Port 5901 scanning
Last Updated: 2007-07-03 22:28:54 UTC
by Maarten Van Horenbeeck (Version: 1)
Will the internet come to a grinding halt on July 4th? Should we start preparing the first 'crackberry' detox centres? Not really. However, according to media reports something does seem to be amiss. Some outlets have reported on the major increase in port 5901 scanning we're seeing in our (your) logs. This increase is not uncorroborated. Others are reporting very similar increases.
Port 5901 is generally used as the first VNC (Virtual Network Computing) display on Linux machines, and the second one on Windows hosts. There are a number of popular implementations of VNC, of which the most popular are UltraVNC, TightVNC and RealVNC. A number of recent security vulnerabilities have added incentive for attackers to start indexing hosts running this service. In 2006, for example, RealVNC allowed authentication bypass, while UltraVNC was plagued by a number of buffer overflow vulnerabilities.
No reason for panic just yet. It likely indicates attackers may have been successful in compromising a number of hosts using vulnerabilities in this service, increasing their belief in VNC as a viable attack vector. It could also indicate the release of new attack tools.
As such, if you notice any machines on a network under your control scanning for port 5900 or 5901/TCP, we'd be very interested in hearing what the result of your investigation was. Did you find any new tools, or was it the same old "VNC_bypauth"? Get in touch with us here. Thanks!
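
One way to find the machines described above in your own firewall logs, as an added example that is not part of the original diary: it flags internal sources that send TCP SYNs to 5900 or 5901 on several distinct hosts. The log format (trimmed iptables LOG lines), the 10.0.0.0/8 internal range, the threshold and the sample lines are all assumptions.

```python
import ipaddress
import re
from collections import defaultdict

VNC_PORTS = {5900, 5901}  # the two ports named in the diary
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumption: your address space
THRESHOLD = 3  # assumption: distinct targets before a host is flagged

# Constructed sample lines, trimmed iptables LOG format (not real traffic).
SAMPLE_LOG = """\
Jul  3 22:01:10 fw kernel: IN=eth1 OUT=eth0 SRC=10.1.2.3 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=5901 SYN
Jul  3 22:01:10 fw kernel: IN=eth1 OUT=eth0 SRC=10.1.2.3 DST=192.0.2.11 PROTO=TCP SPT=40002 DPT=5901 SYN
Jul  3 22:01:11 fw kernel: IN=eth1 OUT=eth0 SRC=10.1.2.3 DST=192.0.2.12 PROTO=TCP SPT=40003 DPT=5900 SYN
Jul  3 22:01:11 fw kernel: IN=eth1 OUT=eth0 SRC=10.1.2.3 DST=198.51.100.7 PROTO=TCP SPT=40004 DPT=5901 SYN
Jul  3 22:02:00 fw kernel: IN=eth1 OUT=eth0 SRC=10.1.2.9 DST=192.0.2.50 PROTO=TCP SPT=51000 DPT=5901 SYN
Jul  3 22:05:00 fw kernel: IN=eth1 OUT=eth0 SRC=10.1.2.9 DST=192.0.2.50 PROTO=TCP SPT=51001 DPT=5901 SYN
Jul  3 22:05:30 fw kernel: IN=eth1 OUT=eth0 SRC=10.1.2.7 DST=192.0.2.10 PROTO=TCP SPT=52000 DPT=443 SYN
Jul  3 22:06:00 fw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=10.1.2.20 PROTO=TCP SPT=33000 DPT=5901 SYN
Jul  3 22:07:00 fw kernel: IN=eth1 OUT=eth0 SRC=10.1.2.3 DST=
"""

FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")


def find_vnc_scanners(log_text, threshold=THRESHOLD):
    """Map each internal source to the distinct hosts it probed on 5900/5901."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        tokens = line.split()
        fields = dict(FIELD.findall(line))
        # Count connection attempts only: TCP with SYN set and ACK clear.
        if fields.get("PROTO") != "TCP" or "SYN" not in tokens or "ACK" in tokens:
            continue
        try:
            src = ipaddress.ip_address(fields["SRC"])
            dst = ipaddress.ip_address(fields["DST"])
            dport = int(fields["DPT"])
        except (KeyError, ValueError):
            continue  # truncated or malformed line
        if dport in VNC_PORTS and src in INTERNAL:
            targets[str(src)].add(str(dst))
    # One host reaching one VNC server repeatedly is normal remote administration.
    return {s: sorted(d) for s, d in targets.items() if len(d) >= threshold}


if __name__ == "__main__":
    for host, dsts in find_vnc_scanners(SAMPLE_LOG).items():
        print(f"{host} probed {len(dsts)} hosts on 5900/5901: {', '.join(dsts)}")
```
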