0

I installed vino on Lubuntu 18.04, and configured and started my vino server according to https://askubuntu.com/a/530196/1471 without understanding what the commands mean:

$ export DISPLAY=:0
$ gsettings set org.gnome.Vino enabled true # although fails, it doesn't matter
No such key “enabled”
$ gsettings set org.gnome.Vino prompt-enabled false
$ gsettings set org.gnome.Vino require-encryption false    
$ /usr/lib/vino/vino-server

From ifconfig and the output message of starting the server, I found the server's internal IP is 192.168.1.3 and the port is 5900. I connected to the server from RealVNC's VNC Viewer on my Android phone within the same Wi-Fi network, and the only authentication I was asked to provide was the password to log in to my Ubuntu. Our Wi-Fi network was set up by a previous tenant, the ISP is Verizon FIOS, and there is no special setup about it. In the monitoring output message of the server (see below), I can only guess that android-c28b29b650f6548c.home is the client on my Android phone, but I don't know who the clients 46.101.184.149, zg-0817a-64.stretchoid.com, 196.52.43.118, and scan-06.shadowserver.org belong to, except finding the following:

Is it correct that my vino server is being accessed from some dangerous clients other than the client on my android phone?

I haven't tried to do anything explicitly to make my vino server available to the Internet (or I am not aware that I did it), so how could these clients find and connect to my server from the Internet?

Shall I be worried about it and do some check on my Ubuntu to see if they have done some damage?

What can I do to securely use my VNC server, if necessary?

Thanks.

$ /usr/lib/vino/vino-server

(vino-server:32529): dbind-WARNING **: 19:44:12.185: Error retrieving accessibility bus address: org.freedesktop.DBus.Error.ServiceUnknown: The name org.a11y.Bus was not provided by any .service files
19/08/2018 07:44:12 PM Autoprobing TCP port in (all) network interface
19/08/2018 07:44:12 PM Listening IPv6://[::]:5900
19/08/2018 07:44:12 PM Listening IPv4://0.0.0.0:5900
19/08/2018 07:44:12 PM Autoprobing selected port 5900
19/08/2018 07:44:12 PM Advertising security type: 'TLS' (18)
19/08/2018 07:44:12 PM Re-binding socket to listen for VNC connections on TCP port 5900 in (all) interface
19/08/2018 07:44:12 PM Listening IPv6://[::]:5900
19/08/2018 07:44:12 PM Listening IPv4://0.0.0.0:5900
19/08/2018 07:44:12 PM Clearing securityTypes
19/08/2018 07:44:12 PM Advertising security type: 'TLS' (18)
19/08/2018 07:44:12 PM Clearing securityTypes
19/08/2018 07:44:12 PM Advertising security type: 'TLS' (18)
19/08/2018 07:44:12 PM Advertising authentication type: 'No Authentication' (1)
19/08/2018 07:44:12 PM Re-binding socket to listen for VNC connections on TCP port 5900 in (all) interface
19/08/2018 07:44:12 PM Listening IPv6://[::]:5900
19/08/2018 07:44:12 PM Listening IPv4://0.0.0.0:5900
19/08/2018 07:44:12 PM Clearing securityTypes
19/08/2018 07:44:12 PM Clearing authTypes
19/08/2018 07:44:12 PM Advertising security type: 'TLS' (18)
19/08/2018 07:44:12 PM Advertising authentication type: 'VNC Authentication' (2)
19/08/2018 07:44:12 PM Clearing securityTypes
19/08/2018 07:44:12 PM Clearing authTypes
19/08/2018 07:44:12 PM Advertising security type: 'TLS' (18)
19/08/2018 07:44:12 PM Advertising authentication type: 'VNC Authentication' (2)
19/08/2018 07:44:12 PM Advertising security type: 'VNC Authentication' (2)
19/08/2018 07:44:17 PM [IPv4] Got connection from client android-c28b29b650f6548c.home
19/08/2018 07:44:17 PM   other clients:
19/08/2018 07:44:17 PM Client Protocol Version 3.7
19/08/2018 07:44:17 PM Advertising security type 18
19/08/2018 07:44:17 PM Advertising security type 2
19/08/2018 07:44:17 PM Client returned security type 2

** (vino-server:32529): WARNING **: 19:44:28.888: VNC authentication failure from 'android-c28b29b650f6548c.home'

19/08/2018 07:44:28 PM rfbAuthPasswordChecked: password check failed
19/08/2018 07:44:28 PM Client android-c28b29b650f6548c.home gone
19/08/2018 07:44:28 PM Statistics:
19/08/2018 07:44:28 PM   framebuffer updates 0, rectangles 0, bytes 0
19/08/2018 07:44:30 PM [IPv4] Got connection from client android-c28b29b650f6548c.home
19/08/2018 07:44:30 PM   other clients:
19/08/2018 07:44:30 PM Client Protocol Version 3.7
19/08/2018 07:44:30 PM Advertising security type 18
19/08/2018 07:44:30 PM Advertising security type 2
19/08/2018 07:44:30 PM Client returned security type 2

