[Dshield] VNC Scanning again

TRushing@hollandco.com
Wed Jan 4 20:00:59 GMT 2006


I've just seen a third VNC scanning hit.  I had posted a message to the 
list yesterday, but it hasn't been released yet.

Since the new year started, I have seen 3 different scans for tcp 5900 at 
two different sets of public IPs.  One is a full Class C, which I've seen 
scanned twice.  The other is just a DSL with 8 IPs attached.

Looking at the DShield/ISC port report, we have less than 200 machines 
actively scanning tens or hundreds of thousand distinct targets each day.

http://isc.sans.org/port_details.php?port=5900

There was a spike on 31 Dec 2005.  For that day, again according to ISC, 
it was the 5th most scanned port when sorting by unique destinations:

http://isc.sans.org/port_report.php?l=20&a=0&s=targets&d=desc&date_month=12&date_day=31&date_year=2005

Port    Reports  Sources  Targets

1433    420139   4214     118072
80      538623   23144    113745
1434    746252   6884     113243
3306    269707   400      111795
5900    425612   152      110984

It's 18th on 1 Jan
4th on 2 Jan
11th on 3 Jan
16th on 4 Jan

With a scan prevalence like that, you'd think that I would have seen more 
examples.  For most of the other top 10, I have many examples in my logs, 
but since 1 Jan, I have only 3 examples from two sites.  Is someone 
systematically working their way through the IP space and that's why I 
have only recently seen scans?

Jan  3 14:04:49 asgard kernel: IPT INPUT packet died: IN=ppp0 OUT= MAC= 
SRC=66.115.9.14 DST=a.b.c.d LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=42217 DF 
PROTO=TCP SPT=3447 DPT=5900 WINDOW=16384 RES=0x00 SYN URGP=0 

Jan 01 2006 13:22:45: %PIX-4: Deny tcp src outside:68.223.195.98/50508 dst 
inside:d.c.b.a/5900 by access-group "outside"

Jan 04 2006 04:34:52: %PIX-4-106023: Deny tcp src 
outside:66.80.175.2/17772 dst inside:d.c.b.a/5900 by access-group 
"outside"


Whois makes all three IPs appear to be US broadband accounts--likely 
zombie machines.  But, if someone is using zombies, why only scan from so 
few?

Tim Rushing
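As an added example (not part of the post or of any DShield tooling), a small Python parser that handles both log formats quoted above, the iptables "IPT INPUT packet died" line and the PIX 106023 deny line, and reports per-source TCP 5900 hit counts and how many distinct destinations each source touched. The sample lines below are constructed with documentation addresses, not the author's data.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the two formats in the post
# (addresses and IDs are made up, not the ones the author observed).
SAMPLE_LOG = """\
Jan  3 14:04:49 asgard kernel: IPT INPUT packet died: IN=ppp0 OUT= MAC= SRC=192.0.2.14 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=42217 DF PROTO=TCP SPT=3447 DPT=5900 WINDOW=16384 RES=0x00 SYN URGP=0
Jan  3 14:05:01 asgard kernel: IPT INPUT packet died: IN=ppp0 OUT= MAC= SRC=192.0.2.14 DST=198.51.100.8 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=42218 DF PROTO=TCP SPT=3448 DPT=5900 WINDOW=16384 RES=0x00 SYN URGP=0
Jan  3 14:06:10 asgard kernel: IPT INPUT packet died: IN=ppp0 OUT= MAC= SRC=192.0.2.77 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0
Jan 01 2006 13:22:45: %PIX-4-106023: Deny tcp src outside:203.0.113.98/50508 dst inside:198.51.100.9/5900 by access-group "outside"
Jan 04 2006 04:34:52: %PIX-4-106023: Deny tcp src outside:203.0.113.2/17772 dst inside:198.51.100.9/5900 by access-group "outside"
Jan 04 2006 04:35:00: %PIX-4-106023: Deny udp src outside:203.0.113.2/17773 dst inside:198.51.100.9/5900 by access-group "outside"
"""

# iptables LOG target: key=value pairs, protocol and destination port come late in the line.
IPT_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dport>\d+)")
# PIX deny: "Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port>"
PIX_RE = re.compile(r"Deny (?P<proto>\w+) src \S+:(?P<src>[\d.]+)/\d+ dst \S+:(?P<dst>[\d.]+)/(?P<dport>\d+)")


def parse_line(line):
    """Return (proto, src, dst, dport) for an iptables or PIX deny line, else None."""
    m = IPT_RE.search(line) or PIX_RE.search(line)
    if not m:
        return None
    return (m["proto"].lower(), m["src"], m["dst"], int(m["dport"]))


def vnc_scan_summary(log_text, port=5900):
    """Map each source that sent TCP to `port` to (hit count, distinct destinations)."""
    hits = Counter()
    targets = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        proto, src, dst, dport = rec
        if proto != "tcp" or dport != port:   # ignore other ports and non-TCP noise
            continue
        hits[src] += 1
        targets.setdefault(src, set()).add(dst)
    return {src: (hits[src], len(targets[src])) for src in hits}


if __name__ == "__main__":
    for src, (n, ndst) in sorted(vnc_scan_summary(SAMPLE_LOG).items()):
        print(f"{src}: {n} hits on tcp/5900 across {ndst} destination(s)")
```

Feeding a whole month of firewall logs through vnc_scan_summary gives the per-source view the post is asking about: a handful of sources each sweeping many destinations looks different from many sources each probing once.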

