View Full Version : Port 5900 open, no vnc programs installed



sysengPS
04-Oct-2013, 01:14
I have ghost ports, in particular 5900 for vnc. However, there is no vnc software seen through zypper/yast.
When I grep 5900 in /etc/services, it does find the following:
grep rfb /etc/services
rfb 5900/tcp vnc-server # Remote Framebuffer [Tristan_Richardson] [RFC6143]
rfb 5900/udp vnc-server # Remote Framebuffer [Tristan_Richardson] [RFC6143]

running nmap from another machine returns:

nmap -sS 192.168.181.30

Starting Nmap 4.75 ( http://nmap.org ) at 2013-10-03 20:13 EDT
Interesting ports on prod-lb01.********.com (192.168.181.30):
Not shown: 994 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
443/tcp open https
5800/tcp open vnc-http
5900/tcp open vnc
MAC Address: 00:50:56:A5:34:59 (VMWare)

Firewall is off (inside a secure network). I suppose I need to remove rfb, but I cannot find how to remove rfb. Has anyone done this, or have any advice?
Oh, and this is to pass PCI compliance...
Thanks

ab
04-Oct-2013, 03:16
On 10/03/2013 06:24 PM, sysengPS wrote:
>
> I have ghost ports, in particular 5900 for vnc. However, there is no vnc
> software seen through zypper/yast.
> When I grep 5900 in /etc/services, it does find the following:
> grep rfb /etc/services
> rfb 5900/tcp vnc-server # Remote Framebuffer
> [Tristan_Richardson] [RFC6143]
> rfb 5900/udp vnc-server # Remote Framebuffer
> [Tristan_Richardson] [RFC6143]

In Yast you should be able to find a setting for 'Remote Administration'
that is part of Gnome or X or something that is probably causing this.
You can find out for sure which executable has this bound using 'ss' or
'netstat':

Code:
--------------------
/usr/sbin/ss -planeto | grep :5900
--------------------

> running nmap from another machine returns:
>
> nmap -sS 192.168.181.30
>
> Starting Nmap 4.75 ( http://nmap.org ) at 2013-10-03 20:13 EDT
> Interesting ports on prod-lb01.********.com (192.168.181.30):
> Not shown: 994 closed ports
> PORT STATE SERVICE
> 22/tcp open ssh
> 80/tcp open http
> 111/tcp open rpcbind
> 443/tcp open https
> 5800/tcp open vnc-http
> 5900/tcp open vnc
> MAC Address: 00:50:56:A5:34:59 (VMWare)
>
> Firewall is off (inside a secure network). I suppose I need to remove

Unless you have a reason to turn it off (I've yet to hear a great one,
except on a honeypot) you should leave it enabled. Allowing services is
trivial and adds a lot of protection just in case. Most successful
attacks are from the inside where trust is given too freely and firewalls
protect against anybody, insider or outsider escalating privileges through
a secure network, from doing unexpected things.

Good luck.

sysengPS
04-Oct-2013, 04:50
vino server had them open. Didn't know what to search for. Thanks for the help.
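
Added example (not part of the thread): a shell filter for the 'ss' check suggested above. It matches the port exactly instead of grepping for ":5900", pulls out the program name and PID, and then asks rpm which package owns the binary. The function names and the sample 'ss' lines are constructed for illustration; only the ports and vino-server come from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names are hypothetical.

# Read `ss -tlnp` style output on stdin and print "port pid program" for each
# listening socket whose local port is exactly one of the ports given as arguments.
listeners_on_ports() {
    ports="$*"
    awk -v want="$ports" '
        BEGIN { n = split(want, p, " "); for (i = 1; i <= n; i++) watch[p[i]] = 1 }
        $1 == "LISTEN" {
            port = $4
            sub(/.*:/, "", port)          # text after the last colon; also handles [::]:5900
            if (!(port in watch)) next
            prog = "?"; pid = "?"         # stays "?" when ss was not run as root
            # Newer ss prints ("name",pid=123,fd=4); older ss prints ("name",123,4)
            if (match($0, /users:\(\("[^"]+",(pid=)?[0-9]+/)) {
                s = substr($0, RSTART, RLENGTH)
                split(s, q, "\"")
                prog = q[2]
                pid = q[3]
                gsub(/[^0-9]/, "", pid)
            }
            print port, pid, prog
        }'
}

# On a live RPM-based host: resolve a PID to its binary, then to the owning package.
owning_package() {
    exe=$(readlink "/proc/$1/exe") || return 1
    rpm -qf "$exe"
}

# Constructed sample input (not captured from the host in the thread).
SAMPLE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=1023,fd=3))
LISTEN 0 128 0.0.0.0:111 0.0.0.0:* users:(("rpcbind",pid=877,fd=8))
LISTEN 0 5 [::]:5900 [::]:* users:(("vino-server",pid=4312,fd=14))
LISTEN 0 5 :::5800 :::* users:(("vino-server",4312,15))
LISTEN 0 128 0.0.0.0:59001 0.0.0.0:* users:(("appd",pid=2001,fd=4))'

# Prints the two VNC listeners; the 59001 socket is ignored.
printf '%s\n' "$SAMPLE" | listeners_on_ports 5800 5900
```

On the host itself, run 'ss -tlnp | listeners_on_ports 5800 5900' as root, then pass the reported PID to owning_package to get the package name to look for in zypper/YaST.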