# Odd IPs



## MPN (Dec 10, 2005)

I go through WinXP's event log and find many different IP addresses trying to come into my PC through my VNC server(?)

"Event Type:	Information
Event Source:	WinVNC4
Event Category:	None
Event ID:	1
Date: 6/27/2006
Time: 11:47:33 PM
User: N/A
Computer:	BEDROOMPC
Description:
Connections: accepted: xx.xxx.xxx.xxx::xxxx"

These IPs are totally unfamiliar and foreign.

Are people going through my computer? I've closed VNC for the time being, and may keep it closed.


----------



## MPN (Dec 10, 2005)

Also, reading through the many IPs who've tried to connect, they seem to follow up with another message a second later like "connection reset by peer". What's going on?


----------



## Zazula (Apr 27, 2006)

1. WinVNC4.exe is a remote desktop control tool that allows you to remotely control someone's computer or vice versa. Have you enabled remote control on your PC?

2. Some malware camouflage themselves as winvnc4.exe, particularly if they are located in c:\windows or c:\windows\system32 folder. So, it is imperative to check whether the winvnc4.exe process on your PC is a pest.

3. I strongly advise you to immediately take the 5 Step Process and post your HJT log in the specific forum.


----------



## MPN (Dec 10, 2005)

I know what RealVNC is, I installed it myself. The "(?)" was me wondering where these IPs are coming from.

I don't think anyone's been through my machine because all but one disconnected on the same second or one second later, and one disconnected a minute later saying "requested security type not avalible". Some disconnect with "Clean disconnection", although it only lasted a second. I think it is either some kind of attack (many different IPs and port ranges) or just curious people who wander onto my IP by mistake, get nervous, and disconnect or probably somebody's just being a funny man. I'm going to remove the open ports in my router and disable VNC, as I do not use it anymore.

Before I conclude this, do you think anything may have been done to my PC, despite each connection lasting only a second?


----------



## whardman (Jun 28, 2006)

Reset by peer usually means that the foreign computer unsuccessfully tried to authenticate and the program closed the connection. Is this computer on a DMZ port or have port forwarding enabled for VNC to this computer? Normally incoming connections are dropped by the router unless it is specifically forwarded to a computer.

EDIT: You responded as I was typing this.

Connections like this are usually more or less bots that roam the internet. Connections that are less than one second have not authenticated and are closed by the program. There is no way to send files through VNC and only actions performed on the computer screen. I set up Windows Firewall on my server and was surprised at how many random connections are dropped by the firewall.


----------
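Added example, not part of any post in this thread: a small triage script that pairs each WinVNC4 "accepted" event with its close event and lists only the sessions that stayed open longer than a couple of seconds or never logged a close, which are the ones worth reviewing by hand. The "accepted" wording comes from the event quoted above; the "closed: ip::port (reason)" wording, the function name and all sample records are assumptions constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample: (date, time, description) tuples as copied from Event Viewer.
# Addresses are documentation ranges; the "closed" line format is an assumption.
SAMPLE = [
    ("6/27/2006", "11:47:33 PM", "Connections: accepted: 203.0.113.5::4021"),
    ("6/27/2006", "11:47:33 PM",
     "Connections: closed: 203.0.113.5::4021 (connection reset by peer)"),
    ("6/27/2006", "11:50:10 PM", "Connections: accepted: 198.51.100.7::1533"),
    ("6/27/2006", "11:50:11 PM",
     "Connections: closed: 198.51.100.7::1533 (Clean disconnection)"),
    ("6/27/2006", "11:52:00 PM", "Connections: accepted: 192.0.2.44::2210"),
    ("6/27/2006", "11:53:00 PM",
     "Connections: closed: 192.0.2.44::2210 (Clean disconnection)"),
    ("6/27/2006", "11:55:00 PM", "Connections: accepted: 203.0.113.9::3001"),
]

EVENT = re.compile(r"Connections: (accepted|closed): (\S+?)::(\d+)(?: \((.*)\))?$")


def triage(records, max_seconds=2):
    """Return (ip, seconds, reason) for sessions that need a manual look.

    Duration is only a triage heuristic: it narrows the list, it does not
    prove whether a session authenticated.
    """
    open_sessions = {}   # (ip, port) -> time the connection was accepted
    findings = []
    for date, time, desc in records:
        m = EVENT.match(desc)
        if not m:
            continue     # not a connection event
        kind, ip, port, reason = m.groups()
        when = datetime.strptime(f"{date} {time}", "%m/%d/%Y %I:%M:%S %p")
        key = (ip, port)
        if kind == "accepted":
            open_sessions[key] = when
        elif key in open_sessions:
            secs = int((when - open_sessions.pop(key)).total_seconds())
            if secs > max_seconds:
                findings.append((ip, secs, reason))
    # Accepted connections with no matching close event are listed too.
    for ip, _port in open_sessions:
        findings.append((ip, None, "no close event logged"))
    return findings


if __name__ == "__main__":
    for ip, secs, reason in triage(SAMPLE):
        print(ip, secs, reason)
```
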



## MPN (Dec 10, 2005)

I have the three basic VNC ports forwarded to my machine through a wireless router.


----------

