I've been running a test machine on the internet for about 3 weeks now (on an IP that as far as I know has not previously had any machine running on it). This machine effectively has all its ports stealthed but logs everything thrown at it.
To say the least its been instructive. On a good day it gets hit every hour or two on a bad day like today it gets hit dozens of times. What's interesting is that ALL the attacks over a three week period have been relatively quick scans on known vulnerable ports. Today I've had about 50 probes but they have all been on only 6 ports. They all appear to probe for a known specific weakness in a known program or a port previously left open by a virus or trojan. They just do a the quickest possible probe and then move on the the next IP address. If the port is open I'm fairly sure that the the next step is just to try to use the vulnerability - nothing fancy like seeing if your are running the vulnerable version. If the attack doesn't work they just move on, and on and on till they find someone who is vulnerable. In general I don't think being able to test for the version info will noticeably increase security risks and will make management easier. On 18 Mar 2003 at 16:18, Steve Bostedor wrote: > The purpose that I had in mind was to aid in standardizing > deployments and monitoring to be sure that the latest version is > deployed across the entire network. I can easily do this on Windowz > platforms by querying the registry or getting the metadata from the > file, but things get a bit more complicated when crossing platforms. > There are many other uses for this information. VNC is not the type > of service that can gain much security benefit from hiding the > version number. As one other poster pointed out, it can actually > increase the security by letting the administrator know that a > vulnerable version is installed on a workstation. > > One way to secure this information would be to require authentication > before being able to query the version number. That would at least > keep out the hackers that haven't already hacked ya. ;) > > - Steve Bostedor > http://www.vncscan.com > > > > -----Original Message----- > From: Mike Miller [mailto:[EMAIL PROTECTED] > Sent: Tuesday, March 18, 2003 3:56 PM > To: VNC List > Subject: RE: Wish: Version Query :VSMail mx2 > > > On Tue, 18 Mar 2003, William Hooper wrote: > > > I agree, security through obscurity is not security. On the other > > hand, reporting the version gives an attacker just another piece of > > information that is not needed by an authorized client. > > > If the information is not needed, why is someone asking for VNC to > provide it? Another respondent pointed out that it would be nice for > administrators to be able to determine which machines on their > networks were running which VNCs. Sounds useful. > > Mike > _______________________________________________ > VNC-List mailing list > [EMAIL PROTECTED] > http://www.realvnc.com/mailman/listinfo/vnc-list > _______________________________________________ > VNC-List mailing list > [EMAIL PROTECTED] > http://www.realvnc.com/mailman/listinfo/vnc-list ----------------------------------- Peter Ball Computers For Linguists [EMAIL PROTECTED] Tel: +44(0)20 7732 1741 Fax: +44(0)20 7358 9214 Mobile: +44(0)77 1968 2913 45 Endwell Road, London, SE4 2PQ, United Kingdom _______________________________________________ VNC-List mailing list [EMAIL PROTECTED] http://www.realvnc.com/mailman/listinfo/vnc-list
