[Dshield] VNC scanning?

TRushing@hollandco.com TRushing at hollandco.com
Tue Jan 3 20:53:30 GMT 2006


I saw a scan from 66.115.9.14 to TCP port 5900 running through my 8 home 
IPs just a bit ago:

Jan  3 14:04:49 asgard kernel: IPT INPUT packet died: IN=ppp0 OUT= MAC= 
SRC=66.115.9.14 DST=a.b.c.d LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=42217 DF 
PROTO=TCP SPT=3447 DPT=5900 WINDOW=16384 RES=0x00 SYN URGP=0 

I'm seeing the same thing on a corporate firewall from a different source 
IP (68.223.195.98).  Ran through our subnet twice.

Jan 01 2006 13:22:45: %PIX-4: Deny tcp src outside:68.223.195.98/50508 dst 
inside:a.b.c.d/5900 by access-group "outside"

Looking at the 5900 port stats at 

http://isc.sans.org/port_details.php?port=5900

I see very few sources and a slight target spike on 12/3, though still, I 
imagine, a very low scan level.  Given that, it strikes me as odd that I'd 
see scans on a work site using T-1 and a home site using DSL within a 
short time period.

I did not find any recent announcements of VNC vulnerabilities.  In fact, 
about the only 2005 item I could find was a brief thread at

http://www.realvnc.com/pipermail/vnc-list/2005-June/thread.html#51336

where class101 AT phreaker.net seems to think he's discovered a number of 
unsecured VNC servers, but the RealVNC person participating in the thread 
seems to think they are full of it.

Tim Rushing
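
Added example, not part of the original post: one way to put iptables LOG lines and PIX deny lines like the two quoted above into a common form and list sources that probed TCP 5900 on several distinct destinations. All addresses in the sample are constructed from documentation ranges, and the names parse, sweeps and min_targets are illustrative assumptions.

```python
import re
from collections import defaultdict

# Netfilter LOG output: KEY=value pairs following a free-form prefix.
IPT_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=TCP SPT=\d+ DPT=(?P<dport>\d+)")
# Cisco PIX deny message: "src <iface>:<ip>/<port> dst <iface>:<ip>/<port>".
PIX_RE = re.compile(
    r"Deny tcp src \S+?:(?P<src>[^/\s]+)/\d+ dst \S+?:(?P<dst>[^/\s]+)/(?P<dport>\d+)")


def parse(line):
    """Return (src, dst, dport) for either log format, or None if no match."""
    for rx in (IPT_RE, PIX_RE):
        m = rx.search(line)
        if m:
            return m["src"], m["dst"], int(m["dport"])
    return None


def sweeps(lines, port=5900, min_targets=3):
    """Sources that hit `port` on at least `min_targets` distinct destinations."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec and rec[2] == port:
            seen[rec[0]].add(rec[1])
    return {s: sorted(d) for s, d in seen.items() if len(d) >= min_targets}


# Constructed sample in the two formats shown in the post (one record per line).
SAMPLE = [
    f"Jan  3 14:04:4{i} asgard kernel: IPT INPUT packet died: IN=ppp0 OUT= MAC= "
    f"SRC=198.51.100.7 DST=192.0.2.{i} LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=4221{i} "
    f"DF PROTO=TCP SPT=344{i} DPT=5900 WINDOW=16384 RES=0x00 SYN URGP=0"
    for i in (1, 2, 3)
] + [
    # Same source, different port: must not count toward the 5900 sweep.
    "Jan  3 14:05:01 asgard kernel: IPT INPUT packet died: IN=ppp0 OUT= MAC= "
    "SRC=198.51.100.7 DST=192.0.2.4 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=42300 "
    "DF PROTO=TCP SPT=3450 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0",
    'Jan 01 2006 13:22:45: %PIX-4: Deny tcp src outside:203.0.113.9/50508 '
    'dst inside:192.0.2.129/5900 by access-group "outside"',
    'Jan 01 2006 13:22:46: %PIX-4: Deny tcp src outside:203.0.113.9/50509 '
    'dst inside:192.0.2.130/5900 by access-group "outside"',
]

if __name__ == "__main__":
    for src, dsts in sweeps(SAMPLE, min_targets=2).items():
        print(f"{src} probed tcp/5900 on {len(dsts)} hosts: {', '.join(dsts)}")
```

Log lines that the mail client wrapped, as in the post, have to be rejoined into one record per line before parsing.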

