[nsp-sec] VNC scanning
Gong, Yiming
Yiming.Gong at xo.com
Fri Oct 30 18:36:13 EDT 2009
The following list shows the number of unique source IPs scanning port 5900 hitting our darkIP for the past 8 days; the number did not go up a lot.
+------------+--------------+
| date       | Distinct sip |
+------------+--------------+
| 2009-10-23 |          739 |
| 2009-10-24 |          391 |
| 2009-10-25 |          298 |
| 2009-10-26 |          367 |
| 2009-10-27 |           96 |
| 2009-10-28 |          412 |
| 2009-10-29 |          770 |
| 2009-10-30 |          682 |
+------------+--------------+
ISC pages show no spike either: http://isc.sans.org/port.html?port=5900
Yiming
-----Original Message-----
From: nsp-security-bounces at puck.nether.net [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of David Freedman
Sent: Friday, October 30, 2009 4:04 PM
To: nsp-security at puck.nether.net
Subject: [nsp-sec] VNC scanning
----------- nsp-security Confidential --------
Have caught a box here scanning for VNC servers incrementally (i.e. 10.0.0.1:5900, 10.0.0.2:5900, etc.).
It managed to send around 2 million of these SYNs in a NetFlow 5-minute sampling period
(around 8K/second).
Is this anything new? Last one I'm aware of was a RealVNC exploit earlier this year.
Dave.
------------------------------------------------
David Freedman
Group Network Engineering
Claranet Limited
http://www.clara.net
_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security
Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
community. Confidentiality is essential for effective Internet security counter-measures.
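The two measurements discussed in this thread, as an added example that is not part of either message: counting distinct source IPs per day for port 5900, and flagging a source whose targets increment one address at a time. The CSV flow layout, the function names and the sample records are assumptions constructed for illustration.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed flow records (timestamp, src, dst, dst_port, tcp_flags); not real data.
SAMPLE_FLOWS = """\
2009-10-29T20:00:00,192.0.2.10,198.51.100.1,5900,S
2009-10-29T20:00:00,192.0.2.10,198.51.100.2,5900,S
2009-10-29T20:00:01,192.0.2.10,198.51.100.3,5900,S
2009-10-29T20:00:01,192.0.2.10,198.51.100.4,5900,S
2009-10-29T20:00:02,192.0.2.10,198.51.100.5,5900,S
2009-10-29T20:03:10,203.0.113.7,198.51.100.77,5900,S
2009-10-29T21:15:42,203.0.113.7,198.51.100.12,5900,S
2009-10-30T02:11:05,203.0.113.99,198.51.100.200,5900,S
2009-10-30T02:11:06,203.0.113.99,198.51.100.80,22,S
2009-10-30T09:30:00,192.0.2.10,198.51.100.6,5900,S
"""

def parse_flows(text, port=5900):
    """Yield (day, src, dst_as_int) for SYN-only flows to `port`."""
    for ts, src, dst, dport, flags in csv.reader(io.StringIO(text)):
        if int(dport) == port and flags == "S":
            yield ts[:10], src, int(ipaddress.ip_address(dst))

def distinct_sources_per_day(text, port=5900):
    """Per-day count of distinct source IPs, the metric in the table above."""
    seen = defaultdict(set)
    for day, src, _ in parse_flows(text, port):
        seen[day].add(src)
    return {day: len(srcs) for day, srcs in sorted(seen.items())}

def incremental_scanners(text, port=5900, min_run=4):
    """Sources whose targets, in arrival order, step by +1 at least min_run times in a row."""
    last, run, best = {}, defaultdict(int), defaultdict(int)
    for _, src, dst in parse_flows(text, port):
        # Extend the run only when this target is exactly the previous one plus 1.
        run[src] = run[src] + 1 if last.get(src) == dst - 1 else 0
        best[src] = max(best[src], run[src])
        last[src] = dst
    return {src: n for src, n in best.items() if n >= min_run}

if __name__ == "__main__":
    print(distinct_sources_per_day(SAMPLE_FLOWS))
    print(incremental_scanners(SAMPLE_FLOWS))
```

With sampled NetFlow the observed targets will have gaps, so on real exports the +1 step test would need to tolerate a small positive stride rather than exactly one.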