Ghosting from remote

Is there a way to find out if there is Ghosting going on in my computer?

What is Ghosting?

I know this was from a few months ago, but here is some advice for that user…

I think “ghosting” may be an incorrect term. I think of ghosting as making an image of a hard drive using ImageX or Norton Ghost… You are probably asking about someone remoting in to your session using something like GenControl that creates a VNC session without you knowing that someone is viewing your live desktop session.

Anyway, you can start by going to the command line and entering netstat -a -b

The process name is in brackets. Look for anything that says “vnc” or a process running on the 5900 port. 5900 (or 5800 on some) is the default port for vnc and it can easily be changed on the viewer side, so this would just be a first step.

Look up any process that you are unfamiliar with.

Remember that this port will be open only if someone is connected. To be proactive about it, just go in to your firewall and block 5800 and 5900.



One or the other of multiple flavors of vnc are not the only one for remote control.

On the “paying side”, radmin is well known to a point where most of malware robots scan its defaut port (4899), but nowadays softwares like Teamviewer are largely more generalized then vnc.

But you are right for one point: if using one of these softwares with a viewer side (vnc, radmin…) the first thing to do is definitely to set them to listen to a non-default port (and of course with a password).

You are also maybe making a (dangerous) confusion when speaking of “some” in vnc 5900 and 5800 port attributions, as it such an event was randomized.

5900 (and following 590x if running in a LAN) are dedicated to vnc viewer whereas, like in Teamviewer, 5800 is the port for http connexion using the java machine, and therefore most certainly the largest threat because it can potentially run on whatever computer with no other specific software but the very common java machine.

Agreed. Any port could be used for running a remote viewing process, however, I do not believe that I trivialized the question. Absolutely, a good “first step” would be to check the open ports.

I also made the assumption that it would not have been a malicious, but rather someone local viewing the session (parent, sibling, coworker, etc.) If there is someone remotely viewing your session from a non-local location or with malicious intent, the scope of the answer is far beyond the question of “how can I tell if someone is ghosting…?”

So, to further my original suggestion, I would simply say that if you feel that your session is being remotely viewed, then please remove your computer from the network until you can get more information from on this or any other forum, or from an on-site professional.

brucine, I am a bit confused as to the point of your post… Is your suggestion for Mastersage to simply look for other ports than those in the 5800, 5900 ranges, or is your point that you do not know of a way to detect if a computer is viewing your session because the port used is randomized?


Ports 5800 and 5900 are not a threat from vnc itself, but from malware trying to use these ports, and the reason for never using them if running vnc; but of course, if one has not vnc viewer or server installed on his computer, if using a correct firewall, there shall be nothing like an open or visible 5900 port.

Excepting maybe remote connexion softwares using port 80 and the java machine, none of these softwares can by default connect to a computer without the local user being asked to allow it (mail, password, clicking something…) or seeing the remote action (windows and mice moves…).

And even in such a situation, e.g. Teamviewer does not connect TCP in to your local computer (thus no possible action from the firewall), but both computers TCP out port 80 to the Teamviewer server (no one actually controls TCP out port 80 from his browser); nevertheless, a HIPS equipped firewall shall detect that not your browser itself, but some other software controlling it wants to access port 80 TCP out.

There’s as a conclusion almost no chance of someone getting hacked by remote control without noticing it if he physically is in front of his computer.

The second conclusion is that the threat arises if one of these services is running in background when you are not in front of your computer: one should never run any of these as a service and/or start them with Windows, and every relevant service should be disabled, reminding that the major threat is not these third-party softwares, but default activated Windows services (Remote desktop and help, MSN, Telnet, Dialing services…).