Network Disruptions: VNC and TCP Port 5405

In an article yesterday entitled A glitch in the Matrix, or a hungry exploit?, reporters at The Register were asking about Internet outages. This article seems to suggest that TCP port 5901 (VNC) scanning is to blame. VNC is Virtual Network Computing, a way of accessing one’s PC from another using simple software. It’s much like GoToMyPC, Remote Desktop, LogMeIn, and other such services, only it’s free and cross platform, and also open source. Implementations have had bugs (ie buffer overflows, see the sidebar on that service report to see what’s up with VNC vulnerabilities over the past few years) and, of course, you can always brute force your way into the box via weak passwords. It’s a longstanding attacker favorite. Such an increase in traffic wouldn’t be out of the blue, it would probably be associated with an aggressive botnet.

So, do we see a similar rise in attacks and traffic? No. ATLAS reports a 181% rise over the 24 hours ending July 1 in VNC attacks on TCP ports 5900 and 5901 (about a 2 to 1 ratio between the two), and a 1100% rise in TCP port 5901 scanning over that 24 hour time period.

vnc_attacks_week

VNC attacks over the past week. Red bars are attacks on TCP port 5900, blue bars are attacks on TCP port 5901.

However, this still dwarfs in comparison to SMYC06-010 scanning and MS SQL attacks (#1 and #2 on July 1, respectively; VNC attacks are #3 on July 1, and quite often a top 5 attack in ATLAS). VNC scans on TCP port 5901 are not in the top 5 for July 1.

tcp_5901_scans_week

TCP port 5901 scans over the past week. The different colors are different sources. While we see a spike over the weekend, this is inconsequential compared to the other, more dominant scans in this timeframe.

Other folks are now asking what’s up with TCP port 5405. In short, we see nothing up with it in the past 24 hours.

tcp_5405_scans_week

TCP port 5405 scans from the past week. Two different sources committed a few scans, but nothing serious. This pales in comparison to the other services scanned in this timeframe.

So, looking at ATLAS for answers to these questions, I see nothing to worry about right now. This is exactly one of the reasons we built ATLAS the way we did and structured the reports how we did. As an analyst, I need to see stuff in context with other activities and not in isolation, because it’s easy to see a spike and begin to worry. Secondly, we needed to disambiguate scans and attacks from random packets, and we do. Finally, background information about a service, including vulnerabilities and known applications, is also a valuable timesaver. It’s all about streamlining my workflow.

One Response to “Network Disruptions: VNC and TCP Port 5405”

July 03, 2007 at 11:23 pm, Carl said:

Hello Jose,

I was the author of the original report, which was released mid-afternoon GMT on 30 June, in the midst of the irregularities noticed over at the Internet Traffic Report. The reason why I raised the question about what could be responsible was that there was nothing that we could see as being responsible for such a significant lengthy deviation (compared to the normal traffic deviation of 3-4 hours).

I suggested 5901 as a possible (note the use of the word possible) cause, given the Top 10 ISC trend, and the availability of a full remote code execution exploit a few days prior. I wasn’t convinced that it was the cause, given that Europe and the US were effectively left out of the traffic deviation.

I have read many of the comments that this has generated across the net and wrote a quick summary (http://www.beskerming.com/commentary/2007/07/04/200/A_Quick_Update_on_Global_Internet_Traffic_Observations) which indicates that there is no observed cause for the deviation, which has now effectively disappeared. I am glad that ATLAS has shown its value in corroborating this information.

I am fully aware of the risks of over-reacting to spikes and dips, along with variation of traffic to various ports, but this seemed out of the ordinary, with no readily available cause. The link to 5901 was more of a loose inference than a formal link.

Thanks for taking the time to respond to the issues raised in my report.

Comments are closed.