Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


How is this program trying to get into my VNC port? And other questions...

  • Please log in to reply
2 replies to this topic

#1 quietmedic


  • Members
  • 1 posts
  • Local time:11:11 PM

Posted 18 January 2017 - 09:05 PM

Ok, so im really a beginner at internet security.  I've worked in IT and have tons of experinece with hardware and such, but internet security is so confusing.  Anyway.

I've been trying to lock down my PC better, working in the Windows Firewall and also running scans with Wireshark to see what is going on in general.


I've noticed the same several IP addresses trying to get into my VNC port.  (I know, I know, VNC is really not great to open to the world, but I need access and have no clue how to make an IPSEC tunnel or SSH tunnel or even what those mean, but more on that later).

Anyway, as soon as I switch my VNC port, within a day, it's happening again.  ( Yes, my realVNC is password protected, and of course, virus scans, malware scans all negative etc etc, my computer is seemingly clean).


Here's an example packet:


 source                 destination   protocol  length TCP        74



[TCP Retransmission] 58787→5903 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=359065360 TSecr=0 WS=128 496


 5903 is my VNC port of course.


This is coming from an IP address registered to Purdue University in Indiana (what the heck?).


A few questions:


(1) Why does this keep happening? Who the heck is at Purdue trying to scan my ports?

(2) If my VNC is password protected, does the fact that they found this port mean they can get into it working around the VNC, i.e. use the port as a doorway but bypass the VNC authentication and mess around? How can I even tell if they got in (my VNC was never successfully activated)

(3) And if so, is there a way in Windows firewall to restrict a particular port's use to only realVNC?  I have not seen an option like that....you can restrict a program to a port, but not a port to a program...i.e., lock down that port so that all traffic entering that port MUST use VNC...


As well, no matter how many times I have read about VPNs, SSH tunnels, IPsec, I am still utterly confused, and have no idea what I can implement to better secure my VNC, as a casual user.  I only ever log in from outside my LAN by using my vnc app on cellphone, over my carrier's data (not on some open wifi).  Can anyone refer me to a plainish-English tutprial to understand these terms?  


Oh, and P.S., is there some legal issue with SSH? I was reading strange things about it being illegal to use, and also, from what I was reading, VPNs are generally also used for nefarious activities much moreso than anything legal...is this accurate? Sorry for the n00biness)

Edited by quietmedic, 18 January 2017 - 09:06 PM.

BC AdBot (Login to Remove)


#2 JohnnyJammer


  • Members
  • 1,117 posts
  • Gender:Male
  • Location:QLD Australia
  • Local time:02:11 PM

Posted 22 January 2017 - 07:34 PM

Mate to be honest, running any service exposed to the net you will always see bots crawling the net looking for exploits, weak and or standard username/passwords for routers, etc.

Try running a web server mate then you see all sorts of exploit URL requests.

The main countried i would rate as running spider bots would be , Russia, china, india, and a lot of traffic from germany also.

You will see a lot of Universities with kids learning how to write scripts etc but even when you have all the info, the network admins just say "Too bad we cant be bothered" and no discipline is served to the s|<ids doing it!

#3 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,716 posts
  • Gender:Male
  • Local time:06:11 AM

Posted 28 January 2017 - 07:31 AM

1) That's normal, there is a huge amount of scanning on the Internet, both benign (even with good intentions) and malicious.

2) Your VNC must be kept up-to-date so that it does not have known vulnerabilities

3) Because it's not necessary. Ports are restricted to an application. Port 5903 is opened by your VNC server program, and no other program can open that same port on the same IP address for listening while VNC is listening on that port.

Didier Stevens

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019


If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.


Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users