Network Disruptions: VNC and TCP Port 5405
In an article yesterday entitled A glitch in the Matrix, or a hungry exploit?, reporters at The Register were asking about Internet outages. This article seems to suggest that TCP port 5901 (VNC) scanning is to blame. VNC is Virtual Network Computing, a way of accessing one’s PC from another using simple software. It’s much like GoToMyPC, Remote Desktop, LogMeIn, and other such services, only it’s free and cross platform, and also open source. Implementations have had bugs (ie buffer overflows, see the sidebar on that service report to see what’s up with VNC vulnerabilities over the past few years) and, of course, you can always brute force your way into the box via weak passwords. It’s a longstanding attacker favorite. Such an increase in traffic wouldn’t be out of the blue, it would probably be associated with an aggressive botnet.
So, do we see a similar rise in attacks and traffic? No. ATLAS reports a 181% rise over the 24 hours ending July 1 in VNC attacks on TCP ports 5900 and 5901 (about a 2 to 1 ratio between the two), and a 1100% rise in TCP port 5901 scanning over that 24 hour time period.
VNC attacks over the past week. Red bars are attacks on TCP port 5900, blue bars are attacks on TCP port 5901.
However, this still dwarfs in comparison to SMYC06-010 scanning and MS SQL attacks (#1 and #2 on July 1, respectively; VNC attacks are #3 on July 1, and quite often a top 5 attack in ATLAS). VNC scans on TCP port 5901 are not in the top 5 for July 1.
TCP port 5901 scans over the past week. The different colors are different sources. While we see a spike over the weekend, this is inconsequential compared to the other, more dominant scans in this timeframe.
TCP port 5405 scans from the past week. Two different sources committed a few scans, but nothing serious. This pales in comparison to the other services scanned in this timeframe.
So, looking at ATLAS for answers to these questions, I see nothing to worry about right now. This is exactly one of the reasons we built ATLAS the way we did and structured the reports how we did. As an analyst, I need to see stuff in context with other activities and not in isolation, because it’s easy to see a spike and begin to worry. Secondly, we needed to disambiguate scans and attacks from random packets, and we do. Finally, background information about a service, including vulnerabilities and known applications, is also a valuable timesaver. It’s all about streamlining my workflow.