router (with the firewall functions
    enabled this time!), but I'd like to be able to check after I'm done
    that this sort of thing is no longer possible.



    > > - I do not have the firewall enabled on the router, because I assumed
    > > the NAT basically made it safe.

    >
    > That is plain wrong.
    > NAT is not intended to be a security technique, but instead to provide
    > connectivity to multiple devices using a single public IP. Has your PC
    > been the only device running at this time? Then maybe your router simply
    > forwarded every packet that arrived to your PC, or the NAT helpers may
    > have been abused.
    > NAT does not improve security, that's what you use the firewall/packet
    > filter for.
    >


    No, I have several devices, no "default server" set up on the NAT, and
    only specific intended services forwarded to one server. But I am
    planning on adding the other router, like I said, so that I can enable
    the firewall function without losing the forwarding ability.

    > > I tried enabling the router firewall
    > > today but it also seems to block the services that I need to be able
    > > to access from the internet (eg HTTP, I run a small webserver), so
    > > that does not work for me.

    >
    > Then it is misconfigured. You need to enable access to these specific
    > ports, and then tell the NAT part of your router to forward these ports
    > to your host PC. That way, the services you want to provide will be
    > reachable - and nothing else.
    >


    Yep, I can do that with the WRT54G device in-between, and I guess
    that's what I'll do.

    Thanks very much!
    Tao



  4. Re: Hacker accessed VNC service behind NAT??

    Maniaque wrote:
    > - I request a web page or some other arbitrary TCP connection on some
    > hostile server, maybe as part of a BitTorrent download
    > - The hostile server responds with something that looks like an FTP
    > response saying "Open port 5900 so that I can send you the FTP data"
    > - the router happily opens the requested port to that machine, and
    > all hell breaks loose


    In fact, I'm not sure exactly how this works, as I'm currently learning
    about this stuff myself. According to my understanding, somehow the
    router is led to believe that the attacker is trying to do active FTP,
    and opening an FTP data channel.

    > If this is correct, is there any way to see what "NAT Helpers" a NAT
    > router may have?


    That would very much depend on your router. I'm not familiar with it, so
    I don't know

    > Are there standard security scans for this? I ask
    > because I plan to put another home router/firewall device (WRT54G)
    > between me and the existing router (with the firewall functions
    > enabled this time!), but I'd like to be able to check after I'm done
    > that this sort of thing is no longer possible.


    The only one I know of is here:


    > But I am
    > planning on adding the other router, like I said, so that I can enable
    > the firewall function without losing the forwarding ability.


    It is in fact very strange that the firewall blocks forwarded ports and
    you're not able to switch that off any other way than disabling the
    firewall altogether, because then the manufacturer wouldn't have cared
    at all about security - are you sure you haven't missed anything?


    Michael
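The mechanism Michael describes, a router's FTP helper being led to open a data-channel pinhole, turns on one line of the FTP control connection: the RFC 959 PORT command, which carries an address and a port as six comma-separated numbers. The example below is added here and is not code from the thread or from any router firmware; it parses PORT commands and applies the checks a hardened helper (or the FTP server behind it) should apply before acting on one. The first check is the one whose rejection message appears later in the thread as "500 Go away (PORT IP mismatch)". The PROTECTED_PORTS set, the function names and the transcript are constructed for the example.

```python
import re
from typing import List, Optional, Tuple

# Local service ports a helper should never be talked into pinholing.
# Constructed policy for this example: 5800/5900 are the VNC ports and
# 135/137/139/445/3389 the Windows sharing and RDP ports the thread worries about.
PROTECTED_PORTS = {135, 137, 139, 445, 3389, 5800, 5900}

PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$",
    re.IGNORECASE,
)


def parse_port_command(line: str) -> Optional[Tuple[str, int]]:
    """RFC 959 'PORT h1,h2,h3,h4,p1,p2' -> (ip, port); None if malformed."""
    m = PORT_RE.match(line.strip())
    if m is None:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    return ".".join(map(str, fields[:4])), fields[4] * 256 + fields[5]


def judge_port_command(line: str, control_src_ip: str) -> Tuple[str, str]:
    """Policy applied before a PORT command is honoured.

    1. The address in PORT must be the address the control connection came
       from (the 'PORT IP mismatch' rule).
    2. No privileged ports.
    3. No ports on which a protected local service listens.
    """
    parsed = parse_port_command(line)
    if parsed is None:
        return "reject", "malformed PORT command"
    ip, port = parsed
    if ip != control_src_ip:
        return "reject", f"PORT IP mismatch ({ip} != {control_src_ip})"
    if port < 1024:
        return "reject", f"privileged port {port}"
    if port in PROTECTED_PORTS:
        return "reject", f"port {port} is a protected local service"
    return "accept", f"data connection to {ip}:{port}"


def audit_control_channel(lines: List[str], control_src_ip: str):
    """Run every PORT command in a control-channel transcript through the
    policy; other commands are not data-channel requests and are skipped."""
    return [(line, judge_port_command(line, control_src_ip))
            for line in lines if line.upper().startswith("PORT")]


# Constructed transcript of what a helper would see on a control
# connection from 192.168.2.11, the internal address used in the thread.
SAMPLE_TRANSCRIPT = [
    "USER anonymous",
    "PASS guest@",
    "PORT 192,168,2,11,200,0",   # 200*256+0 = 51200: an ordinary data port
    "PORT 192,168,2,11,23,12",   # 23*256+12 = 5900: the VNC port
    "PORT 10,5,0,197,200,1",     # address is not the client's own
    "PORT 192,168,2,11,0,80",    # 80: privileged
    "QUIT",
]

if __name__ == "__main__":
    for line, (verdict, reason) in audit_control_channel(SAMPLE_TRANSCRIPT, "192.168.2.11"):
        print(f"{line:28s} {verdict:7s} {reason}")
```

Note what the address check does and does not buy: it stops a spoofed address, but a program running on the inside host passes it, since the address it names really is its own. That is why the protected-port rule belongs in the helper too, and why the thread's eventual answer (a firewall in front, and a firmware in which the helper can be switched off) is the more complete fix.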

  5. Re: Hacker accessed VNC service behind NAT??

    On Oct 11, 1:42 pm, Michael Ziegler wrote:

    > > Are there standard security scans for this? I ask
    > > because I plan to put another home router/firewall device (WRT54G)
    > > between me and the existing router (with the firewall functions
    > > enabled this time!), but I'd like to be able to check after I'm done
    > > that this sort of thing is no longer possible.

    >
    > The only one I know of is here:
    >
    >


    OK, now I'm REALLY interested:

    --
    Checking FTP-NAT for Router
    Int.IP to check is 192.168.2.11,mine is 192.168.2.11
    Port: 22 Result: 300 Port closed.
    Port: 80 Result: 200 Port open. [Tao note: Intentional]
    Port: 111 Result: 300 Port closed.
    Port: 135 Result: 300 Port filtered.
    Port: 137 Result: 300 Port filtered.
    Port: 139 Result: 300 Port filtered.
    Port: 445 Result: 300 Port filtered.
    Port: 1900 Result: 300 Port closed.
    Port: 3000 Result: 300 Port closed.
    Port: 3389 Result: 300 Port closed.
    Port: 5000 Result: IO error in Socket()
    Port: 5800 Result: 200 Port open.
    Port: 5801 Result: 300 Port closed.
    Port: 5802 Result: 300 Port closed.
    Port: 5900 Result: 200 Port open.
    Port: 5901 Result: 300 Port closed.
    Port: 5902 Result: 300 Port closed.
    Port: 6000 Result: 300 Port closed.
    Port: 47115 Result: 300 Port closed.


    5800 and 5900 are NOT supposed to be open. They are the VNC ports.
    This is exactly the flaw that I was looking for. I have entered my
    router name so that they can add it to their list of "known
    problematic" implementations.

    Still, this test relies on the "Apparent FTP connection" that they
    initiate in the applet - I guess I still need to have something nasty
    on my machine that initiated a communication that looked like an FTP
    session... Either that or they were able to pull the trick off with
    the BitTorrent client like I proposed above? I feel I'm getting
    closer, but still not all there.

    Thanks so much for the link!
    Tao




  6. Re: Hacker accessed VNC service behind NAT??


    > Still, this test relies on the "Apparent FTP connection" that they
    > initiate in the applet - I guess I still need to have something nasty
    > on my machine that initiated a communication that looked like an FTP
    > session... Either that or they were able to pull the trick off with
    > the BitTorrent client like I proposed above? I feel I'm getting
    > closer, but still not all there.
    >


    Duh. This trick can obviously be pulled off by absolutely any page
    that contains a Java applet!!!

    That day I was in fact browsing on a couple of pretty shady sites (I'm
    not sure how long I might have had one of these sites open, but I must
    have had one open in the background when or not long before the attack
    was initiated), and there we have it.

    Wow that feels good. I now have a bunch of suggestions (from cross
    posts linked below) for making my setup safe overall, AND I know
    exactly what happened this time around and can work to prevent it.

    Thanks again Michael, you've really made my day.
    Tao


  7. Re: Hacker accessed VNC service behind NAT??

    Sorry, forgot to link the cross posts - I am about to update these
    threads with the outcome:

    http://groups.google.com/group/comp....d0dfb68b85fccc
    http://groups.google.com/group/alt.c...3101dbc319cc28

    Tao


  8. Re: Hacker accessed VNC service behind NAT??

    Maniaque wrote:
    > --
    > Checking FTP-NAT for Router
    > Int.IP to check is 192.168.2.11,mine is 192.168.2.11
    > Port: 22 Result: 300 Port closed.
    > Port: 80 Result: 200 Port open. [Tao note: Intentional]
    > Port: 111 Result: 300 Port closed.
    > Port: 135 Result: 300 Port filtered.
    > Port: 137 Result: 300 Port filtered.
    > Port: 139 Result: 300 Port filtered.
    > Port: 445 Result: 300 Port filtered.
    > Port: 1900 Result: 300 Port closed.
    > Port: 3000 Result: 300 Port closed.
    > Port: 3389 Result: 300 Port closed.
    > Port: 5000 Result: IO error in Socket()
    > Port: 5800 Result: 200 Port open.
    > Port: 5801 Result: 300 Port closed.
    > Port: 5802 Result: 300 Port closed.
    > Port: 5900 Result: 200 Port open.
    > Port: 5901 Result: 300 Port closed.
    > Port: 5902 Result: 300 Port closed.
    > Port: 6000 Result: 300 Port closed.
    > Port: 47115 Result: 300 Port closed.


    When I run the test on my setup (Linux client, accessing the internet
    via a NAT on a linux machine), this is the result:

    | Checking FTP-NAT for Router ubuntu
    | Int.IP to check is 10.5.0.197,mine is 10.5.0.197
    | Port: 22 Result: 400 PORT Error (500 Go away (PORT IP mismatch).)
    | Port: 80 Result: 400 PORT Error (500 Go away (PORT IP mismatch).)
    | Port: 111 Result: 400 PORT Error (500 Go away (PORT IP mismatch).)
    | Port: 135 Result: 400 PORT Error (500 Go away (PORT IP mismatch).)
    | Port: 137 Result: 400 PORT Error (500 Go away (PORT IP mismatch).)
    | Port: 139 Result: 400 PORT Error (500 Go away (PORT IP mismatch).)
    | Port: 445 Result: 400 PORT Error (500 Go away (PORT IP mismatch).)
    | Port: 1900 Result: 400 PORT Error (500 Go away (PORT IP mismatch).)
    | Port: 3000 Result: 400 PORT Error (500 Go away (PORT IP mismatch).)
    | Port: 3389 Result: 400 PORT Error (500 Go away (PORT IP mismatch).)
    | Port: 5000 Result: 400 PORT Error (500 Go away (PORT IP mismatch).)
    | Port: 5800 Result: 400 PORT Error (500 Go away (PORT IP mismatch).)
    | Port: 5801 Result: 400 PORT Error (500 Go away (PORT IP mismatch).)
    | Port: 5802 Result: 400 PORT Error (500 Go away (PORT IP mismatch).)
    | Port: 5900 Result: 400 PORT Error (500 Go away (PORT IP mismatch).)
    | Port: 5901 Result: 400 PORT Error (500 Go away (PORT IP mismatch).)
    | Port: 5902 Result: 400 PORT Error (500 Go away (PORT IP mismatch).)
    | Port: 6000 Result: 400 PORT Error (500 Go away (PORT IP mismatch).)
    | Port: 47115 Result: 400 PORT Error (500 Go away (PORT IP mismatch).)


    Just in case you're interested

    Michael
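The two test reports in this thread (Tao's, with the 200/300 results, and this one, with the 400 results) read differently once the result codes are split by what the tester could do: a 200 or 300 means the PORT command was accepted with a public address substituted, so the tester reached the router and a pinhole had been opened (open, or closed/filtered on the inside host); a 400 means the tester saw the private address in PORT and refused, so no helper had touched the command. The parser below is an added example, not part of the thread or of the tester; it applies that reading to both reports. The function names and the "intentionally open" list are the example's own, and the embedded reports are copied from the posts above (Michael's abridged to a few lines, since every line is identical in form).

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

LINE_RE = re.compile(r"Port:\s*(\d+)\s+Result:\s*(.*?)\s*$")


@dataclass
class PortResult:
    port: int
    code: Optional[int]   # 200 / 300 / 400 from the tester; None for a socket error
    text: str


def parse_ftp_nat_report(report: str) -> List[PortResult]:
    """Parse the per-port lines of the FTP-NAT tester output as quoted in the
    thread. Leading quote markers ('> ', '| ') and a trailing [note] are
    stripped; header lines that carry no port result are ignored."""
    results = []
    for raw in report.splitlines():
        line = re.sub(r"^[\s>|]+", "", raw)
        line = re.sub(r"\s*\[.*?\]\s*$", "", line)      # drop "[Tao note: ...]"
        m = LINE_RE.search(line)
        if m is None:
            continue
        port, text = int(m.group(1)), m.group(2)
        code_m = re.match(r"(\d{3})\b", text)
        code = int(code_m.group(1)) if code_m else None
        results.append(PortResult(port, code, text))
    return results


def assess(results: List[PortResult], intentionally_open: Iterable[int] = ()) -> dict:
    """Reduce a report to what a defender needs: did the router's FTP helper
    act on the PORT command at all (any 2xx/3xx answer), which ports were
    reachable from outside, and which of those were never meant to be."""
    helper_acted = any(r.code in (200, 300) for r in results)
    reached = sorted(r.port for r in results if r.code == 200)
    expected = set(intentionally_open)
    return {
        "helper_acted": helper_acted,
        "open": reached,
        "unexpected_open": [p for p in reached if p not in expected],
        "errors": sorted(r.port for r in results if r.code is None),
    }


# Tao's report, copied from the thread (note in brackets included on purpose).
TAO_REPORT = """
Checking FTP-NAT for Router
Int.IP to check is 192.168.2.11,mine is 192.168.2.11
Port: 22 Result: 300 Port closed.
Port: 80 Result: 200 Port open. [Tao note: Intentional]
Port: 111 Result: 300 Port closed.
Port: 135 Result: 300 Port filtered.
Port: 137 Result: 300 Port filtered.
Port: 139 Result: 300 Port filtered.
Port: 445 Result: 300 Port filtered.
Port: 1900 Result: 300 Port closed.
Port: 3000 Result: 300 Port closed.
Port: 3389 Result: 300 Port closed.
Port: 5000 Result: IO error in Socket()
Port: 5800 Result: 200 Port open.
Port: 5801 Result: 300 Port closed.
Port: 5802 Result: 300 Port closed.
Port: 5900 Result: 200 Port open.
Port: 5901 Result: 300 Port closed.
Port: 5902 Result: 300 Port closed.
Port: 6000 Result: 300 Port closed.
Port: 47115 Result: 300 Port closed.
"""

# Michael's report (abridged), with the '| ' quoting it had in the post.
MICHAEL_REPORT = """
| Checking FTP-NAT for Router ubuntu
| Int.IP to check is 10.5.0.197,mine is 10.5.0.197
| Port: 22 Result: 400 PORT Error (500 Go away (PORT IP mismatch).)
| Port: 80 Result: 400 PORT Error (500 Go away (PORT IP mismatch).)
| Port: 5800 Result: 400 PORT Error (500 Go away (PORT IP mismatch).)
| Port: 5900 Result: 400 PORT Error (500 Go away (PORT IP mismatch).)
"""

if __name__ == "__main__":
    print("Tao:    ", assess(parse_ftp_nat_report(TAO_REPORT), intentionally_open={80}))
    print("Michael:", assess(parse_ftp_nat_report(MICHAEL_REPORT)))
```

For Tao's router the summary comes back with the helper active and 5800 and 5900 as unexpected open ports (80 is listed as intentional); for the Linux NAT it comes back with the helper inactive and nothing reachable. Port 5000, which the tester could not even open a socket for, is reported separately rather than silently dropped.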

  9. Re: Hacker accessed VNC service behind NAT??

    On Oct 11, 2:51 pm, Michael Ziegler wrote:

    > When I run the test on my setup (Linux client, accessing the internet
    > via a NAT on a linux machine), this is the result:
    >
    > | Checking FTP-NAT for Router ubuntu
    > | Int.IP to check is 10.5.0.197,mine is 10.5.0.197
    > | Port: 22 Result: 400 PORT Error (500 Go away (PORT IP mismatch).)
    > | Port: 80 Result: 400 PORT Error (500 Go away (PORT IP mismatch).)
    > | Port: 111 Result: 400 PORT Error (500 Go away (PORT IP mismatch).)
    > | Port: 135 Result: 400 PORT Error (500 Go away (PORT IP mismatch).)
    > | Port: 137 Result: 400 PORT Error (500 Go away (PORT IP mismatch).)
    > | Port: 139 Result: 400 PORT Error (500 Go away (PORT IP mismatch).)
    > | Port: 445 Result: 400 PORT Error (500 Go away (PORT IP mismatch).)
    > | Port: 1900 Result: 400 PORT Error (500 Go away (PORT IP mismatch).)
    > | Port: 3000 Result: 400 PORT Error (500 Go away (PORT IP mismatch).)
    > | Port: 3389 Result: 400 PORT Error (500 Go away (PORT IP mismatch).)
    > | Port: 5000 Result: 400 PORT Error (500 Go away (PORT IP mismatch).)
    > | Port: 5800 Result: 400 PORT Error (500 Go away (PORT IP mismatch).)
    > | Port: 5801 Result: 400 PORT Error (500 Go away (PORT IP mismatch).)
    > | Port: 5802 Result: 400 PORT Error (500 Go away (PORT IP mismatch).)
    > | Port: 5900 Result: 400 PORT Error (500 Go away (PORT IP mismatch).)
    > | Port: 5901 Result: 400 PORT Error (500 Go away (PORT IP mismatch).)
    > | Port: 5902 Result: 400 PORT Error (500 Go away (PORT IP mismatch).)
    > | Port: 6000 Result: 400 PORT Error (500 Go away (PORT IP mismatch).)
    > | Port: 47115 Result: 400 PORT Error (500 Go away (PORT IP mismatch).)
    >
    > Just in case you're interested
    >
    > Michael


    Hi,

    I found a pretty excellent firmware for my linksys WRT54G router,
    called Tomato 1.10, but just like all the other WRT54G firmwares out
    there it had the FTP NAT Helper turned on by default (compiled into
    the kernel). After I explained the problem to the author, he kindly
    made the FTP NAT Helper optional in the next version! As of version
    1.11 I now get the same response as you:

    Checking FTP-NAT for Router
    Int.IP to check is 192.168.2.11,mine is 192.168.2.11
    Port: 22 Result: 400 PORT Error (500 Go away (PORT IP mismatch).)
    Port: 80 Result: 400 PORT Error (500 Go away (PORT IP mismatch).)
    Port: 111 Result: 400 PORT Error (500 Go away (PORT IP mismatch).)
    ....etc...

    Thanks,
    Tao


