I have ghost ports, in particular 5900 for vnc. However, there is no vnc software seen through zypper/yast.
When I grep 5900 in /etc/services, it does find the following:
grep rfb /etc/services
rfb 5900/tcp vnc-server # Remote Framebuffer [Tristan_Richardson] [RFC6143]
rfb 5900/udp vnc-server # Remote Framebuffer [Tristan_Richardson] [RFC6143]

running nmap from another machine returns:

nmap -sS

Starting Nmap 4.75 ( http://nmap.org ) at 2013-10-03 20:13 EDT
Interesting ports on prod-lb01.********.com (
Not shown: 994 closed ports
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
443/tcp open https
5800/tcp open vnc-http
5900/tcp open vnc
MAC Address: 00:50:56:A5:34:59 (VMWare)

Firewall is off (inside a secure network). I suppose I need to remove rfb, but I cannot find how to remove rfb. Has anyone done this, or have any advice?
Oh, and this is to pass pci compliance...