On Thu, 17 May 2001, Scott C. Best wrote:
> Hello! I'm sorry that my suggestions don't sound appealing to
> you. It sounds like you found a potential weakness in a VNC system,
> but are disinclined to gather more data about the particulars. My
> experience with open source projects over the years is that the person
> who calls in the fire is often expected to help aim the hose. :)
I'm sorry that I seemed ungrateful. I was hoping for one of the
developers to respond. Thanks for getting back to me.
So I did what you wanted and tried nmap to 5801 and to 5901. Neither had
any effect on the operation of Xvnc. It's only 6001.
Now what I really mean is that VNC running on display :1 is destroyed when
I nmap port 6001, but VNC for display :7 is destroyed if I nmap port 6007.
What I mean by 'destroyed' is that if vncviewer was showing that display,
it immediately stops taking input, and if vncviewer wasn't up, it can no
longer connect to the server at all (for that display).
> Like you, I get keyhole scanned several times a day, people
> looking for Sub-7 or RPC or whatever. In fact, my own ISP scans me for
> running an NNTP server at least once a day. :) Yet...I don't think
> I've ever been nmap'd into a denial of service.
I have. From China about two weeks ago. They sent 30,214 packets.
(Maybe they checked that many ports, but my iplog doesn't keep track of
all of it.) As you said, it was not subtle. See appended info. They
managed to crack into my machine, but in a fairly lame way (as daemon but
not as root), so I got rid of them easily.
> Which gets to your original question: no, until your post, I've
> never heard that Xvnc can be DoS'd with an nmap scan. I'd be very much
> interested, as you would be, if that could be confirmed. I don't run
> Xvnc here, so all the help I can offer has been.
Thanks.
Mike
May 5 10:15:59 ICMP: echo from 202.103.98.115 (16 bytes)
May 5 10:15:59 TCP: tcpmux connection attempt from 202.103.98.115:4104
May 5 10:15:59 TCP: port 2 connection attempt from 202.103.98.115:4105
May 5 10:15:59 TCP: port 3 connection attempt from 202.103.98.115:4106
May 5 10:15:59 TCP: port 4 connection attempt from 202.103.98.115:4107
May 5 10:15:59 TCP: port 5 connection attempt from 202.103.98.115:4108
May 5 10:15:59 TCP: port 6 connection attempt from 202.103.98.115:4109
May 5 10:15:59 TCP: port 8 connection attempt from 202.103.98.115:4111
May 5 10:15:59 TCP: port 10 connection attempt from 202.103.98.115:4113
May 5 10:15:59 TCP: systat connection attempt from 202.103.98.115:4114
May 5 10:15:59 TCP: port 12 connection attempt from 202.103.98.115:4115
May 5 10:15:59 TCP: port 14 connection attempt from 202.103.98.115:4117
May 5 10:15:59 TCP: netstat connection attempt from 202.103.98.115:4118
May 5 10:15:59 TCP: port 16 connection attempt from 202.103.98.115:4119
May 5 10:15:59 TCP: port 18 connection attempt from 202.103.98.115:4121
May 5 10:15:59 TCP: port scan detected from 202.103.98.115
May 5 10:36:29 TCP: port scan mode expired for 202.103.98.115 - received a total of 30214 packets (845992 bytes).
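
An added example, not part of the original message: a small Python filter over iplog-style lines that reports which Xvnc displays had their X11 listener (6000+N) probed, separately from the 5800+N and 5900+N ports that the message says were unaffected. The sample lines, the documentation-range addresses, and the assumption that iplog writes these ports as "port NNNN" are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the iplog format shown in the message above; the
# addresses are documentation-range and the "port 6001" form is an assumption.
SAMPLE_LOG = """\
May 5 10:15:59 TCP: port 5801 connection attempt from 192.0.2.10:4104
May 5 10:15:59 TCP: port 5901 connection attempt from 192.0.2.10:4105
May 5 10:15:59 TCP: port 6001 connection attempt from 192.0.2.10:4106
May 5 10:16:02 TCP: port 6007 connection attempt from 192.0.2.10:4107
May 5 10:16:02 TCP: systat connection attempt from 192.0.2.10:4108
May 5 10:16:05 TCP: port 6003 connection attempt from 198.51.100.7:1025
"""

ATTEMPT = re.compile(
    r"^(?P<ts>\w+\s+\d+ [\d:]+) TCP: port (?P<port>\d+) "
    r"connection attempt from (?P<src>[\d.]+):\d+$"
)

# Per-display base ports: Java viewer HTTP, RFB, and the X11 listener.
BASES = {5800: "http", 5900: "rfb", 6000: "x11"}


def classify(port, displays):
    """Return (display, service) if port belongs to a running Xvnc display."""
    for base, service in BASES.items():
        n = port - base
        if n in displays:
            return n, service
    return None


def x11_hits(log_text, displays):
    """Map display number -> list of (timestamp, source) that touched 6000+N."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = ATTEMPT.match(line.strip())
        if not m:
            continue  # named services (systat, ...) and summary lines
        found = classify(int(m["port"]), displays)
        if found and found[1] == "x11":
            hits[found[0]].append((m["ts"], m["src"]))
    return dict(hits)


if __name__ == "__main__":
    for display, events in sorted(x11_hits(SAMPLE_LOG, {1, 7}).items()):
        for ts, src in events:
            print(f"{ts}: {src} probed X11 port {6000 + display} (display :{display})")
```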