We have had a report of elevated activity on tcp/5901 and 5900, anyone else observing a significant spike in VNC scans? Richard Porter --- ISC Handler on Duty
Richard 173 Posts ISC Handler Oct 12th 2013
I actually found the source of the trouble coming from inside the DC I work in. There was a malicious script running in a screen session on one of our client's servers (AS10439). If you were affected by an IP within this address space, please email me at zwikholm@cari.net. Thanks guys.
Zach W.
Zach W 10 Posts
Oct 12th 2013
Thanks for fessing up, Zach, but I think it's a global thing. Definitely noticed a spike in my firewall for port 5900 hits. Actually did not see any scans from your ASN. Your incident may be just an example of what is going on globally. AS4134 was the biggest offender in my iptables, but I think that is because AS4134 advertises over 600 giant prefixes. Here are the ASes my firewall saw in the spike, which indicate there are no favorite regions...more IP space, more hits.

ASN     Continent       Country
4621    Asia            TH
17090   North America   US
50613   Europe          IS
20454   North America   US
42708   Europe          SE
25761   North America   US
7922    North America   US
4134    Asia            CN
9848    Asia            KR
50613   Europe          DE
32475   North America   US
30217   North America   US
19994   North America   US
9931    Asia            TH
39743   Europe          RO
16265   Europe          NL
36493   North America   CA
15699   Europe          ES
21844   North America   US
13768   North America   US
17621   Asia            CN
4837    Asia            CN
8972    Europe          DE
18239   Asia            CN
10036   Asia            KR
9381    Asia            HK
30633   North America   US

Any chance you can post that script and details on the vulnerability it may have used to execute? Perhaps poor VNC credentials?
Anonymous
Oct 12th 2013
I've also noticed a higher number of port 5900 attempts against my ShoreWall installation. Most of them were on Oct 10, 2013 from a single IP, 192.241.137.210. This is a sorted uniq list of the sources for that day for destination port 5900:

185.6.80.195
192.241.137.210
203.174.53.92
216.213.84.131
223.252.19.35
59.51.66.175
74.205.222.27

LinuxNinja 2 Posts
Oct 12th 2013
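The per-ASN iptables counts and the sorted-uniq source list in the two posts above come from the same kind of log aggregation. As an added example, not code from any poster in this thread, the script below parses iptables LOG output for tcp/5900 and tcp/5901, counts hits per source and per hour, and flags an hour that stands well above the window's median, which is how a "spike" like the ones reported here would be surfaced automatically. The log line format, the thresholds and the sample addresses (RFC 5737 documentation ranges, constructed here) are my assumptions.

```python
"""Count VNC (tcp/5900, tcp/5901) connection attempts in iptables LOG output
and flag hours whose volume stands out against the rest of the window.

Added example. The log lines are constructed with RFC 5737 documentation
addresses; they are not the sources reported in the thread.
"""
import re
from collections import Counter
from datetime import datetime

VNC_PORTS = {5900, 5901}

# Fields emitted by the iptables LOG target that this script uses.
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")
# Syslog prefix, e.g. "Oct 10 03:14:07 fw kernel: VNC-IN: IN=eth0 ..."
TS_RE = re.compile(r"^([A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) ")


def parse_line(line, year=2013):
    """Return (timestamp, src, dport) for a TCP line to a VNC port, else None.

    Syslog timestamps carry no year, so the caller supplies it (assumed 2013).
    """
    m = TS_RE.match(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(line))
    if fields.get("PROTO") != "TCP" or "DPT" not in fields or "SRC" not in fields:
        return None
    dport = int(fields["DPT"])
    if dport not in VNC_PORTS:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, fields["SRC"], dport


def summarize(lines):
    """Per-source and per-hour counters of VNC attempts in an iterable of log lines."""
    by_src = Counter()
    by_hour = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, _ = rec
        by_src[src] += 1
        by_hour[ts.replace(minute=0, second=0)] += 1
    return by_src, by_hour


def spike_hours(by_hour, min_hits=50, factor=5):
    """Hours with at least min_hits attempts and at least factor x the median hour.

    The absolute floor keeps a near-idle window from flagging a handful of probes.
    """
    counts = sorted(by_hour.values())
    if not counts:
        return []
    median = counts[len(counts) // 2]
    return sorted(h for h, n in by_hour.items() if n >= min_hits and n >= factor * median)


def make_line(stamp, src, dport, proto="TCP"):
    """Build one iptables LOG line in syslog form (constructed sample format)."""
    return (f"{stamp} fw kernel: VNC-IN: IN=eth0 OUT= "
            f"MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
            f"SRC={src} DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF "
            f"PROTO={proto} SPT=40000 DPT={dport} WINDOW=29200 RES=0x00 SYN URGP=0")


# Constructed sample: a quiet baseline over five hours, then a burst from one source.
SAMPLE_LOG = []
for hour in range(5):
    SAMPLE_LOG.append(make_line(f"Oct 10 0{hour}:10:00", f"203.0.113.{hour + 1}", 5900))
    SAMPLE_LOG.append(make_line(f"Oct 10 0{hour}:40:00", f"203.0.113.{hour + 50}", 5901))
    SAMPLE_LOG.append(make_line(f"Oct 10 0{hour}:50:00", f"203.0.113.{hour + 100}", 22))  # SSH, ignored
for minute in range(60):
    SAMPLE_LOG.append(make_line(f"Oct 10 05:{minute:02d}:00", "192.0.2.10", 5900))
SAMPLE_LOG.append(make_line("Oct 10 05:30:00", "192.0.2.11", 5900, proto="UDP"))  # not TCP, ignored


if __name__ == "__main__":
    srcs, hours = summarize(SAMPLE_LOG)
    print("top sources:", srcs.most_common(3))
    for h in spike_hours(hours):
        print(f"spike: {h:%b %d %H:00} with {hours[h]} VNC attempts")
```

Pointing `summarize()` at the lines of a real firewall log (after adding a LOG rule for tcp/5900-5901, or reusing an existing one) gives the same per-source ranking the posters compiled by hand; the median-based threshold adapts to each host's normal background of VNC probing instead of using one fixed number.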
This spike started on 29th September for me. I had over 300 attempts within 3 hours.
Almost all the IPs are registered to South American countries, many IPs LACNIC has reclaimed and have not been re-allocated yet. I would guess that someone at LACNIC is borrowing IPs for abusive purposes.
Phil 1 Posts
Oct 13th 2013
We see VNC scanning all the time, of course, but nothing that I would consider out of the ordinary nor "a spike" in the past days/weeks/months.
Ken 40 Posts
Oct 13th 2013