Reported Spike in tcp/5901 and tcp/5900

Published: 2013-10-12
Last Updated: 2013-10-12 02:51:18 UTC
by Richard Porter (Version: 1)
5 comment(s)

We have had a report of elevated activity on tcp/5901 and 5900, anyone else observing a significant spike in VNC scans?

Richard Porter

--- ISC Handler on Duty

Keywords: Scan Activity VNC

Comments

I actually found the source of the trouble coming from inside the DC I work in. There was a malicious script running in a screen session on one of our clients servers (AS10439). If you were affected by an IP within this address space, please email me at zwikholm@cari.net. Thanks guys.

Zach W.
Thanks for fessing up, Zach, but I think it's a global thing. Definitely noticed a spike in my firewall for port 5900 hits. Actually did not see any scans from your ASN. Your incident may be just an example of what is going on globally. AS4134 was the biggest offender in my iptables, but I think that is because AS4134 advertises over 600 giant prefixes. Here are the ASes my firewall saw in the spike, which indicate there are no favorite regions... more IP space, more hits.

ASN    Continent      Country
4621   Asia           TH
17090  North America  US
50613  Europe         IS
20454  North America  US
42708  Europe         SE
25761  North America  US
7922   North America  US
4134   Asia           CN
9848   Asia           KR
50613  Europe         DE
32475  North America  US
30217  North America  US
19994  North America  US
9931   Asia           TH
39743  Europe         RO
16265  Europe         NL
36493  North America  CA
15699  Europe         ES
21844  North America  US
13768  North America  US
17621  Asia           CN
4837   Asia           CN
8972   Europe         DE
18239  Asia           CN
10036  Asia           KR
9381   Asia           HK
30633  North America  US

Any chance you can post that script and details on the vulnerability it may have used to execute? Perhaps poor VNC credentials?
I've also noticed a higher number of port 5900 attempts against my ShoreWall installation. Most of them were on Oct 10, 2013 from a single IP, 192.241.137.210. This is a sorted uniq list of the sources for that day for destination port 5900:

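As an added example (not part of the diary or of any commenter's post), here is a Python script that does what the commenters above describe doing by hand: it parses iptables/Shorewall-style kernel LOG lines, counts tcp/5900 and tcp/5901 hits per source per day, produces the "sorted uniq" source list for a day, and flags days whose VNC hit count stands out against the other days. The log lines are constructed with RFC 5737 documentation addresses; the spike threshold factor is an assumption.

```python
import re
from collections import Counter, defaultdict

# Constructed iptables-style LOG lines (not from the diary or any real firewall).
SAMPLE_LOG = """\
Oct  9 14:02:11 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=44211 DPT=5900 SYN
Oct  9 18:40:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 PROTO=TCP SPT=51000 DPT=22 SYN
Oct 10 01:15:27 fw kernel: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.2 PROTO=TCP SPT=39120 DPT=5900 SYN
Oct 10 01:15:28 fw kernel: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.2 PROTO=TCP SPT=39121 DPT=5901 SYN
Oct 10 01:15:29 fw kernel: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.2 PROTO=TCP SPT=39122 DPT=5900 SYN
Oct 10 02:30:00 fw kernel: IN=eth0 OUT= SRC=192.0.2.55 DST=198.51.100.2 PROTO=TCP SPT=40000 DPT=5900 SYN
Oct 10 03:45:10 fw kernel: IN=eth0 OUT= SRC=192.0.2.56 DST=198.51.100.2 PROTO=TCP SPT=40001 DPT=5901 SYN
Oct 11 09:00:00 fw kernel: IN=eth0 OUT= SRC=203.0.113.8 DST=198.51.100.2 PROTO=TCP SPT=42000 DPT=5900 SYN
"""

# Syslog timestamp, then the SRC= and DPT= fields of a TCP packet.
LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+) \S+ .*?SRC=(?P<src>[\d.]+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+)"
)
VNC_PORTS = {5900, 5901}  # the two ports the diary asks about

def vnc_hits(log_text):
    """Return {day: Counter(src -> hits)} for TCP packets aimed at the VNC ports."""
    per_day = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and int(m.group("dpt")) in VNC_PORTS:
            day = f"{m.group('mon')} {int(m.group('day')):02d}"
            per_day[day][m.group("src")] += 1
    return per_day

def top_sources(per_day, day):
    """The 'sort | uniq -c' view for one day: (src, hits), busiest source first."""
    return sorted(per_day[day].items(), key=lambda kv: (-kv[1], kv[0]))

def spike_days(per_day, factor=3.0):
    """Days whose VNC total exceeds `factor` times the mean of the other days (assumed threshold)."""
    totals = {day: sum(c.values()) for day, c in per_day.items()}
    flagged = []
    for day, total in totals.items():
        others = [t for d, t in totals.items() if d != day]
        if others and total > factor * (sum(others) / len(others)):
            flagged.append(day)
    return sorted(flagged)

if __name__ == "__main__":
    hits = vnc_hits(SAMPLE_LOG)
    for day in spike_days(hits):
        print(f"spike on {day}: {sum(hits[day].values())} VNC hits")
        for src, n in top_sources(hits, day):
            print(f"  {n:4d}  {src}")
```

Pointing the script at a real firewall log only requires feeding the file contents to vnc_hits; lines for other ports or protocols are ignored by the filter.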
This spike started on 29th September for me. I had over 300 attempts within 3 hours.
Almost all the IPs are registered to South American countries; many are IPs that LACNIC has reclaimed and not re-allocated yet. I would guess that someone at LACNIC is borrowing IPs for abusive purposes.
We see VNC scanning all the time, of course, but nothing that I would consider out of the ordinary nor "a spike" in the past days/weeks/months.
