1 Reply Latest reply on Nov 10, 2014 9:10 AM by steelbound

    Our colleague is using MRC for spying purposes. What is he doing?

    john.doe.elsa

      There's a lot of communication on port 49155, but I can't guess what he is doing. I can't find a started MRC service on the machines that he is communicating with. So what is he doing? Is it possible that he is spying on those users? Like I said, there are tons of packets on TCP port 49155.

        • Re: Our colleague is using MRC for spying purposes. What is he doing?
          steelbound

          Hello,

          DameWare does not communicate on port 49155 by default, but it can be configured that way. Also, all signs of an active session can be suppressed by tweaking the configuration, so the user would not know he is being "spied" on. But there is no way that I am aware of to hide the DameWare Mini Remote Control Service, other than removing it after each connection. Still, while the connection is active (which would be hinted at by higher traffic), the service has to be running and visible in the services list.

          Outside of an active session, try checking Device Manager / Display adapters. If the DameWare Mirror Driver is installed, it is a sign of DMRC presence on the system (however, it won't tell you when or who deployed it). But a connection can also be established without it, so the absence of the MD does not prove that nobody connected to the machine using DMRC in the past.


          Hope this answers your question.

          V. T.
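
The checks described in the reply above, collected into one local triage script; this is an added example, not part of the original posts and not DameWare's own tooling. It assumes the service and mirror driver carry "DameWare" in their display names (as the reply refers to them), that it runs in an elevated PowerShell session on the machine being examined, and that `Get-NetTCPConnection` is available (Windows 8 / Server 2012 or later). The event ID 7045 lookup goes beyond the reply: it uses the System log's service-install records to catch a service that is deployed and removed around each connection.

```powershell
# Added example: local triage for the DameWare indicators named in this thread.
# Assumption: "DameWare" appears in the service / driver display names.
$pattern = '*DameWare*'
$port    = 49155   # port reported in the question

# 1. Service present or running now (it must be running during an active session).
$services = Get-CimInstance Win32_Service |
    Where-Object { $_.DisplayName -like $pattern -or $_.PathName -like $pattern } |
    Select-Object Name, DisplayName, State, StartMode, ProcessId, PathName

# 2. Mirror driver under Display adapters (presence only; absence proves nothing).
$drivers = Get-CimInstance Win32_PnPSignedDriver |
    Where-Object { $_.DeviceClass -eq 'DISPLAY' -and
                   ($_.DeviceName -like $pattern -or $_.DriverProviderName -like $pattern) } |
    Select-Object DeviceName, DriverProviderName, DriverVersion, DriverDate

# 3. Which process actually owns the traffic seen on the observed port.
$connections = Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -eq $port -or $_.RemotePort -eq $port } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Local     = "$($_.LocalAddress):$($_.LocalPort)"
            Remote    = "$($_.RemoteAddress):$($_.RemotePort)"
            State     = $_.State
            OwningPid = $_.OwningProcess
            Process   = $proc.ProcessName
        }
    }

# 4. Service Control Manager event 7045 ("A service was installed in the system")
#    records each install, including the time and the installing account's SID.
$installs = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like $pattern } |
    Select-Object TimeCreated, UserId, Message

# Report each finding; an empty section means nothing matched the pattern.
'--- Services ---';                 $services    | Format-List
'--- Display drivers ---';          $drivers     | Format-Table -AutoSize
"--- TCP connections on $port ---"; $connections | Format-Table -AutoSize
'--- Service installs (7045) ---';  $installs    | Format-List
```

If section 3 shows the port owned by a process unrelated to DameWare, the traffic has another source; on current Windows versions 49155 falls inside the default dynamic port range (49152-65535) that the operating system assigns to its own services.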