nmap returns 5900/tcp open vnc, have I been hacked??
 

Nmap -sT -O returned "5900/tcp open vnc. Never saw this before. I googled it and found it may mean someone remotely viewing my box. Running SL6 with small KVM based virtual network. "/sbin/service vnc status" returns "unrecognized service", "/etc/init.d/vnc" returns "no such file or directory" "rpm -q vnc" returns "package vnc not installed". Prior to this I yum installed telnet to use xhost to access a gui on my old dell box running fc12. No luck, I gave up for the time being. This only occurs when I have a vm up and running. Did my xhost experiment do this or have I been cracked. Never saw this before on many installs of both host and guest machines. Any help would be greatly appreciated. Thanks in advance folks. cbider

- Unless you enabled service checking (-sV) nmap uses its own static service mapping, kind of like /etc/services, to simply match ports with service names.
- Some virtualization methods come with built-in VNC capabilities.
- A port being bound by a service does not automagically mean it's cracked, nonetheless you should not (need to) run stale, unmaintained, vulnerable Fedora releases and neither should you prefer telnet over SSH.
* Try to connect to the port when the VM is up to determine what service it actually is.

If you're using some redhat derivative you want to use service vncserver status but as mentioned many other programs can provide vnc server services. For example, kvm and virt-manager use vnc to show virtual machine consoles. You can use netstat -aln to identify the process that's listening on 5900.

netstat
 

What is listening on that port?

Once you know the name of the program you can trace back to which package it came from.