[Intrusions] FYI - X11 scanning

[Andrew Daviel]

FYI

Recently we have seen some scanning for X11 service from offsite, and
most recently a compromised machine was found with some of
these tools (xscan,pscan) running.

We still have some legacy thin clients (NCD X-terminals) which cannot
easily be secured (filters must be entered manually using numeric
addresses one-by-one, no ranges allowed, so locking down a public
terminal is almost impossible), and X11 client (well, servers in X
terminology) software on Windows that prompt users to allow access from
whereever, so finally decided to block this service at the periphery.

Another example of something that was known about but not thought to be a
problem ... X11 did not seem to be interesting to script kids.

Nowadays X11 is most conveniently and transparently tunnelled through
SSH between Unix boxes (or Windows machines running a 3rd-party X
server), but the old NCD terminals do not support SSH, and some
platforms e.g. VMS supported X and SSH but not the easy tunneling, and we
needed offsite access to graphical applications.
Unrestricted X11 is subject to relatively simple remote screen capture
and keystroke logging attacks; the NCD terminals could also be used to
proxy traffic past a firewall as I recall...

-- 
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376  (Pacific Time)
security at triumf.ca