[Dshield] VNC activity?

Dregier, Leo A. (CMS/CTR) Leo.Dregier at CMS.hhs.gov
Thu Feb 23 16:48:54 GMT 2006

To all:

I believe that it depends on the ports.  They may be identified as
Trojan ports so something of the like.  Do you have the ports for us?


Leo A. Dregier III
Computer Security Incident Response Capability (CSIRC)
- Incident Response Team - Incident Response Lead 

Centers for Medicare & Medicaid Services
Lockheed Martin CITIC Security Team
desk: 443-348-4002
e-mail: Leo.Dregier at cms.hhs.gov 

The contents of this e-mail are confidential to the ordinary user of the
e-mail address to which it was addressed and may also be privileged. If
you are not the addressee of this e-mail you may not copy, forward,
disclose or otherwise use it or any part of it in any form whatsoever.
CMS does not accept responsibility for changes made to any e-mail after
sending.  If you have received this e-mail in error please e-mail the
sender by replying to this message.

-----Original Message-----
From: Jeff Kell [mailto:jeff-kell at utc.edu] 
Sent: Wednesday, February 22, 2006 8:17 AM
To: General DShield Discussion List
Subject: [Dshield] VNC activity?

This is just a quick note about some weird activity on my snort sensor
this morning... five dorm computers suddenly showing signs of a VNC
server, all on different nonstandard ports.  Are the bots now going to
this level of remote control?

Haven't seen IRC activity from these hosts, so this could be anything. 
Will have more time to check when I get to the office.  But it is weird
to see a very definite VNC-like response from so many hosts at once, out
of the blue, on a nonstandard port.

Of course MacOS remote admin also looks like this, so it may be trolling
for Macs, due to recent exploits.  I would expect that on the usual port
though (5900).


More information about the list mailing list