[Dshield] VNC scanning?

TRushing@hollandco.com TRushing at hollandco.com
Tue Jan 3 20:53:30 GMT 2006

I saw a scan from to TCP port 5900 running through my 8 home 
IPs just a bit ago:

Jan  3 14:04:49 asgard kernel: IPT INPUT packet died: IN=ppp0 OUT= MAC= 
SRC= DST=a.b.c.d LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=42217 DF 
PROTO=TCP SPT=3447 DPT=5900 WINDOW=16384 RES=0x00 SYN URGP=0 

I'm seeing the same thing on a corporate firewall from a different source 
IP (  Ran through our subnet twice.

Jan 01 2006 13:22:45: %PIX-4: Deny tcp src outside: dst 
inside:a.b.c.d/5900 by access-group "outside"

Looking at the 5900 port stats at 


I see very few sources and a slight target spike on 12/3, though still, I 
imagine, a very low scan level.  Given that, it strikes me as odd that I'd 
see scans on a work site using T-1 and a home site using DSL within a 
short time period.

I did not find any recent announcements of VNC vulnerabilities.  In fact, 
about the only 2005 item I could find was a brief thread at


where class101 AT phreaker.net seems to think he's discovered a number of 
unsecured VNC servers, but the RealVNC person participating in the thread 
seems to think they are full of it.

Tim Rushing
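
An added example, not part of the original post: a small Python parser for the two log formats quoted above (netfilter LOG lines and PIX deny messages) that reports sources probing TCP 5900 across several destination addresses. The sample log is constructed with documentation-range addresses, and the names parse_line, find_sweeps and the min_targets threshold are assumptions for illustration.

```python
import re
from collections import defaultdict

# Netfilter LOG fields as they appear in the post (SRC=, DST=, PROTO=, DPT=).
IPT_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+)")
# PIX deny message: "Deny tcp src <if>:<ip>/<port> dst <if>:<ip>/<port>".
PIX_RE = re.compile(r"Deny tcp src \S+?:(?P<src>[\d.]+)/\d+ dst \S+?:(?P<dst>[\d.]+)/(?P<dpt>\d+)")

def parse_line(line):
    """Return (src, dst, dport) for a recognised drop/deny line, else None."""
    for rx in (IPT_RE, PIX_RE):
        m = rx.search(line)
        if m:
            return m["src"], m["dst"], int(m["dpt"])
    return None  # unrelated line, or addresses redacted as in the post

def find_sweeps(lines, port=5900, min_targets=3):
    """Map each source to the sorted destinations it probed on `port`,
    keeping only sources that touched at least `min_targets` distinct hosts."""
    targets = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == port:
            targets[rec[0]].add(rec[1])  # a set, so repeated passes count once
    return {s: sorted(d) for s, d in targets.items() if len(d) >= min_targets}

# Constructed sample log (documentation-range addresses, not from the post).
IPT = ("Jan  3 14:04:{s:02d} asgard kernel: IPT INPUT packet died: IN=ppp0 OUT= MAC= "
       "SRC={src} DST={dst} LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=42217 DF "
       "PROTO=TCP SPT=3447 DPT={dpt} WINDOW=16384 RES=0x00 SYN URGP=0")
PIX = ('Jan 01 2006 13:22:45: %PIX-4: Deny tcp src outside:{src}/4101 '
       'dst inside:{dst}/{dpt} by access-group "outside"')
SAMPLE = (
    [IPT.format(s=i, src="198.51.100.23", dst=f"192.0.2.{i}", dpt=5900) for i in range(1, 9)]
    + [IPT.format(s=30, src="198.51.100.99", dst="192.0.2.1", dpt=22)]  # other port
    + [PIX.format(src="203.0.113.7", dst=f"10.1.1.{i}", dpt=5900)
       for _ in range(2) for i in (10, 11, 12)]                          # two passes
    + [PIX.format(src="203.0.113.50", dst="10.1.1.10", dpt=5900)]        # single probe
)

if __name__ == "__main__":
    for src, dsts in find_sweeps(SAMPLE).items():
        print(f"{src} probed tcp/5900 on {len(dsts)} hosts: {', '.join(dsts)}")
```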
