Undocumented port in use by VNCviewer in Listen Mode?

Zalman Margareten zmargareten "at" CJH.org
Wed, 05 Sep 2001 16:15:41 +0000


Very clearly explained, John.

I would suggest running a "network monitor" through an entire VNC session
and watching when/if it communicates with port 5400. Such a monitor was
mentioned in this VNC-list sometime last week and I posted a message
inquiring what monitor was used. I so far haven't received an answer.

You mentioned different experiments. Did you try disabling port 5400 coming
in to the viewer?

Good Luck



-----Original Message-----
From: John Roland Elliott [mailto:John_Roland_Elliott "at" Hotmail.com]
Sent: Friday, August 31, 2001 6:14 PM
To: vnc-list "at" uk.research.att.com
Subject: Re: Undocumented port in use by VNCviewer in Listen Mode?


Roy, Pete, Zoran, Zalman, and all ---

Thanks for considering my poorly posed question and thanks for your
theories. Let me try my question again, a little more precisely and
completely stated this time.

The FAQ (http://www.uk.research.att.com/vnc/faq.html#q52) states, and I have
observed, that the VNC server listens on port 5900+n (where n is the
"display number") and that when the VNC viewer initiates a session with the
server, it does so through that port.

The FAQ (http://www.uk.research.att.com/vnc/faq.html#q52) states, and I have
observed, that the VNC server listens on port 5800+n (where n is the
"display number") and, on that port, answers as a minimalist web server
which delivers the java implementation of the VNC viewer. Once the (java)
VNC viewer is delivered to the machine that is to act as viewer, the java
VNC viewer communicates with the VNC server through port 5900+n, just like
the non-java VNC viewer.

Ports 5900+n and 5800+n are open on machines running a VNC server (WinVNC,
e.g.) and the (java or non-java) VNC viewer connects only to 5900+n. 5800+n
is used only to fetch the java viewer (vncviewer.class in vncviewer.jar)
from the machine running the VNC server. It is my understanding that the
viewer, once it is loaded, regardless of how it is loaded, communicates with
the server through the server's port 5900+n. I don't think that 5800+n is
used as a control channel, or anything other than fetching the java client.
I conclude this by configuring a firewall that defends the machine running
the VNC server. When I configure it to drop inbound traffic on port 5800 I
can successfully establish a VNC session from the other side of the firewall
using the non-java VNC viewer. Further, I conducted the following
experiment:

1) on the firewall between my viewer and server, I enabled 5800 (for loading
the java VNC viewer) and disabled 5900 going from viewer to server
2) from my favorite java-capable web browser, I went to
http://myVNCserver:5800 and got the VNC authentication page asking for a VNC
password
3) at that point, I reconfigured my firewall to disable 5800 (the viewer is
already loaded in the virtual machine of the machine that is to be viewer)
and enable 5900 (so that the viewer could do something constructive) going
from viewer to server
4) back at my web browser, which was still displaying the VNC authentication
page, I entered the VNC password and established a session (without access
to 5800 on the server but with 5900 on the server accessible)

This experiment convinced me that a) 5800 is necessary and sufficient to
load the java VNC viewer (i.e., 5900 is not needed for *loading* and
*starting* the java VNC viewer) and b) 5900 is necessary and sufficient for
the (java) VNC viewer (i.e., 5800 is not needed for *running* the VNC
viewer, even the java one).

I stress that 5800+n and 5900+n are VNC server ports. Those ports are not
open on the VNC viewer machine (unless it is also running VNC server.)

The FAQ (http://www.uk.research.att.com/vnc/faq.html#q52) states, and I have
observed, that the VNC viewer (not server) listens on port 5500. When, from
a VNC server, you "Add New Client", the server initiates a session with the
viewer through the viewer's port 5500. In this mode of operation, the viewer
does not use the server's 5900+n, which would have been used if the viewer
had initiated the connection; I suspect, but I haven't confirmed, that the
server continues to talk to the viewer's port 5500 and the viewer talks to
the port that the server opened in order to call the viewer.

So, I think I understand 5500, 5800+n, and 5900+n, but I'm still mystified
by 5400. What I know is:

1) it is created on the viewer machine when I "Run VNCviewer (Listen Mode)"
2) it is destroyed on the viewer machine when I "Close listening daemon"
3) it is unused (or at least not required) during the conventional operation
(viewer initiates the connection)
4) it is unused (or at least not required) by the java VNC viewer

What I would like to know is does it serve any function whatsoever. In
exchange for this knowledge I am prepared to offer my eternal gratitude and
undying devotion. I really don't want to have to try to read the source
(what is it? ... Object Oriented COBOL? ... "ADD-1-TO-COBOL-GIVING-COBOL"?)

Regards,
JRE

P.S. One last clue: If, on the machine that has "Run VNCviewer (Listen
Mode)", I go to http://localhost:5400, briefly, in maybe 36-point text, I
see

    "plication/vnd.ms-excel, applica"

at the top of the screen.

----- Original Message -----
From: "Zalman Margareten" <zmargareten "at" CJH.org>
To: <vnc-list "at" uk.research.att.com>
Sent: Friday, August 31, 2001 12:39 PM
Subject: RE: Undocumented port in use by VNCviewer in Listen Mode?


> Are u trying to imply that it will establish the connection with port 5400
> and then hand it over to 5500? I can understand this with the "regular"
> connection that is initiated from the viewer where it will send a sync to
> 5800 and then establish a connection with 5900. But how do u explain it with
> the "listener" method where it starts with 5500 according to my ( netstat -n
> readings )?
>
> -----Original Message-----
> From: Roy Long [mailto:roy "at" ncitech.com]
> Sent: Friday, August 31, 2001 9:46 AM
> To: vnc-list "at" uk.research.att.com
> Subject: Re: Undocumented port in use by VNCviewer in Listen Mode?
>
>
> >The documentation indicates that VNCviewer in Listen Mode uses port 5500. It
> >appears that when I start VNCviewer in Listen Mode, my machine also listens
> >on port 5400, at least my Windows 2000 machine does. After stopping Listen
> >Mode, both 5500 and 5400 are closed. I have set my firewall to block 5400
> >and allow 5500 and it seems to continue to work.
> >
> >As port 5400 is associated with the Blade Runner Trojan, I was a little
> >alarmed to discover it open on one of my machines.
> >
> >Can anyone provide any illumination on the subject of VNC's use of port
> >5400?
>
> I believe 5400 is the java web browser port for the viewer, just like
> 5800 works for the java web browser port on the "normal" VNC server.
> --
> Roy Long - KB3CZD
> Computer Technician
> NCI Technologies
> 126 N. 2nd Street
> Philipsburg PA 16866
>
> roy "at" ncitech.com
>
>
>
>
> -----BEGIN GEEK CODE BLOCK-----
>    Version: 3.12
>    GO@ d-@ s: a- C++ C--- U+++ P+ L++>$ E--- W+ N+ w
>    M++$ PS PE+ PGP+ t+ 5 X R- tv b+ DI++ D G h--- r+++ y--(+++)
> ------END GEEK CODE BLOCK------
> ---------------------------------------------------------------------
> To unsubscribe, send a message with the line: unsubscribe vnc-list
> to majordomo "at" uk.research.att.com
> See also: http://www.uk.research.att.com/vnc/intouch.html
> ---------------------------------------------------------------------
---------------------------------------------------------------------
To unsubscribe, send a message with the line: unsubscribe vnc-list
to majordomo "at" uk.research.att.com
See also: http://www.uk.research.att.com/vnc/intouch.html
---------------------------------------------------------------------
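
Added example (not part of the original thread and not code from the VNC project): the before/after netstat comparison discussed in this thread, automated. It diffs the listening TCP ports from two `netstat -an` captures and labels each new listener with the VNC role described above (5900+n, 5800+n, 5500), flagging anything else, such as 5400, as undocumented. The sample captures are constructed, and the 0-99 range for the display number n is an assumption.

```python
import re

# Matches "TCP <addr>:<port> <foreign> LISTENING" lines of `netstat -an`
# (IPv4 or bracketed IPv6 local addresses).
LISTEN_LINE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\b", re.I)

def vnc_role(port):
    """Role of a port per the FAQ text quoted in the thread, else None."""
    if 5900 <= port <= 5999:   # assumption: display number n is 0-99
        return "server RFB port 5900+n (n=%d)" % (port - 5900)
    if 5800 <= port <= 5899:
        return "server HTTP port 5800+n for the Java viewer (n=%d)" % (port - 5800)
    if port == 5500:
        return "viewer listen-mode port"
    return None

def listening_ports(netstat_text):
    """Set of local TCP ports in LISTENING state; other states are ignored."""
    ports = set()
    for line in netstat_text.splitlines():
        m = LISTEN_LINE.match(line)
        if m:
            ports.add(int(m.group(1)))
    return ports

def explain_new_listeners(before_text, after_text):
    """Map each port that started listening between captures to its role."""
    new = listening_ports(after_text) - listening_ports(before_text)
    return {p: vnc_role(p) or "UNDOCUMENTED" for p in sorted(new)}

# Constructed sample captures: before and after starting the viewer in listen mode.
BEFORE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
"""
AFTER = BEFORE + """\
  TCP    0.0.0.0:5400           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5500           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1042        192.0.2.20:5900        ESTABLISHED
"""

if __name__ == "__main__":
    for port, role in explain_new_listeners(BEFORE, AFTER).items():
        print(port, role)
```

Any port reported as UNDOCUMENTED is a candidate for the firewall test described above: block it inbound and confirm the session still works.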