no logs or log files in vino

Thank you for your bug report. The issue is an upstream one and it would be nice if somebody having it could send the bug the to the people writting the software (https://wiki.ubuntu.com/Bugs/Upstream/GNOME)

Seeing as someone just remotely connected to my vino server even though i said only connections via localhost (ssh tunnel). It would have been nice to be able to read vino logs to see wtf was going on.

It appears that I had the same thing happen to me today... vino version 2.28.2-0ubuntu2. I also

Appeared to be someone controlling my desktop - I was able to simultaneously (with the apparent invader) control the mouse pointer and was able to shut the system down. Since vino has no apparent logging system, I don't have any other details. None of my other logs seem to show anything funny going on.

I just had a similar experience. Someone (two IPs) just connected to my machine. I had set only to listen on local network as well and also require a password. First person to connect seemed like a bot scanner and didnt do anything. The IPs first octet was in the 88.x.x.x I believe. Next, a person connected from their residential Internet address a few minutes later and I opened up a text editor to alert the connecting person that I knew what was up. They typed back into my text editor and confirmed that they were human. So, from all this, I am very concerned for a few reasons because there might be some vulnerability being exploited. Here are the things I am considering...

* DMZ host or NAT port forwarding allowed external user to connect to internal interface (was enabled in my case)
* password was guessed (possible)
* someone has 0day to bypass VNC password prompt (improbable, but not totally unlikely given the recent VNC noauth bug that was published)

Only way to find out would be to see some better logging. For instance, did the remote attacker authenticate with a password or not??? And what were the IPs of both connecting users? I will not know now because of the failure to log this information by vino server. If there is a 0day, lots of vino/vnc users are going to be in trouble...

I think this should now be tagged as a security vulnerability since multiple people with complex passwords protecting their Vino servers have been compromised. It makes me think that Vino is vulnerable to the same vulnerability, or something similar, as below.

http://secunia.com/advisories/20107

Logs location under /home/.xsession-error* as follows:

1 - mtavares@ubuntu:~$ cd ~; find ./ -exec grep -il "vino" {} \;|grep xsession|while read line; do grep vino $line; done
vino-server: Fatal IO error 11 (Resource temporarily unavailable) on X server :0.0.

Also and for debugging:

netstat -antp|grep 5900|awk -F" " '{print $7}'|awk -F"/" '{print $1}'|tail -1|while read line; do ps -ef|grep $line; done|grep -v grep|awk -F" " '{print $3}'|xargs sudo strace -p

Regards
Miguel Tavares

@Miguel: These commands may show errors Vino through that caused a problem with execution, but the main issue (at least to me) is there is no logging of when a client connected to Vino (either successfully, or failed password). I would like to know the following:

1: Time of connection attempt
2: Source IP
3: Failed password attempts
4: Successful connection time
5: Connection duration.

Also, these needs to be available via System > Administration > Log File Viewer.

kristian is spot-on; this is a security issue. I can't very well tell folks how secure Ubuntu is if I can't properly audit who's logged into the system remotely via Vino (which is the default Ubuntu VNC server)

BP

I also miss the logging feature from Vino. Today somebody started to control my desktop while I was on mobilenet connection. I was very careless and supposed that I always will use my laptop from behind a nat router. Some months ago I supposed to set up vino temporarily without password and after this I forgot about that. Now while I was on my mobilenet connection without proper firewall set up somebody spotted the open vnc port on my machine and started controlling my desktop remotely. Now I would be very useful to analyze the logs of vino to identify the attacker. I guess there can be a lot of careless users in similar situation with forgotten vino servers who would be curious about the details of attacks since it is gome's default remote desktop tool.

just to add that I experienced a similar issue...

- vnc port was NOT open on the router
- upnp was enabled
- vino was not configured with a password

somebody connected to my pc and was trying to do something with the broadcast accounts - maybe post something to twitter? I'm not sure if it was a bot or a person...

I've since disabled upnp and vino, but would be useful to know further details from a vino log...

Exactly the same as everyone else: forgot about PnP, forgot that vino was enabled. Had an intrusion I spotted, but there's no log.

It's quite unbelievable that vino does not have a log, and I wouldn't call this a wishlist item. I'd call it a critical security issue.

This bug appears to be a huge security problem that allows remote clipboard
access. Vino should be considered insecure and untrustworthy.

References:
  http://www.ubuntu.com/usn/usn-1701-1
On Apr 19, 2012 5:30 PM, "JeffV" <email address hidden> wrote:

> Exactly the same as everyone else: forgot about PnP, forgot that vino
> was enabled. Had an intrusion I spotted, but there's no log.
>
> It's quite unbelievable that vino does not have a log, and I wouldn't
> call this a wishlist item. I'd call it a critical security issue.
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/330310
>
> Title:
> no logs or log files in vino
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/vino/+bug/330310/+subscriptions
>