
VNC Roulette - rwmj
http://vncroulette.com
======
eranation
So... what does this mean? I mean, if there are so many hydropower plants et al
vulnerable via VNC, how come we didn't have some major catastrophe? Is it
simply more common to have a "read only" VNC vulnerability? (which is still a
huge problem). Is VNC by default not password protected for read only viewing
(and requires a password for taking control?) Obviously nothing should be
password-less by default, and should not have a "changeit" password (I'm
looking at you glassfish) but I really hope that even if VNC lets you be in
"guest view only mode" without a password by just knowing an IP (who does
that?!) then at least I hope they still require a password to also take
control, right? Please tell me they do. (otherwise I'll be surprised we are
all still alive to be honest)

I mean there are some controls there that I'm sure if the wrong person pushes
that red button, something will go kaboom.

And there is no shortage of people out there who would not think twice to blow
things up.

So yes, this is scary, but it also makes me very surprised that statistically
we are probably not supposed to be alive by now if so many critical control
systems have VNC exposed like that in a way that allows full control on the
system and not just viewing.

Perhaps it's just selection bias, if the world had ended by now then I would
be able to type this.

But still seriously, with all these screenshots, I assume this is not
something new, so how come I didn't hear yet on a major real world damage due
to a VNC vulnerability?

Is this really most likely to be a read only privacy issue? (which is not to
be taken lightly, but not the same as being able to press "shutdown" on some
power plant controls)

~~~
nitrogen
_And there is no shortage of people out there who would not think twice to
blow things up._

I think this may be the essential flaw in the logic that says we should be
dead by now. Maybe there _is_ a shortage of people who want to blow things up
without thinking.

~~~
qwtel
I think survivorship bias is the central flaw in "why aren't we dead by now".
If survival depends on an event not occurring, I'd be extra careful in
estimating its odds.

~~~
tamana
How many nuclear power plants have been blown up by hackers? For whatever
reason, civilizations suffer incredibly small damage relative to the amount of
technical insecurity. The worst destruction comes from large scale war, not
attacks.

------
reimertz
I just spent two hours trying to get in contact with the owner of a small
Swedish hydropower plant that had an open VNC connection, where anyone could
turn on/off generators, open the dam completely etc.

Once I got in contact with him, this is the conversation we had:

1. I explain the critical situation

2. He pretends there's bad reception, asks for my number and quickly says
'I'll call you tomorrow'

3. I explain that I am not trying to sell him anything and that I spent 2
hours to find him to tell him about how anyone can control his power plant

4. He nonchalantly ignores my warning and says "I have two power plants that
you can control like this, nothing to worry about."

5. I try to explain that a LARGE group of people now know about his
power plant and that I could guarantee that people will log in and tamper with
it

6. "Hmm, it is really bad reception here right now, I'll call you
tomorrow."

7. Click

What the actual fuck!

~~~
jay_kyburz
Get his attention. Open the dam! :)

~~~
reimertz
Naah, will not do that.

People in Sweden made that joke as well. Kind of worried I will get in trouble
legally because of this. If there are gonna be any issues with the dam, he
will probably blame me. :(

~~~
lerpa
Should have recorded the call; if he said that it's not a problem then I guess
it's like you're not trespassing at all.

------
tptacek
Your periodic reminder that under US law, you do not have to somehow get past
a login page to be exceeding authorized access to a computer system. A
prosecutor needs only to show that a reasonable person, looking at the same
computer system, would have known they had no authorized access to it.

That makes things like this a pretty bad idea. At least, in the US.

~~~
1x0123
At this moment we have 91 reports from random companies claiming we breached
their networks. I guess they're gonna force us to take it down since they are so
fucking stupid to add an 8-digit password to their VNC server! lolz

~~~
mtmail
I think you don't understand tptacek's remark. It doesn't matter if they have
set up passwords or not.

~~~
tt44
It is quite apparent that he most likely isn't an American and is well aware
of what he's doing.

------
foota
There seems to be an accompanying blog post:
[http://hahasecurity.blogspot.com/2016/03/hack-millions-of-de...](http://hahasecurity.blogspot.com/2016/03/hack-millions-of-devices-with-0-skills.html)

------
synaesthesisx
I saw patient data for some healthcare provider (including patient date of
birth, phone # and addresses) and corporate emails that are obviously not
intended to be public. Wow

EDIT: It looks like a pediatrician's practice too - so all those patients are
children. And all their information is just out there in the open... this
doctor needs to be contacted asap to secure their system.

~~~
joenot443
I think I saw the same one, seems to be a place near LA. Pretty scary stuff.

------
kbenson
Today I learned that Chinese (Japanese?) character support in terminals looks
way cooler than western fonts[1].

[http://vncroulette.com/images/115.218.120.95.jpg](http://vncroulette.com/images/115.218.120.95.jpg)

~~~
feiss
It seems Japanese to me. Nice..

~~~
digi_owl
Thing is that Japan has 3 systems they use: Chinese characters, their own
characters, and Latin characters. Makes for one heck of a learning curve.

------
tapp
Agree that it's simultaneously fascinating and alarming.

Does anyone know what exactly this is?:
[http://vncroulette.com/images/176.64.166.110.jpg](http://vncroulette.com/images/176.64.166.110.jpg)

~~~
semi-extrinsic
It's in Swedish, looks like a status display for the post-combustion part
(smoke cleaning) of some industrial process, maybe cement production?

The worst one I've found so far is this

[http://vncroulette.com/images/85.117.223.103.jpg](http://vncroulette.com/images/85.117.223.103.jpg)

which appears to be _controls_ for a small hydropower plant, also in Sweden.

A few other bad ones I spotted include lots of industrial refrigerators, small
scale wind power (mainly German), an oil futures trading platform, a fire &
gas alarm system control, and someone's Outlook open with some customer
complaint emails.

Edit: oh, and there was a Tesco checkout register (although closed).

~~~
__account__
[http://vncroulette.com/images/90.16.192.69.jpg](http://vncroulette.com/images/90.16.192.69.jpg)

This seems like a French hydroelectric plant :/

~~~
semi-extrinsic
Looks like that one also has start/stop controls (yellow square buttons top,
left of centre)...

------
smilekzs
[http://vncroulette.com/index.php?picture=87](http://vncroulette.com/index.php?picture=87)

"Please secure your VNC!"

EDIT: Also:
[http://vncroulette.com/index.php?picture=270](http://vncroulette.com/index.php?picture=270)

"Upgrade your VNC Server license in order to benefit from premium security
features ..." "An anonymous user has connected. Number of connected users: 1"

~~~
r0muald
The second one has also TeamViewer for, you know, extra security features.

------
cure
[http://vncroulette.com/index.php?picture=193](http://vncroulette.com/index.php?picture=193)

I'm glad this screen is sanitized regularly.

~~~
borplk
I've seen this in airport toilets before

------
hyperion2010
For those who haven't seen Dan's talks before:
[https://www.youtube.com/watch?v=5cWck_xcH64](https://www.youtube.com/watch?v=5cWck_xcH64)

~~~
krylon
Some of the things he found would allow a malicious person to do some real
damage, that part is terrifying. But it's also really funny, so I'll go with
that.

~~~
digi_owl
As the Germans call it, schadenfreude.

~~~
krylon
Weeeeell, if somebody turned off the cooling of a warehouse full of shrimp,
that would be kind of funny (except for the poor people who live downwind and
have to cope with the smell...).

If somebody turned off the backup power supply of a hospital, that would be
slightly less funny.

(Full disclosure: I am a native German speaker, so the concept of
Schadenfreude is quite familiar... even though I try to refrain from enjoying
others' misfortunes, unless they were really, really asking for it, for
example by hooking up their shrimp warehouse's climate system to the Internet
without even password protection...)

------
cenal
What unfortunate timing for this poor guy who is now forever captured having
disappointed his client:
[http://vncroulette.com/images/14.97.72.37.jpg](http://vncroulette.com/images/14.97.72.37.jpg)

------
Phil_Latio
[http://vncroulette.com/index.php?picture=1%27](http://vncroulette.com/index.php?picture=1%27)

~~~
jaflo
"is a fake SQL injection error page"
[https://twitter.com/1x0123/status/713879106614636545](https://twitter.com/1x0123/status/713879106614636545)

~~~
1x0123
It's a fake error generated in the PHP we are running. We have so many hacking
attempts like this, and our site doesn't even have a SQL database; it is running on
flat files as a server! Thanks for your point.

------
pavel_lishin
Found a big honkin' list of patients, with names, dates of birth and
addresses: [http://i.imgur.com/VYRgP20.jpg](http://i.imgur.com/VYRgP20.jpg)
(image has information redacted).

If we want to raise awareness of this issue, this might be an appropriate use
of "won't somebody please think of the children".

------
chrisper
[http://vncroulette.com/images/194.218.45.214.jpg](http://vncroulette.com/images/194.218.45.214.jpg)
this one is rather interesting.

~~~
agumonkey
It's scary, like a SCADA cpanel.

~~~
lovelearning
It is. This one seems to be some kind of electrical station:

[http://vncroulette.com/index.php?picture=10](http://vncroulette.com/index.php?picture=10)

~~~
anthk
That's from Telefonica. It could be related to cable TV.

~~~
lovelearning
Looks like these URLs are not permalinks. Yesterday, this URL was showing
something with two electrical pylon icons and rather large numbers like 9,000
kWh. Today, it's changed to some TV thing like you said.

------
lossolo
We need to change the name of IoT to IoZ (Internet of Zombies) because most of
them will end up as zombies in someone's botnet.

~~~
maaku
Internet of someone else's things.

------
Pxtl
[http://vncroulette.com/index.php?picture=7](http://vncroulette.com/index.php?picture=7)

The horn button on this one is tempting. Not "go commit a felony" tempting,
but still.

[http://vncroulette.com/index.php?picture=17](http://vncroulette.com/index.php?picture=17)

That one looks to have some root term open.

------
zebogen
This isn't roulette. It's a slideshow.

------
1x0123
This is not a honeypot; it is for research and to raise security awareness.
Please contact me at twitter.com/1x0123 if you found something that should be
removed from the site.

~~~
Pxtl
[http://vncroulette.com/index.php?picture=1%27](http://vncroulette.com/index.php?picture=1%27)

Poster above noted an implied SQL injection vulnerability in your site.
Somewhat ironic, eh?

~~~
takeda
apparently fake:
[https://twitter.com/1x0123/status/713879106614636545](https://twitter.com/1x0123/status/713879106614636545)

------
cm2187
_One moment, We are checking your browser to verify that you are not a
bot....._

Couldn't get past that.

------
digi_owl
I wonder how many installs date from before the facility was put online, or
are online because someone plugged something in that acts as a router without
anyone's knowledge.

Meaning that this happened over years, if not decades, because admin A left
and admin B was not informed that some box somewhere is serving up something
for the general internet to see.

------
api
I see things that look alarmingly like industrial control. Who leaves wide
open unpassworded VNC?

~~~
shurcooL
I can only guess it's people who think of their IP as a password. Like, who's
going to guess the IP, right.

~~~
cjmoran
I have to ask, how does one come across such open servers? Do you just try
common ports on random IP addresses until you find one that works?

~~~
zanny
There are only 4 billion IPv4 addresses. Just iterate port 5900 until you get
a response, bam, VNC server.

------
markbnj
Sad and fascinating. Couldn't stop clicking. Way to go San Jose State, getting
in there three times is an achievement.

------
milesf
I think we need some sort of awareness day for the general public to
understand what internet security _really_ is. Whenever I see news reports,
it's always cast as "hackers broke into..." such and such. Yet if some brick-
and-mortar business is robbed because the owner left the front door unlocked,
people would rightfully put the onus mostly on the store owner.

EDIT: Wow. I'm being modded into the basement. When did Hacker News become so
PC? Victim-blaming? Seriously? The VNC connections illustrated on this site
are that way because of incompetence and ignorance. The reason there are no
unlocked brick-and-mortar businesses is because it is due diligence to protect
one's assets from not just criminals, but simple mischief.

~~~
ekianjo
> Yet if some brick-and-mortar business is robbed because the owner left the
> front door unlocked, people would rightfully put the onus mostly on the
> store owner.

No, there were days when people did not even lock their cars and their houses
(but maybe you are too young to have known that time where you live) because
it was not expected that anyone would actually rob anything. Especially in
communities where everyone knew everyone else. And if a robbery happened, the
blame would still have been put on the thief, not the owner.

~~~
stickfigure
_there were days when people did not even lock their cars and their houses_

These are still such days. There still are thousands of communities, even
in California, where you can get away with this. The difference is not time
but population density. There was probably never a time when you could leave
your home unlocked and unguarded in urban cities.

~~~
galfarragem
> _The difference is not time but population density. There was probably
> never a time when you could leave your home unlocked and unguarded in urban
> cities._

There was, and not so long ago (e.g. 40 years ago in Portugal or Poland, and
probably many other countries). So I would change your statement:

_The difference is not time but population density and especially politics
/religion._

~~~
SixSigma
What did those people have that was worth stealing? Plates, spoons and linen.

------
dc2
Anyone want to turn the mic up at the ongoing lecture at the University of
Connecticut?

[http://vncroulette.com/index.php?picture=429](http://vncroulette.com/index.php?picture=429)

------
reimertz
One of these IP addresses was still reachable. Seems to be a desk computer
taking orders for pharmaceuticals, I could see a clerk write a person's name,
what he ordered, everything!

Just awful! I tried to figure out what company it was and how to reach
them, but nope, couldn't find anything..

This is why I just want to hide under a rock, since it is obvious that a lot
of people don't know how to protect the data they have collected about me.

~~~
1x0123
I guess you know my feeling, you just found a reachable IP? I get like 100
online machines every fucking single day! How bad could it be, bro?

------
capote
Lots of humans are Chinese.

~~~
droidist2
Yes, about 19% (dropping though)

[https://www.wolframalpha.com/input/?i=total+chinese+populati...](https://www.wolframalpha.com/input/?i=total+chinese+population+%2F+total+world+population)

~~~
capote
It's fascinating.

------
zhte415
TIL:

Many UIs for industrial control systems are very simple.

Ubuntu is more prevalent than I would have imagined.

~~~
jle17
I don't think Ubuntu and Linux desktops' prevalence in open VNCs is indicative
of prevalence. They definitely seem to be over-represented in the various
examples I've seen of publicly accessible VNC servers, I would be curious to
know why.

Maybe there are more users on Linux who know how to set up a VNC server or
maybe some popular VNC package has bad security defaults?

------
dc2
Some interesting metadata:

The dates on the screenshots range from 31 December 2015 to 5 March 2016, with
many at either the beginning or end of February.

The computer name of the hacker doing this also appears to be
"want.some.vodka".

[http://vncroulette.com/index.php?picture=439](http://vncroulette.com/index.php?picture=439)

~~~
ctpide
Pretty sure that's the name of the computer, not the person logging into the
computer.

------
krylon
This reminds me of a program I once wrote when I first learnt SQL, a sort of
randomizing port scanner that would just try random combinations of hosts and
ports and store its results into a database.

Later, I added stuff like attempting AXFR zone transfers, which was
interesting, and I came across some university that apparently had no
firewalls in place whatsoever.

I found a few devices with open telnet ports, mostly printers. I remember
clearly the thrill I felt when I realized I could make this printer refuse any
print jobs or remove jobs from its queue.

I also found a few devices I had no clue about. The latter were the ones I
found most fascinating, although I never took the trouble to research what
those devices might have been. I suspect, though, that nowadays there must be
a whole lot more of such devices around, with IoT and all that.

(My scanner never looked at VNC or RDP, though... This site makes me wish I
had thought of that.)

------
golergka
[https://www.dropbox.com/s/eusw515pxqzu8sk/Screenshot%202016-...](https://www.dropbox.com/s/eusw515pxqzu8sk/Screenshot%202016-03-27%2014.52.31.png?dl=0)

OK, this looks like a system that really shouldn't have a security flaw like
this.

------
nommm-nommm
[http://vncroulette.com/index.php?picture=536](http://vncroulette.com/index.php?picture=536)

"Upgrade your VNC server license in order to benefit from _premium security
features_ and performance enhancements."

------
nodesocket
Scary, here is a screenshot showing very sensitive patient information from
practicefusion. Just because VNC is open, doesn't give you the right to show
everybody in the world. I'm torn about this site.

* Removed the link to the screenshot

------
chvid
I cannot seem to connect to any of them? Are they all still supposed to be
open on port 5900?

~~~
jle17
Tried to telnet on port 5900 of three or four of them, one was definitely
still open.

------
bpicolo
The fourth one it shows me appears to be a medical records database. Wowzerz

------
neom
The xray machine is good:
[http://vncroulette.com/index.php?picture=502](http://vncroulette.com/index.php?picture=502)

(I'm obsessed with this)

------
sergers
I wouldn't be surprised if something so simple was the "hack" that affected
water treatment plants in various articles on HN the last couple of weeks.

------
neom
[http://vncroulette.com/index.php?picture=134](http://vncroulette.com/index.php?picture=134)
is wild.

~~~
skeletonjelly
What is that green thing on top?

~~~
mrweasel
The round bit? That's a heavy tarp, it's put over fermenters with biomass
(pig poop or similar); as the biomass ferments the tarp balloons up, due to
the generated gas. The gas can be extracted later and used in power plants.

------
azinman2
Ok this is really bad -- one of the machines/images is showing a practice
fusion terminal with PII revealed -- a huge HIPAA violation.

------
ams6110
Some of these seem old. I saw one that looked like some kind of industrial
status dashboard but the date/time displayed on it was from 2015.

------
andy9775
Even though most of these probably have read only access, the fact that it's
even there shows that the person that set it up didn't have security on their
mind. Sure you may not be able to do anything via VNC, but what about other
attack vectors on these services? Are they updated, is the OS up to date, is
it using easy usernames/passwords so you can ssh in, for example?

------
ladzoppelin
This is really bad software design. Unreal. The person who put it on those
SCADA machines is long gone. Now what?

------
bitJericho
I'm seeing someone's checking account. Maybe even a banking system. Not
logging into that!

------
robotmachine
Well, this made me do a sweep on my servers to make sure I didn't have VNC
running. Tag as PSA!

------
superkuh
In case anyone is wondering there are 540 images before it loops back to the
first image.

------
sidcool
Late to the party and a noob. Can someone explain a bit about what this is all
about?

~~~
Jaruzel
VNC Server is an application that allows you to have remote access to a PC.
Once installed you can use any other PC (or a phone/tablet) that has the
client VNC software installed to connect to it and remotely log in as if you
were sitting in front of it. VNCRoulette is a site that is scanning for these
servers on the Internet, logging in, and taking a screenshot of the desktop.
VNC can be secure with an extra logon password, but a lot of systems and users
don't bother. It's this vulnerability that VNCroulette is exploiting. Most of
the PCs it's connecting to are 'read only' so the remote access can only see
the desktop and not interact with it, but a good many are read/write with no
restrictions.
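
The "no password" case above is visible in the very first bytes a VNC server sends: after the version exchange it lists the security types it accepts, and type 1 ("None") means a viewer is admitted without any password. The script below is an added example for auditing your own servers (not code from vncroulette.com or any VNC project): it parses that handshake per RFC 6143 against constructed sample messages, and `audit_host` runs the same check against a host you own, defaulting to localhost.

```python
"""Audit an RFB (VNC) server greeting: does it offer the 'None' security
type, i.e. admit viewers with no password at all? Added example, not code
from vncroulette.com or any VNC project; message layout per RFC 6143."""
import re
import socket
import struct

# Security type numbers registered in RFC 6143 section 7.1.2
SECURITY_TYPE_NAMES = {
    0: "Invalid",
    1: "None",                # no authentication: anyone may connect
    2: "VNC Authentication",  # challenge/response on an 8-char password
    16: "Tight",
    18: "TLS",
    19: "VeNCrypt",
}

VERSION_RE = re.compile(rb"^RFB (\d{3})\.(\d{3})\n$")


def parse_version(greeting):
    """Return (major, minor) from the 12-byte ProtocolVersion message."""
    m = VERSION_RE.match(greeting)
    if not m:
        raise ValueError("not an RFB greeting: %r" % greeting)
    return int(m.group(1)), int(m.group(2))


def parse_security_types(version, data):
    """Return (types, reason) from the server's security handshake.

    RFB 3.7/3.8: one-byte count, then that many one-byte types; a count
    of 0 means the server refused and is followed by a U32-length reason.
    RFB 3.3: a single U32 security type chosen by the server.
    """
    if version <= (3, 3):
        (sec_type,) = struct.unpack(">I", data[:4])
        return [sec_type], None
    if not data:
        raise ValueError("empty security message")
    count = data[0]
    if count == 0:
        (length,) = struct.unpack(">I", data[1:5])
        return [], data[5:5 + length].decode("latin-1", "replace")
    types = list(data[1:1 + count])
    if len(types) != count:
        raise ValueError("truncated security type list")
    return types, None


def audit(greeting, security_msg):
    """Summarise what the two server messages mean for the owner."""
    version = parse_version(greeting)
    types, reason = parse_security_types(version, security_msg)
    return {
        "version": version,
        "security_types": [SECURITY_TYPE_NAMES.get(t, "type %d" % t)
                           for t in types],
        "unauthenticated": 1 in types,  # the case this thread is about
        "refused": reason,
    }


def audit_host(host="127.0.0.1", port=5900, timeout=3.0):
    """Check your own VNC service: exchange versions, read the offered
    security types, and close without authenticating or sending input."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        greeting = s.recv(12)
        version = parse_version(greeting)
        s.sendall(b"RFB 003.008\n" if version >= (3, 7) else b"RFB 003.003\n")
        return audit(greeting, s.recv(260))


# Constructed samples (not captured traffic): an RFB 3.8 server offering
# only 'None', and one requiring VNC Authentication or VeNCrypt.
SAMPLE_OPEN = (b"RFB 003.008\n", b"\x01\x01")
SAMPLE_AUTH = (b"RFB 003.008\n", b"\x02\x02\x13")

if __name__ == "__main__":
    for greeting, msg in (SAMPLE_OPEN, SAMPLE_AUTH):
        print(audit(greeting, msg))
```

A result with `"unauthenticated": True` is the condition the screenshots on the site depend on; a server that lists only VNC Authentication still relies on a short password and should additionally be kept off the public Internet.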

~~~
sidcool
Whoa! Thanks! Shouldn't these also be notified of the vulnerability? Some of
the screenshots look like they contain sensitive information.

------
GTP
I appreciate the effort to improve security awareness, but is such a website
legal?

~~~
secant
Think of it this way. Is browsing to a random HTTP address via IP on the
internet and then screencapping the picture produced on your browser legal?

Then using a VNC client in the same way would fall under the same legal
purview. I think as long as there is no interaction to carry out functions, or
attempt password/username combos, then it's fair game.

~~~
pavel_lishin
A prosecutor armed with the CFAA would probably disagree with you.

Browsing to an address with your browser is like checking to see whether a
shop on main street is open right now. Attempting to connect to an address
with VNC is more akin to walking around the back of a house and checking if
the rear door is locked or not.

------
whatgoodisaroad
I'm a bit confused how what appears to be an Apple TV would show up here.

[http://vncroulette.com/images/91.146.187.140.jpg](http://vncroulette.com/images/91.146.187.140.jpg)

~~~
kccqzy
There used to be a builtin OS X app called Front Row (in Snow Leopard and
earlier!) that does this.

~~~
arm
Yeah, but I’m pretty sure it wouldn’t show the Apple TV there though.

It seems more likely that that’s a jailbroken Apple TV (2nd generation)
running a VNC server like this:

[http://brandon-holland.com/software/exposed/](http://brandon-holland.com/software/exposed/)

------
an4rchy
Interesting idea, great/scary to see so many different companies and
industries here.

This looks like it's going to blow up and get some traction before a lot of
people decide to fix this issue with password protection.

------
ctpide
I count 541 examples - I wonder how many more are this easily accessible... I
hope each and every one of them has been contacted or at least left a message
if possible...

------
mercora
I wonder if it is possible to read input of other users and/or devices
connected to these computers in read only mode or any mode actually.

------
tyingq
Ugh...the login banner:
[http://i.imgur.com/CpjNoFC.jpg](http://i.imgur.com/CpjNoFC.jpg)

------
aceperry
Amazing to see how much infrastructure is using VNC.

------
sengork
I don't see any of the screens moving. Maybe they are all idle sessions,
however I did not expect that many of them.

~~~
Gaessaki
These are screenshots I think, not live feed.

~~~
sengork
Some do work when connected to via a VNC viewer. Yes the website only displays
dated JPEGs.

------
scastillo
Some of the images seem just fake. It's unlikely to have VNC running on the
MBR:

[http://vncroulette.com/images/84.201.34.211.jpg](http://vncroulette.com/images/84.201.34.211.jpg)

Yeah, could be a VM fullscreen, but has anyone thought this could be just
random screenshots stolen from somewhere? I can make up a very nice story
about a flying spaghetti monster given Google Images' index.

~~~
kbuck
VMware has a built-in VNC server on both ESX and their desktop virtualization
products.[1]

If you don't configure a password to connect, no password is required.

[1]: [https://pubs.vmware.com/workstation-9/index.jsp#com.vmware.w...](https://pubs.vmware.com/workstation-9/index.jsp#com.vmware.ws.using.doc/GUID-7172F398-D1DA-4BF2-86F8-BF1C9C2EBFA3.html#GUID-7172F398-D1DA-4BF2-86F8-BF1C9C2EBFA3)

~~~
chungy
QEMU and VirtualBox have VNC servers too. Can be a handy feature.

Why this would be exposed to the public Internet, I have no idea. Maybe some
poor soul was doing this in a combination of being directly plugged in, no
NAT/router in the way, and lack of or weak OS-side firewall.

Speaking of NAT, IPv6 might make these things even riskier, but I hope most
people are running a firewall on their OS. The built-in ones on Windows, Mac,
Linux should all do fine.

~~~
dec0dedab0de
_The built-in ones on Windows, Mac, Linux should all do fine_

Until they need to legitimately open a service.

------
typon
I'm pretty sure I just had access to an oil well in PA, USA just now. That's
pretty incredible.

------
x0
This is a horrible thing. Does the site really have to include the VNC
server's IP in there as well?

~~~
ATsch
If somebody wants to do evil things with this, they can probably find their
own IPs

------
1x0123
we added new machines please enjoy! clear your browser cache & refresh

------
perlpimp
site is hacked

------
jff
Oh, a pediatrics clinic, very nice (redacted image because it contained _GASP_
addresses and names, like one might find in a phone book)

~~~
synaesthesisx
Can we find information on this clinic and contact them ASAP?

~~~
jff
Tendercare Pediatrics in Huntington Park, CA

~~~
ghostly_s
I've sent a notice regarding this info to what is as near as I can tell the
healthcare company which operates this facility.

[http://www.memorialcare.org/locations/tendercare-pediatrics-...](http://www.memorialcare.org/locations/tendercare-pediatrics-huntington-park-7705-seville-avenue)

~~~
jff
Good! Have you heard anything back?

------
radicalman
Wtf one is a control panel for a major South Korean nuclear powerplant!? How
is this site getting these snapshots?

~~~
Pxtl
Open VNC remote control servers. Point VNC at the address up top and you can
remote control the computer. And commit a felony, so don't do it.

Edit: apparently read-only VNC is a thing, so many of these are probably
harmless.

