
vino beware

After an hour of security auditing, I have no explanation why my Gnome desktop suddenly had remote access (with control) enabled with a blank ("") password. Since vino-server does not log connection attempts (as far as I can tell, since there is no documentation), I have no way of knowing if anyone was successful in actually getting past the password: prompt. I noticed that vino-server was screen scraping my :0 display by some slightly higher CPU utilization graphs. Immediately inspecting "netstat -tnp" uncovered no active connections; however, given that the screen scraping state was active, I have to assume that someone actually tried to connect in the last 24 hours. Perhaps it was a simple port-scan that kicked it on. The attacker may have very well skipped my IP after getting a password prompt.

Part of my vulnerability is my fault: several months ago I forwarded VNC ports to collaborate with my father on a project on my Windows partition.

I can speculate about what might have happened. It's not the result of a recent upgrade gone awry: the last vino apt update was done Oct 29th. They say to never attribute to malice what can be explained by incompetence. It's entirely possible that some gconf-related action from some other application set the vino-server in this state--though that seems unlikely.

I am normally very cautious; however, I did recently install one package from an untrusted source. But I have no reason to suspect that that package was the vector for the gconf change. Another possibility would be that a package installed from one of the third-party Debian multimedia repos is to blame, but this is a long shot.

Anyway, you might want to double check your remote desktop settings. I do not have any explanation.
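For anyone who wants to act on that advice, here is an added audit script (not part of the original post, and not vino's own tooling). It reads the four GConf keys vino kept under /desktop/gnome/remote_access at the time (enabled, authentication_methods, vnc_password, prompt_enabled) with gconftool-2 and flags the state described above: remote control enabled with no real password, with authentication set to "none", or without the local confirmation prompt. The pure check is separated from the live lookup so it can be exercised with constructed values; the live audit is only run when VINO_AUDIT_LIVE=1 is set, which is an assumption of this script, not a vino setting.

```shell
#!/bin/sh
# Added example: audit vino remote-access settings from a defender's view.
# Not from the original post; key names are vino's GConf schema of that era.

# Pure check on four setting values. Prints a verdict and returns 0 when the
# configuration is acceptable, 1 when remote access is enabled in a risky way.
# Args: enabled ("true"/"false"), authentication_methods (e.g. "[vnc]"),
#       vnc_password (base64 string, possibly empty), prompt_enabled ("true"/"false").
assess_vino() {
    enabled="$1"; methods="$2"; password="$3"; prompt="$4"
    findings=""
    if [ "$enabled" != "true" ]; then
        echo "remote access disabled: ok"
        return 0
    fi
    # "[none]" means anyone who reaches the port gets the desktop, no password.
    case "$methods" in
        *none*) findings="$findings no-authentication;" ;;
    esac
    # An empty vnc_password is the blank ("") password from the post.
    if [ -z "$password" ]; then
        findings="$findings empty-vnc-password;"
    fi
    # Without the prompt, a connection is accepted with no local confirmation.
    if [ "$prompt" != "true" ]; then
        findings="$findings no-local-confirmation-prompt;"
    fi
    if [ -n "$findings" ]; then
        echo "RISKY: remote access enabled with:$findings"
        return 1
    fi
    echo "remote access enabled with password and prompt: confirm this is intended"
    return 0
}

# Live audit: read the values with gconftool-2 and list any VNC listener.
# vino-server listens on 5900+display even when no client is connected.
audit_live_vino() {
    if ! command -v gconftool-2 >/dev/null 2>&1; then
        echo "gconftool-2 not found; cannot read vino settings" >&2
        return 2
    fi
    base=/desktop/gnome/remote_access
    assess_vino "$(gconftool-2 --get $base/enabled 2>/dev/null)" \
                "$(gconftool-2 --get $base/authentication_methods 2>/dev/null)" \
                "$(gconftool-2 --get $base/vnc_password 2>/dev/null)" \
                "$(gconftool-2 --get $base/prompt_enabled 2>/dev/null)"
    rc=$?
    netstat -tln 2>/dev/null | grep -E ':59[0-9]{2} ' \
        || echo "no listener on tcp/5900-5999"
    return $rc
}

# Run the live audit only when explicitly requested (assumed variable name).
if [ "${VINO_AUDIT_LIVE:-0}" = 1 ]; then
    audit_live_vino
fi
```

Run it as `VINO_AUDIT_LIVE=1 sh vino_audit.sh` on the affected desktop; a non-zero exit from assess_vino is the condition the post describes, and a listener on 5900 with remote access supposedly disabled is worth investigating on its own. Because vino-server does not log attempts, a periodic run of this check (cron, or a login script) is the closest thing to detection available here.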


Jason D. Clinton