600x is the X server port. It has known vulnerabilities (XFree86, for example,
had a simple one-packet DoS attack on its port; this is probably still
present in Xvnc, since it's based on XFree86).

The X security is not very strong, either; what's more, people often turn it
off (the command 'xhost +').

Unless you are sending X traffic through the Internet, I would suggest that
you do not open those ports through your firewall. You certainly don't need
them open if you're using only a VNC viewer remotely.

According to Mike Miller:
> On Thu, 17 May 2001, Scott C. Best wrote:
>
> > Hello! I'm sorry that my suggestions don't sound appealing to
> > you. It sounds like you found a potential weakness in a VNC system,
> > but are dis-inclined to gather more data about the particulars. My
> > experience with open source projects over the years is that the person
> > who calls in the fire is often expected to help aim the hose. :)
>
> I'm sorry that I seemed ungrateful. I was hoping for one of the
> developers to respond. Thanks for getting back to me.
>
> So I did what you wanted and tried nmap to 5801 and to 5901. Neither had
> any effect on the operation of Xvnc. It's only 6001.
>
> Now what I really mean is that VNC running on display :1 is destroyed when
> I nmap port 6001, but VNC for display :7 is destroyed if I nmap port 6007.
> What I mean by 'destroyed' is that if vncviewer was showing that display,
> it immediately stops taking input, and if vncviewer wasn't up, it can no
> longer connect to the server at all (for that display).
>
>
> > Like you, I get keyhole scanned several times a day, people
> > looking for Sub-7 or RPC or whatever. In fact, my own ISP scans me for
> > running an NNTP server at least once a day. :) Yet...I don't think
> > I've ever been nmap'd into a denial of service.
>
> I have. From China about two weeks ago. They sent 30,214 packets.
> (Maybe they checked that many ports, but my iplog doesn't keep track of
> all of it.) As you said, it was not subtle. See appended info. They
> managed to crack into my machine, but in a fairly lame way (as daemon but
> not as root), so I got rid of them easily.
>
>
> > Which gets to your original question: no, until your post, I've
> > never heard that Xvnc can be DoS'd with an nmap scan. I'd be very much
> > interested, as you would be, if that could be confirmed. I don't run
> > Xvnc here, so all the help I can offer has been.
>
> Thanks.
>
> Mike
>
>
> May 5 10:15:59 ICMP: echo from 202.103.98.115 (16 bytes)
> May 5 10:15:59 TCP: tcpmux connection attempt from 202.103.98.115:4104
> May 5 10:15:59 TCP: port 2 connection attempt from 202.103.98.115:4105
> May 5 10:15:59 TCP: port 3 connection attempt from 202.103.98.115:4106
> May 5 10:15:59 TCP: port 4 connection attempt from 202.103.98.115:4107
> May 5 10:15:59 TCP: port 5 connection attempt from 202.103.98.115:4108
> May 5 10:15:59 TCP: port 6 connection attempt from 202.103.98.115:4109
> May 5 10:15:59 TCP: port 8 connection attempt from 202.103.98.115:4111
> May 5 10:15:59 TCP: port 10 connection attempt from 202.103.98.115:4113
> May 5 10:15:59 TCP: systat connection attempt from 202.103.98.115:4114
> May 5 10:15:59 TCP: port 12 connection attempt from 202.103.98.115:4115
> May 5 10:15:59 TCP: port 14 connection attempt from 202.103.98.115:4117
> May 5 10:15:59 TCP: netstat connection attempt from 202.103.98.115:4118
> May 5 10:15:59 TCP: port 16 connection attempt from 202.103.98.115:4119
> May 5 10:15:59 TCP: port 18 connection attempt from 202.103.98.115:4121
> May 5 10:15:59 TCP: port scan detected from 202.103.98.115
> May 5 10:36:29 TCP: port scan mode expired for 202.103.98.115 - received a total of 30214 packets (845992 bytes).
> ---------------------------------------------------------------------
> To unsubscribe, send a message with the line: unsubscribe vnc-list
> to [EMAIL PROTECTED]
> See also: http://www.uk.research.att.com/vnc/intouch.html
> ---------------------------------------------------------------------
--
-Grant "Kamisama" McDorman, Senor Software Design Tipster[1], Advanced
AppleCations
[1] Consultant: A tipster disguised as an oracle, especially one who
has learned to decamp at high speed in spite of the
large briefcase and heavy wallet.
- Stan Kelly-Bootle, _The Devil's DP Dictionary_
Fortune Cookie of the Moment:
People will accept your ideas much more readily if you tell them that
Benjamin Franklin said it first.
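
The port layout in this thread (display :N has its X port at 6000+N, next to VNC ports such as 5801 and 5901 for :1) can be audited on a host by checking which of those listeners are bound off-loopback. This is an added example, not part of the original message: the `ss -ltn` sample is constructed, and names such as `audit` and `MAX_DISPLAY` are illustrative assumptions.

```python
# Port bases for display :N. 6000+N is the X protocol port discussed above;
# 5900+N is the VNC (RFB) port and 5800+N the Java-viewer HTTP port.
BASES = {"x11": 6000, "rfb": 5900, "http-viewer": 5800}
MAX_DISPLAY = 63  # assumption: only displays :0 to :63 are considered

# Constructed sample of `ss -ltn` output (not captured from a real host).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      5      0.0.0.0:5901       0.0.0.0:*
LISTEN 0      5      0.0.0.0:6001       0.0.0.0:*
LISTEN 0      5      127.0.0.1:6007     0.0.0.0:*
LISTEN 0      5      [::]:6002          [::]:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
"""

def classify(port):
    """Map a TCP port to (service, display number), or None if unrelated."""
    for service, base in BASES.items():
        if base <= port <= base + MAX_DISPLAY:
            return service, port - base
    return None

def is_loopback(addr):
    return addr.startswith("127.") or addr in ("[::1]", "::1")

def audit(ss_output):
    """Return (address, port, service, display, verdict) per Xvnc-related listener."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port_text = fields[3].rpartition(":")
        hit = classify(int(port_text)) if port_text.isdigit() else None
        if hit is None:
            continue
        service, display = hit
        if is_loopback(addr):
            verdict = "ok: loopback only"
        elif service == "x11":
            verdict = "block: X port reachable off-host"
        else:
            verdict = "review: needed only for remote viewers"
        findings.append((addr, int(port_text), service, display, verdict))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_SS):
        print("%-10s %5d %-11s :%-2d %s" % finding)
```

On a live host, pass the real output of `ss -ltn` to `audit()` instead of the sample.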