Last Updated: 2009-10-03 12:28:45 UTC
by Daniel Wesemann (Version: 2)
tcp/5900 is used by VNC, a platform-independent desktop sharing and remote control application. VNC is hugely popular and is also used for helpdesk/remote support in many large organizations.
Well, it is a *remote control* tool. There is probably a bad guy or two out there who would like to remote control your PC while you are in the middle of an e-banking session. And there are even more bad guys out there who are too incompetent to work with a command line and prefer to have their hacked victims accessible over a GUI. Yes, VNC is used by Trojans, backdoors and hackers alike. If you ever find VNC on your PC and it wasn't you who put it there: worry. Worry more. Then re-install your PC from scratch.
As the DShield graph for port 5900 shows, there is a lot of scanning going on for tcp/5900, which is the VNC standard port.
The scanning seems to have two main purposes:
(1) To find VNC servers that can be breached by brute-force password guessing
(2) To find VNC servers that are still vulnerable to one of the more serious holes (like CVE-2006-2369, the RealVNC 4.1.1 authentication bypass, where the client simply asks for the "None" security type even though the server never offered it, and the server accepts)
As a reader commented in one of our more recent diaries on the subject, the best defense is not to open VNC up to the world at all. Bind the server to localhost and tunnel it through SSH (ssh -L 5900:localhost:5900 yourhost, then point the viewer at localhost:5900) or IPsec; that improves VNC security considerably. If you need to keep it exposed to the outside, use the latest version and pick a strong password (keeping in mind the note below that VNC authentication only looks at the first eight characters, so make those eight count). It also doesn't hurt to move it to a port other than 5900. While this is mere security by obscurity and won't help against a targeted attack, it DOES keep away all the scanners that are just trolling for a target of opportunity.
Note that VNC also uses 5901..5903 (one port per display: display :N listens on 5900+N), and tcp/5800 (likewise 5800+N) to serve the Java viewer applet for a clientless connection from a browser. Last but not least, tcp/5500 is used to "shovel" a connection from a server to a viewer running in "listening mode" (a reverse connection). The latter mechanism is hugely popular among the bad guys, because there are still way too many firms with a firewall that has a "permit anything from the inside going out" rule. Once a bad guy manages to subvert (virus, hacking) a server on the inside, he still can't get to it with an inbound connection on tcp/5900, but he often can "shovel" a tcp/5500 connection inside-out back to his listening VNC viewer. Metasploit also has a couple of lovely payloads to choose from (the vncinject payloads) that facilitate this sort of thing.
All the ports mentioned above are the standard ports used by VNC out of the box. A VNC server is just as happy on Port 80 as it is on 5900 though, so while scans for tcp/5900 are usually indeed looking for VNC, you should have your IDS on the look-out for VNC traffic on ANY port. Emergingthreats has a couple of nice Snort rules for VNC traffic.
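To make the "VNC on ANY port" point concrete, here is an added example (ours, not taken from Emerging Threats or any VNC project) that classifies a TCP flow from the first bytes each side sends, the way an IDS rule or a flow analyser would: the server's 12-byte "RFB xxx.yyy" banner identifies VNC regardless of port, the bytes after it list the offered security types, and the client's reply (in RFB 3.7 and later) names the type it picked. Two conditions are flagged: a server offering the "None" security type, and a client selecting a type the server did not offer, which is exactly the CVE-2006-2369 bypass pattern. The sample flows at the bottom are constructed for the example, not real captures.

```python
import re
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# RFB ProtocolVersion message: exactly "RFB xxx.yyy\n" (12 bytes), sent by the
# server first and echoed back by the client with the version it wants to use.
RFB_BANNER = re.compile(rb"^RFB (\d{3})\.(\d{3})\n")

# Security type numbers from the RFB specification (subset).
SECURITY_TYPES = {1: "None", 2: "VNC Authentication", 16: "Tight", 18: "TLS", 19: "VeNCrypt"}

ALERT_NONE_AUTH = "server offers the None security type (no password at all)"
ALERT_BYPASS = "client chose a security type the server never offered (CVE-2006-2369 pattern)"


@dataclass
class RfbObservation:
    version: Tuple[int, int]   # server's protocol version, e.g. (3, 8)
    offered: List[int]         # security types the server advertised
    chosen: Optional[int]      # security type the client replied with, if seen
    alerts: List[str]


def parse_banner(payload: bytes) -> Optional[Tuple[int, int]]:
    """Return (major, minor) if the payload starts with an RFB version banner."""
    m = RFB_BANNER.match(payload)
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2))


def parse_offered_types(version: Tuple[int, int], data: bytes) -> List[int]:
    """Decode the server's security-type advertisement that follows the banner."""
    if version >= (3, 7):
        # u8 count followed by that many u8 type numbers
        if not data:
            return []
        count = data[0]
        return list(data[1:1 + count])
    # RFB 3.3: the server picks a single type and sends it as a big-endian u32
    if len(data) < 4:
        return []
    return [struct.unpack(">I", data[:4])[0]]


def inspect_flow(server_bytes: bytes, client_bytes: bytes) -> Optional[RfbObservation]:
    """Classify one TCP flow from the first bytes each side sent, ignoring the port."""
    version = parse_banner(server_bytes)
    if version is None:
        return None
    offered = parse_offered_types(version, server_bytes[12:])
    chosen = None
    # In 3.7+, the client answers the 12-byte banner with a single u8 security type.
    if version >= (3, 7) and parse_banner(client_bytes) is not None and len(client_bytes) > 12:
        chosen = client_bytes[12]
    alerts = []
    if 1 in offered:
        alerts.append(ALERT_NONE_AUTH)
    if chosen is not None and chosen not in offered:
        alerts.append(ALERT_BYPASS)
    return RfbObservation(version, offered, chosen, alerts)


# Constructed sample flows (not real captures): the first bytes from each side.
SAMPLE_FLOWS = [
    {"dst_port": 5900, "server": b"RFB 003.008\n\x01\x02", "client": b"RFB 003.008\n\x02"},  # normal
    {"dst_port": 80,   "server": b"RFB 003.008\n\x01\x01", "client": b"RFB 003.008\n\x01"},  # VNC on 80, no auth
    {"dst_port": 5900, "server": b"RFB 003.008\n\x01\x02", "client": b"RFB 003.008\n\x01"},  # bypass attempt
    {"dst_port": 5901, "server": b"RFB 003.003\n\x00\x00\x00\x02", "client": b"RFB 003.003\n"},  # old 3.3 server
    {"dst_port": 443,  "server": b"HTTP/1.1 200 OK\r\n", "client": b"GET / HTTP/1.1\r\n"},  # not VNC
]


def scan_flows(flows) -> List[Tuple[int, RfbObservation]]:
    """Return (dst_port, observation) for every flow that speaks RFB, whatever the port."""
    found = []
    for f in flows:
        obs = inspect_flow(f["server"], f["client"])
        if obs is not None:
            found.append((f["dst_port"], obs))
    return found


if __name__ == "__main__":
    for port, obs in scan_flows(SAMPLE_FLOWS):
        names = [SECURITY_TYPES.get(t, str(t)) for t in obs.offered]
        print(f"port {port}: RFB {obs.version[0]}.{obs.version[1]}, offered {names}, "
              f"client chose {obs.chosen}, alerts {obs.alerts}")
```

Only the server's first segment is needed to recognise VNC, which is why a port-based rule is not enough and a content match on "RFB 003." at the start of the server's stream is what the Emerging Threats rules key on. The bypass check needs both directions of the flow, since the exploit is entirely in the client's answer.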
Several readers pointed out that there are many implementations of VNC; the "original" RealVNC is only one of them. All these implementations vary widely in security features and also in vulnerability history, so make sure you watch the security advisories for the exact versions that you have in use.
Reader Tim reminded us that password-based authentication in the RFB protocol (which is underneath VNC) only uses the first 8 characters of any password entered, so choosing a long password doesn't necessarily help against brute-force attempts (depending on the version of VNC viewer and server that you use).
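The reason for the 8-character limit is the key derivation in "VNC Authentication" (RFB security type 2): the server sends a 16-byte random challenge, the client DES-encrypts it as two ECB blocks under a key made from the password, and sends the result back. As an added example (ours, not code from any VNC implementation), the function below derives that key the way the VNC sources do: truncate to 8 bytes, zero-pad, and reverse the bits of each byte because VNC's DES (d3des) reads key bits in the opposite order from a standard DES library. The DES step itself is left out; the key derivation is all that is needed to see that two passwords sharing their first eight characters are the same password to VNC. The latin-1 encoding of the password is an assumption for the example; a real viewer uses whatever 8-bit encoding the platform gives it.

```python
# VNC Authentication (RFB security type 2) key derivation, as an added example.
# The 16-byte challenge is DES-encrypted (two 8-byte ECB blocks) under this key;
# the DES call itself is not shown, only where the 8-character limit comes from.


def vnc_des_key(password: str) -> bytes:
    """Derive the 8-byte DES key VNC uses for challenge-response authentication.

    The password is truncated to 8 bytes and zero-padded; everything beyond the
    eighth character is simply ignored. Each byte is then bit-reversed, because
    VNC's DES implementation (d3des) reads key bits in reverse order compared to
    standard DES; this reversed form is what a standard DES library must be given.
    Standard DES ignores the low bit of every key byte as parity; after the
    reversal that is the high bit of the password character, which is zero for
    plain ASCII anyway.
    """
    # latin-1 is an assumption for this example; VNC passwords are raw bytes.
    raw = password.encode("latin-1", errors="replace")[:8].ljust(8, b"\x00")
    return bytes(int(f"{b:08b}"[::-1], 2) for b in raw)


def same_vnc_key(a: str, b: str) -> bool:
    """True if two passwords are indistinguishable to VNC authentication."""
    return vnc_des_key(a) == vnc_des_key(b)


if __name__ == "__main__":
    for pw in ("password", "password123456", "Summer2009!", "Summer20"):
        print(f"{pw!r:20} -> key {vnc_des_key(pw).hex()}")
    print("same key:", same_vnc_key("password", "password123456"))
```

In practice that means the brute-force keyspace is at most 8 printable characters no matter how long the configured password is, and an attacker who captures one challenge/response pair can attack it offline with any DES tool after applying the same bit reversal; that is another argument for the SSH or stunnel wrapping mentioned here.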
Reader Leandro reported that "stunnel" with certificate based authentication is working well for him to secure VNC connections.