Threat Level: green Handler on Duty: Guy Bruneau

SANS ISC: Port 5901 scanning SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms:

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Port 5901 scanning

Will the internet come to a grinding halt on July 4th ? Should we start preparing the first 'crackberry' detox centres? Not really. However, according to media reports something does seem to be amiss. Some outlets have reported on the major increase in port 5901 scanning we're seeing in our (your) logs. This increase is not uncollaborated. Others are reporting very similar increases.

Port 5901 is generally used as the first VNC (Virtual Network Computing) display on Linux machines, and the second one on Windows hosts. There are a number of popular implementations of VNC, of which the most popular are UltraVNC, TightVNC and RealVNC. A number of recent security vulnerabilities have added incentive for attackers to start indexing hosts running this service. In 2006, for example, RealVNC allowed authentication bypass, while UltraVNC was plagued by a number of buffer overflow vulnerabilities.

No reason for panic just yet. It likely indicates attackers may have been succesful in compromising a number of hosts using vulnerabilities in this service, increasing their belief in VNC as a viable attack vector. It could also indicate the release of new attack tools.

As such, if you notice any machines on a network under your control scanning for port 5900 or 5901/TCP, we'd be very interested in hearing what the result of your investigation was. Did you find any new tools, or was it the same old "VNC_bypauth" ? Get in touch with us here. Thanks!


158 Posts
Jul 3rd 2007

Sign Up for Free or Log In to start participating in the conversation!