[Dshield] VNC Scanning again
TRushing at hollandco.com
Wed Jan 4 20:00:59 GMT 2006
I've just seen a third VNC scanning hit. I had posted a message to the
list yesterday, but it hasn't been released yet.
Since the new year started, I have seen 3 different scans for tcp 5900 at
two different sets of public IPs. One is a full Class C, which I've seen
scanned twice. The other is just a DSL with 8 IPs attached.
Looking at the DShield/ISC port report, we have less than 200 machines
actively scanning tens or hundreds of thousand distinct targets each day.
There was a spike on 31 Dec 2005. For that day, again according to ISC,
it was the 5th most scanned port when sorting by unique destinations:
Reports Sources Targets
1433 420139 4214 118072
80 538623 23144 113745
1434 746252 6884 113243
3306 269707 400 111795
5900 425612 152 110984
It's 18th on 1 Jan
4th on 2 Jan
11th on 3 Jan
16th on 4 Jan
With a scan prevalence like that, you'd think that I would have seen more
examples. For most of the other top 10, I have many examples in my logs,
but since 1 Jan, I have only 3 examples from two sites. Is someone
systematically working their way through the IP space and that's why I
have only recently seen scans?
Jan 3 14:04:49 asgard kernel: IPT INPUT packet died: IN=ppp0 OUT= MAC=
SRC=220.127.116.11 DST=a.b.c.d LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=42217 DF
PROTO=TCP SPT=3447 DPT=5900 WINDOW=16384 RES=0x00 SYN URGP=0
Jan 01 2006 13:22:45: %PIX-4: Deny tcp src outside:18.104.22.168/50508 dst
inside:d.c.b.a/5900 by access-group "outside"
Jan 04 2006 04:34:52: %PIX-4-106023: Deny tcp src
outside:22.214.171.124/17772 dst inside:d.c.b.a/5900 by access-group
Whois makes all three IPs appear to be US broadband accounts--likely
zombie machines. But, if someone is using zombies, why only scan from so
More information about the list