help about "reading version failed: not an RFB server?"
Mick
michaelkintzios "at" gmail.com
Fri Nov 3 19:09:01 2006
This appears to be a Linux trojan:
http://www.symantec.com/security_response/writeup.jsp?docid=2005-032316-4307-99&tabid=1
Given the types of directories it creates you must have been running X or
other applications as root and you allowed it to install, or run some
unchecked binary. If this were my system I would *definitely* reinstall,
after using shred on the partitions.
Good luck.
On Friday 03 November 2006 18:35, Alex Pelts wrote:
> This is possibly some spyware or trojan which hides its process from
> process manager. You can try to use tools from sysinternals.com to
> discover this process. Also run updated anti-virus software to check if
> there is any virus.
> When you run anti-virus disable windows restore because if the file is
> in one of the windows directories it will be restored right back. You
> should have your hands full with this one. Don't let it slide though
> because it may be some key logger or some zombie software.
>
>
> Alex
>
> danidani wrote:
> > PID is 1576 but it doesn't correspond to any PID that is listed in the
> > Task Manager
> >
> > quite strange isn't it?!
> >
> >
> >
> >
> > On 11/3/06, *Alex Pelts* < alexp "at" broadcom.com
> > <mailto:alexp "at" broadcom.com>> wrote:
> >
> > Under win xp you can run "netstat -a -o". That will give you pid of
> > process which owns each connection. From there you can run task
> > manager and find out who opened that connection. On unix there is a
> > similar facility although switches are different and you need to be root
> > to do it.
> >
> > Regards,
> > Alex
> >
> > danidani wrote:
> > > GREAT, it works with this trick!!
> > >
> > > Now the question is... which program is using port 5900??!
> > >
> > >
> > >
> > >
> > > On 11/3/06, John Aldrich < john "at" chattanooga.net <mailto:john "at" chattanooga.net>> wrote:
> > >> On Friday 03 November 2006 10:50, danidani wrote:
> > >>> Doing telnet ipaddress 5900 I obtain:
> > >>> : Welcome!psyBNC "at" lam3rz.de <mailto:Welcome!psyBNC "at" lam3rz.de> NOTICE * :psyBNC2.3.1
> > >>>
> > >>> running telnet ipaddress 5907 I get
> > >>>
> > >>> RFB 003.008
> > >>>
> > >>> and that is correct because I changed the port on the vnc server
> > >>>
> > >>>
> > >>> Anyway I don't get access yet.
> > >>
> > >> Try adding :7 to the name or IP address of the PC you're attempting to
> > >> connect to from remote. Or you can put ::5907 after the name/ip address
> > >> of the PC.
> > >>
> > >> John
> > >> _______________________________________________
> > >> VNC-List mailing list
> > >> VNC-List "at" realvnc.com <mailto:VNC-List "at" realvnc.com>
> > >> To remove yourself from the list visit:
> > >> http://www.realvnc.com/mailman/listinfo/vnc-list
> >
> > --
> > skype: danieleda
> > msn: scriviadani "at" gmail.com <mailto:scriviadani "at" gmail.com>
>
--
Regards,
Mick
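
The two checks used in this thread, as an added example that is not part of the original messages: classifying what a port sends first (an RFB server opens with a 12-byte `RFB xxx.yyy` version line, which is what the viewer failed to read from port 5900), and cross-checking `netstat -a -o` owner PIDs against a process listing. The sample outputs, the host name `mypc`, the process name `winvnc4.exe` and the use of `tasklist /fo csv /nh` for the listing are assumptions constructed for illustration.

```python
import csv
import io
import re

# Constructed sample data (not captured from the thread's machine), shaped
# like `netstat -a -o` and `tasklist /fo csv /nh` output on Windows.
NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    mypc:5900              mypc:0                 LISTENING       1576
  TCP    mypc:5907              mypc:0                 LISTENING       812
  UDP    mypc:445               *:*                                    4
"""
TASKLIST = '''\
"System","4","Console","0","236 K"
"winvnc4.exe","812","Console","0","3,456 K"
'''

RFB_VERSION = re.compile(rb"RFB (\d{3})\.(\d{3})\n")


def classify_banner(first_bytes):
    """Return 'rfb <major>.<minor>' if the service greets like a VNC server."""
    m = RFB_VERSION.match(first_bytes[:12])
    if m:
        return "rfb %d.%d" % (int(m.group(1)), int(m.group(2)))
    return "not-rfb"


def listeners(netstat_text):
    """Yield (proto, local_port, pid) for listening TCP rows and UDP rows."""
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP" and f[3] == "LISTENING":
            yield f[0], f[1].rsplit(":", 1)[1], int(f[4])
        elif len(f) == 4 and f[0] == "UDP":
            yield f[0], f[1].rsplit(":", 1)[1], int(f[3])


def unlisted_owners(netstat_text, tasklist_csv):
    """Sockets whose owning PID does not appear in the process listing."""
    visible = {int(r[1]) for r in csv.reader(io.StringIO(tasklist_csv)) if r}
    return [s for s in listeners(netstat_text) if s[2] not in visible]


if __name__ == "__main__":
    print(classify_banner(b"RFB 003.008\n"))
    print(unlisted_owners(NETSTAT, TASKLIST))
```

A PID missing from the listing can also be a process that exited between the two commands, so repeat both captures before treating the owner as hidden.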