Threat Level: green Handler on Duty: Rob VandenBrink

SANS ISC: VNC 'scans' with windows size of 55808 - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
VNC 'scans' with windows size of 55808
One of our readers wrote in with the following:
"Over the last couple days I've noticed a different type of 5900/TCP (VNC?) portscan/attack.
Port 5900 scans are not new, but this one is triggering a TCP Window size 55808 filter on our IPS.
The filter is patterned after:
Reference: CERT Incident http://www.cert.org/current/archive/2003/06/25/archive.html
Most of the source hosts are EDU's in the US and Taiwan."

So if you don't already have an IDS signature that looks for windows size of 55808 you may wish to add one.
If you do and you notice this I suspect its a bot probably sdbot but would like confirmation.
donald

206 Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!