[Dshield] VNC scanning?
TRushing at hollandco.com
Tue Jan 3 20:53:30 GMT 2006
I saw a scan from 18.104.22.168 to TCP port 5900 running through my 8 home
IPs just a bit ago:
Jan 3 14:04:49 asgard kernel: IPT INPUT packet died: IN=ppp0 OUT= MAC=
SRC=22.214.171.124 DST=a.b.c.d LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=42217 DF
PROTO=TCP SPT=3447 DPT=5900 WINDOW=16384 RES=0x00 SYN URGP=0
I'm seeing the same thing on a corporate firewall from a different source
IP (126.96.36.199). Ran through our subnet twice.
Jan 01 2006 13:22:45: %PIX-4: Deny tcp src outside:188.8.131.52/50508 dst
inside:a.b.c.d/5900 by access-group "outside"
Looking at the 5900 port stats at
I see very few sources and a slight target spike on 12/3, though still, I
imagine, a very low scan level. Given that, it strikes me as odd that I'd
see scans on a work site using T-1 and a home site using DSL within a
short time period.
I did not find any recent announcements of VNC vulnerabilities. In fact,
about the only 2005 item I could find was a brief thread at
where class101 AT phreaker.net seems to think he's discovered a number of
unsecured VNC servers, but the RealVNC person participating in the thread
seems to think they are full of it.
More information about the list