Is someone/-thing trying to hack my machine?

arri

For debugging purposes I had tcpflow running when I noticed some strange activity.
Every now and then the following sequence of packets would appear:
Code:
010.000.001.002.05900-084.041.069.121.03713: RFB 003.008

010.000.001.002.05900-084.041.069.121.03722: RFB 003.008

084.041.069.121.03722-010.000.001.002.05900: RFB 003.008

010.000.001.002.05900-084.041.069.121.03722: ..
084.041.069.121.03722-010.000.001.002.05900: .
010.000.001.002.05900-084.041.069.121.03722: ........Invalid Security Type
084.041.069.121.03722-010.000.001.002.05900: .
084.041.069.121.03722-010.000.001.002.05900: ........

where 10.0.1.2 is my local machine, and 84.41.69.121 is some DSL connection of a user in Slovenia.
The port used is always 5900 locally, and some random, changing number remotely.

I first noticed this last night, but I didn't really pay much attention to it; when I saw it again today, I started to wonder..

I'm not really afraid someone's trying to hack me, but what I find strange is that it seems as if it is actually the VNC server that I run locally that tries to start a connection. The packet sequence always starts like above, then there's a long interval, and then a similar sequence ..etc..

When at one point I started to fiddle around, and see if I could for instance telnet/ftp to a remote port,
I got this response, which apparently is some worm (gift.com):
Code:
084.041.069.121.05368-010.000.001.002.51794: 220 Reptile welcomes you..

Does anyone know about this? And is it actually MY VNC server that's connecting?
I use OSXvnc.
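A point worth settling before reading further: in RFB the listener speaks first. The remote host opens the TCP connection, but the very first application bytes ("RFB 003.008\n", the ProtocolVersion message of RFC 6143) are sent by the server, which is why tcpflow shows 10.0.1.2:5900 as the first sender in every flow. Read the rest of the dump the same way: the server's ".." is its security-type list (count 1, type 2 = VNC Authentication), the client's "." is its one-byte choice, and the eight dots in front of "Invalid Security Type" are two big-endian U32s, status 1 (failed) and reason length 21 (0x15). The Python below re-enacts that exchange byte for byte. It is an added example, not OSXvnc or RealVNC code. The dump does not reveal which type the client picked, so the example assumes type 1 (None), the choice that the RealVNC 4.1.1 authentication bypass mentioned later in the thread (CVE-2006-2369) let a client use to skip the password; the `strict` flag contrasts the correct rejection with that mistake.

```python
"""RFB 3.8 security handshake, re-enacted to match the tcpflow dump above.

Added example (RFC 6143 message layout), not OSXvnc or RealVNC source.
Assumption: the client's 1-byte choice in the dump was type 1 (None).
"""
import struct

PROTOCOL_VERSION = b"RFB 003.008\n"      # 12 bytes; the SERVER sends this first
SEC_NONE, SEC_VNC_AUTH = 1, 2
REASON_INVALID_TYPE = b"Invalid Security Type"   # 21 bytes -> the 0x15 length seen on the wire


def server_hello() -> bytes:
    """First application bytes after TCP connect come from the listener on 5900."""
    return PROTOCOL_VERSION


def server_security_offer(types=(SEC_VNC_AUTH,)) -> bytes:
    """U8 count followed by one U8 per offered type; password-only server -> b'\\x01\\x02' (the '..')."""
    return bytes([len(types), *types])


def security_result_failure(reason: bytes) -> bytes:
    """SecurityResult failure: U32 status=1, U32 reason length, reason text (3.8 adds the reason)."""
    return struct.pack(">II", 1, len(reason)) + reason


def server_handle_choice(offered, chosen: int, strict: bool = True):
    """What the server does with the client's one-byte security-type selection.

    strict=True : correct behaviour (what OSXvnc logs as 'Invalid Authorization Type'):
                  anything not in the offered list is refused.
    strict=False: the RealVNC 4.1.1 mistake (CVE-2006-2369): trust the client's choice,
                  so selecting SEC_NONE skips password authentication entirely.
    Returns (outcome, bytes_to_send).
    """
    if chosen in offered or not strict:
        if chosen == SEC_NONE:
            return "authenticated-without-password", struct.pack(">I", 0)  # SecurityResult OK
        return "vnc-auth-challenge", b""  # would continue with the 16-byte DES challenge
    return "rejected", security_result_failure(REASON_INVALID_TYPE)


def parse_security_result(data: bytes):
    """Decode a SecurityResult message; returns (ok, reason)."""
    (status,) = struct.unpack(">I", data[:4])
    if status == 0:
        return True, b""
    (length,) = struct.unpack(">I", data[4:8])
    return False, data[8:8 + length]


def replay(strict: bool):
    """Run the exchange from the dump: server offers VNC auth, client picks None (assumed)."""
    offered = (SEC_VNC_AUTH,)
    transcript = [
        ("10.0.1.2:5900 ->", server_hello()),          # server speaks first
        ("<- remote", PROTOCOL_VERSION),                # client echoes the version it will use
        ("10.0.1.2:5900 ->", server_security_offer(offered)),   # the '..'
        ("<- remote", bytes([SEC_NONE])),               # the '.'
    ]
    outcome, reply = server_handle_choice(offered, SEC_NONE, strict=strict)
    transcript.append(("10.0.1.2:5900 ->", reply))     # the '........Invalid Security Type'
    return outcome, transcript


if __name__ == "__main__":
    for strict in (True, False):
        outcome, transcript = replay(strict)
        print(f"strict={strict}: {outcome}")
        for direction, payload in transcript:
            print(f"  {direction} {payload!r}")
```

Run it and compare the last server message with the dump: the eight leading bytes decode to status 1 and length 21, exactly the eight dots tcpflow printed for non-printable characters.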
 
'is someone/-thing trying to hack my machine?' - no.

'... is it actually MY VNCserver that's connecting?' - to verify, look into the 'Preferences' settings of your VNC server and/or peer-to-peer software (if you use such).
 
Can you elaborate?

The VNC server is just configured to listen for connections on port 5900. Nothing else.
And it requires a password from the client to connect.

So if no-one/nothing is trying to get 'unauthorized access', what's going on then?

Is my grandmother trying to phone me?
 
btw; could it be that I'm only looking at TCP packets, while the initial client request uses another protocol?

Here's a sample from the server log

Code:
22:02:06.562 OSXvnc-server[1901] Client gone
22:02:06.591 OSXvnc-server[1901] Waiting for clients
22:02:06.832 OSXvnc-server[1901] Protocol version 3.8
22:02:07.078 OSXvnc-server[1901] rfbProcessAuthVersion: Invalid Authorization Type from 84.41.70.116
22:02:07.078 OSXvnc-server[1901] Invalid Security Type
22:02:07.079 OSXvnc-server[1901] Client 84.41.70.116 disconnected
22:02:07.079 OSXvnc-server[1901] Statistics:
22:02:07.080 OSXvnc-server[1901]   framebuffer updates 0, rectangles 0, bytes 0
22:02:07.080 OSXvnc-server[1901] Client gone
22:02:07.105 OSXvnc-server[1901] Waiting for clients
22:02:26.788 OSXvnc-server[1901] rfbProcessClientProtocolVersion: client gone
22:02:26.789 OSXvnc-server[1901] Client 84.41.69.121 disconnected
22:02:26.789 OSXvnc-server[1901] Statistics:
22:02:26.789 OSXvnc-server[1901]   framebuffer updates 0, rectangles 0, bytes 0
22:02:26.789 OSXvnc-server[1901] Client gone
22:02:26.819 OSXvnc-server[1901] Waiting for clients
22:02:26.934 OSXvnc-server[1901] Protocol version 3.8
22:02:27.028 OSXvnc-server[1901] rfbProcessAuthVersion: Invalid Authorization Type from 84.41.69.121
22:02:27.028 OSXvnc-server[1901] Invalid Security Type
22:02:27.029 OSXvnc-server[1901] Client 84.41.69.121 disconnected
22:02:27.029 OSXvnc-server[1901] Statistics:
22:02:27.030 OSXvnc-server[1901]   framebuffer updates 0, rectangles 0, bytes 0
22:02:27.030 OSXvnc-server[1901] Client gone
22:02:27.035 OSXvnc-server[1901] Waiting for clients

All the connection attempts are made by hosts in the 84.41.xxx.xxx range, which also happens to be the range of my current IP..

[edit]
More googling gave some interesting results;
a bug in RealVNC 4.1.1.
http://www.petri.co.il/forums/archive/index.php?t-10051.html

and clues that a worm could be trying to use that bug..
(google for ["Reptile welcomes you" VNC])
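The server log settles the question more firmly than the packet dump. "rfbProcessAuthVersion: Invalid Authorization Type" means the client selected a security type the server never offered. A real VNC viewer always picks from the offered list, so this line is never a typo'd password or a misconfigured user; it is a tool sending a fixed byte, which is exactly what an exploit for the RealVNC 4.1.1 bypass (choose type 1, None, regardless of the offer) or a worm built on it would do. The script below, an added example and not OSXvnc code, runs that detection over the log lines from the post plus two constructed lines (marked as such) to show a repeat source, and checks whether each source sits in the same /16 as the poster's own address, which the post gives only as 84.41.x.x, so the example uses a placeholder.

```python
"""Triage OSXvnc server-log lines: which sources send un-offered security types, and how often.

Added example, not OSXvnc code. The first five log lines are from the post;
the last two are CONSTRUCTED to show a repeat source.
"""
import ipaddress
import re
from collections import Counter, defaultdict

LOG_LINES = [
    # from the post
    "22:02:07.078 OSXvnc-server[1901] rfbProcessAuthVersion: Invalid Authorization Type from 84.41.70.116",
    "22:02:07.079 OSXvnc-server[1901] Client 84.41.70.116 disconnected",
    "22:02:26.789 OSXvnc-server[1901] Client 84.41.69.121 disconnected",
    "22:02:27.028 OSXvnc-server[1901] rfbProcessAuthVersion: Invalid Authorization Type from 84.41.69.121",
    "22:02:27.029 OSXvnc-server[1901] Client 84.41.69.121 disconnected",
    # constructed: the same host coming back a few minutes later
    "22:05:11.002 OSXvnc-server[1901] rfbProcessAuthVersion: Invalid Authorization Type from 84.41.69.121",
    "22:05:11.003 OSXvnc-server[1901] Client 84.41.69.121 disconnected",
]

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
INVALID_TYPE = re.compile(r"Invalid Authorization Type from " + IPV4)
DISCONNECT = re.compile(r"Client " + IPV4 + r" disconnected")


def parse_events(lines):
    """Yield (timestamp, kind, source_ip) for every line that names a remote address."""
    for line in lines:
        ts = line.split(" ", 1)[0]
        m = INVALID_TYPE.search(line)
        if m:
            yield ts, "invalid_type", m.group(1)
            continue
        m = DISCONNECT.search(line)
        if m:
            yield ts, "disconnect", m.group(1)


def summarize(lines, my_ip, prefix_len=16):
    """Per-source counts, plus whether the source shares my_ip's /prefix_len.

    A cluster of sources inside your own ISP block is what a worm scanning
    nearby addresses looks like; it is not proof, just a useful flag.
    """
    counts = defaultdict(Counter)
    for _, kind, ip in parse_events(lines):
        counts[ip][kind] += 1
    my_net = ipaddress.ip_network(f"{my_ip}/{prefix_len}", strict=False)
    return {
        ip: {
            "invalid_type": c["invalid_type"],
            "disconnect": c["disconnect"],
            "same_block": ipaddress.ip_address(ip) in my_net,
        }
        for ip, c in counts.items()
    }


def flag_sources(summary, threshold=2):
    """Sources with `threshold` or more un-offered security types.

    One such event is already a scanner, never a user mistake; repeats make
    the source an obvious candidate for a firewall rule.
    """
    return sorted(ip for ip, s in summary.items() if s["invalid_type"] >= threshold)


if __name__ == "__main__":
    MY_IP = "84.41.0.1"  # placeholder: the post only says the host is in 84.41.x.x
    summary = summarize(LOG_LINES, MY_IP)
    for ip, s in sorted(summary.items()):
        print(f"{ip:16} invalid_type={s['invalid_type']} disconnects={s['disconnect']} "
              f"same_/16_as_me={s['same_block']}")
    print("repeat offenders:", flag_sources(summary))
```

The same `invalid_type` counter is the signal to alert on in general: a password-guessing client shows up as SecurityResult failures after a VNC challenge, while an un-offered type is a tool probing for servers that skip the check, so the two deserve different responses.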
 