[Dshield] VNC Scanning again

TRushing@hollandco.com
Wed Jan 4 20:00:59 GMT 2006

I've just seen a third VNC scanning hit.  I had posted a message to the 
list yesterday, but it hasn't been released yet.

Since the new year started, I have seen 3 different scans for tcp 5900 at 
two different sets of public IPs.  One is a full Class C, which I've seen 
scanned twice.  The other is just a DSL with 8 IPs attached.

Looking at the DShield/ISC port report, we have fewer than 200 machines 
actively scanning tens or hundreds of thousands of distinct targets each day.


There was a spike on 31 Dec 2005.  For that day, again according to ISC, 
it was the 5th most scanned port when sorting by unique destinations:


Port    Reports  Sources  Targets

1433    420139   4214     118072
80      538623   23144    113745
1434    746252   6884     113243
3306    269707   400      111795
5900    425612   152      110984

It's 18th on 1 Jan
4th on 2 Jan
11th on 3 Jan
16th on 4 Jan

With a scan prevalence like that, you'd think that I would have seen more 
examples.  For most of the other top 10, I have many examples in my logs, 
but since 1 Jan, I have only 3 examples from two sites.  Is someone 
systematically working their way through the IP space and that's why I 
have only recently seen scans?

Jan  3 14:04:49 asgard kernel: IPT INPUT packet died: IN=ppp0 OUT= MAC= SRC= DST=a.b.c.d LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=42217 DF PROTO=TCP SPT=3447 DPT=5900 WINDOW=16384 RES=0x00 SYN URGP=0

Jan 01 2006 13:22:45: %PIX-4: Deny tcp src outside: dst inside:d.c.b.a/5900 by access-group "outside"

Jan 04 2006 04:34:52: %PIX-4-106023: Deny tcp src outside: dst inside:d.c.b.a/5900 by access-group 

Whois makes all three IPs appear to be US broadband accounts--likely 
zombie machines.  But, if someone is using zombies, why only scan from so 

Tim Rushing
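One way to pull tcp/5900 hits out of logs in the two formats quoted above (iptables kernel log and Cisco PIX 106023 deny) and tally them into the same three columns the DShield port report uses: reports, distinct sources, distinct targets. This is an added example, not code from the post or from DShield/ISC. The sample log lines are constructed, with placeholder addresses from the RFC 5737 documentation ranges in place of the anonymized SRC/DST fields, and the PIX pattern assumes the message-ID form %PIX-4-106023 seen in the second firewall line rather than the bare %PIX-4 of the first.

```python
"""Tally VNC (tcp/5900) scan hits from mixed iptables and Cisco PIX deny logs."""
import re
from collections import Counter, defaultdict

# Constructed sample lines modelled on the two formats quoted in the post.
# Addresses are RFC 5737 documentation placeholders, not real scanning hosts.
SAMPLE_LOGS = """\
Jan  3 14:04:49 asgard kernel: IPT INPUT packet died: IN=ppp0 OUT= MAC= SRC=198.51.100.7 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=42217 DF PROTO=TCP SPT=3447 DPT=5900 WINDOW=16384 RES=0x00 SYN URGP=0
Jan  3 14:05:01 asgard kernel: IPT INPUT packet died: IN=ppp0 OUT= MAC= SRC=198.51.100.7 DST=192.0.2.11 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=42218 DF PROTO=TCP SPT=3448 DPT=5900 WINDOW=16384 RES=0x00 SYN URGP=0
Jan  3 14:06:12 asgard kernel: IPT INPUT packet died: IN=ppp0 OUT= MAC= SRC=203.0.113.5 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=1001 DF PROTO=TCP SPT=4000 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0
Jan 01 2006 13:22:45: %PIX-4-106023: Deny tcp src outside:198.51.100.9/2345 dst inside:192.0.2.20/5900 by access-group "outside"
Jan 04 2006 04:34:52: %PIX-4-106023: Deny tcp src outside:198.51.100.9/2346 dst inside:192.0.2.21/5900 by access-group "outside"
Jan 04 2006 04:35:00: %PIX-4-106023: Deny udp src outside:203.0.113.9/1434 dst inside:192.0.2.21/1434 by access-group "outside"
"""

# iptables LOG target: key=value fields; SRC/DST come before PROTO, DPT after SPT.
IPT_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dport>\d+)"
)
# PIX/ASA 106023: "Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port> by access-group ..."
# (assumes the %PIX-4-106023 message-ID form, not the bare %PIX-4 prefix).
PIX_RE = re.compile(
    r"%PIX-\d-106023: Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/\d+ "
    r"dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)


def parse_line(line):
    """Return {'src','dst','proto','dport'} for a recognised deny line, else None."""
    for rx in (IPT_RE, PIX_RE):
        m = rx.search(line)
        if m:
            rec = m.groupdict()
            rec["proto"] = rec["proto"].lower()   # iptables logs TCP, PIX logs tcp
            rec["dport"] = int(rec["dport"])
            return rec
    return None


def port_hits(log_text, port=5900, proto="tcp"):
    """(src, dst) pairs for every denied connection to proto/port, in log order."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["proto"] == proto and rec["dport"] == port:
            hits.append((rec["src"], rec["dst"]))
    return hits


def summarize(log_text, port=5900):
    """Reports / sources / targets for one port, plus a per-source breakdown.

    'reports' counts hits, 'sources' distinct scanning IPs, 'targets' distinct
    scanned IPs, matching the columns of the DShield port report.
    """
    hits = port_hits(log_text, port)
    reports = Counter(src for src, _ in hits)
    targets = defaultdict(set)
    for src, dst in hits:
        targets[src].add(dst)
    return {
        "reports": len(hits),
        "sources": len(reports),
        "targets": len({dst for _, dst in hits}),
        "per_source": {
            s: {"reports": reports[s], "targets": len(targets[s])} for s in reports
        },
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOGS)
    print(f"tcp/5900: {summary['reports']} reports, "
          f"{summary['sources']} sources, {summary['targets']} targets")
    for src, stats in sorted(summary["per_source"].items()):
        print(f"  {src:<15} reports={stats['reports']} targets={stats['targets']}")
```

The per-source targets count is the figure to watch when deciding whether a few hosts are sweeping address space: a handful of sources each touching many distinct targets is the pattern the DShield row for 5900 (152 sources, ~111k targets) shows, while many sources each hitting one or two targets points at unrelated noise.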