** (vino-server:32529): WARNING **: 19:44:40.531: Deferring authentication of 'android-c28b29b650f6548c.home' for 5 seconds

19/08/2018 07:44:45 PM rfbProcessClientNormalMessage: ignoring unknown encoding type 22
19/08/2018 07:44:45 PM rfbProcessClientNormalMessage: ignoring unknown encoding type 21
19/08/2018 07:44:45 PM rfbProcessClientNormalMessage: ignoring unknown encoding type 15
19/08/2018 07:44:45 PM rfbProcessClientNormalMessage: ignoring unknown encoding type -314
19/08/2018 07:44:45 PM Enabling NewFBSize protocol extension for client android-c28b29b650f6548c.home
19/08/2018 07:44:45 PM Pixel format for client android-c28b29b650f6548c.home:
19/08/2018 07:44:45 PM   8 bpp, depth 6
19/08/2018 07:44:45 PM   true colour: max r 3 g 3 b 3, shift r 4 g 2 b 0
19/08/2018 07:44:45 PM Pixel format for client android-c28b29b650f6548c.home:
19/08/2018 07:44:45 PM   32 bpp, depth 24, little endian
19/08/2018 07:44:45 PM   true colour: max r 255 g 255 b 255, shift r 16 g 8 b 0
19/08/2018 07:44:45 PM no translation needed

Gtk-Message: 20:43:41.511: GtkDialog mapped without a transient parent. This is discouraged.
Gtk-Message: 20:43:44.339: GtkDialog mapped without a transient parent. This is discouraged.
Gtk-Message: 20:43:52.072: GtkDialog mapped without a transient parent. This is discouraged.
19/08/2018 10:39:57 PM [IPv4] Got connection from client 46.101.184.149
19/08/2018 10:39:57 PM   other clients:
19/08/2018 10:39:57 PM      android-c28b29b650f6548c.home
19/08/2018 10:39:57 PM Client Protocol Version 3.3

** (vino-server:32529): WARNING **: 22:39:57.238: VNC authentication failure from '46.101.184.149'

19/08/2018 10:39:57 PM rfbAuthPasswordChecked: password check failed
19/08/2018 10:39:57 PM Client 46.101.184.149 gone
19/08/2018 10:39:57 PM Statistics:
19/08/2018 10:39:57 PM   framebuffer updates 0, rectangles 0, bytes 0
19/08/2018 10:43:41 PM [IPv4] Got connection from client 46.101.184.149
19/08/2018 10:43:41 PM   other clients:
19/08/2018 10:43:41 PM      android-c28b29b650f6548c.home
19/08/2018 10:43:41 PM Client Protocol Version 3.3

** (vino-server:32529): WARNING **: 22:43:41.812: Deferring authentication of '46.101.184.149' for 5 seconds


** (vino-server:32529): WARNING **: 22:43:47.449: VNC authentication failure from '46.101.184.149'

19/08/2018 10:43:47 PM rfbAuthPasswordChecked: password check failed
19/08/2018 10:47:27 PM [IPv4] Got connection from client 46.101.184.149
19/08/2018 10:47:27 PM   other clients:
19/08/2018 10:47:27 PM      46.101.184.149
19/08/2018 10:47:27 PM      android-c28b29b650f6548c.home
19/08/2018 10:47:27 PM Client Protocol Version 3.3

** (vino-server:32529): WARNING **: 22:47:27.692: Deferring authentication of '46.101.184.149' for 5 seconds


** (vino-server:32529): WARNING **: 22:47:32.452: VNC authentication failure from '46.101.184.149'

19/08/2018 10:47:32 PM rfbAuthPasswordChecked: password check failed
19/08/2018 10:51:12 PM [IPv4] Got connection from client 46.101.184.149
19/08/2018 10:51:12 PM   other clients:
19/08/2018 10:51:12 PM      46.101.184.149
19/08/2018 10:51:12 PM      46.101.184.149
19/08/2018 10:51:12 PM      android-c28b29b650f6548c.home
19/08/2018 10:51:12 PM Client Protocol Version 3.3

** (vino-server:32529): WARNING **: 22:51:12.833: Deferring authentication of '46.101.184.149' for 5 seconds


** (vino-server:32529): WARNING **: 22:51:18.448: VNC authentication failure from '46.101.184.149'

19/08/2018 10:51:18 PM rfbAuthPasswordChecked: password check failed
19/08/2018 10:54:58 PM [IPv4] Got connection from client 46.101.184.149
19/08/2018 10:54:58 PM   other clients:
19/08/2018 10:54:58 PM      46.101.184.149
19/08/2018 10:54:58 PM      46.101.184.149
19/08/2018 10:54:58 PM      46.101.184.149
19/08/2018 10:54:58 PM      android-c28b29b650f6548c.home
19/08/2018 10:54:58 PM Client Protocol Version 3.3

** (vino-server:32529): WARNING **: 22:54:58.339: Deferring authentication of '46.101.184.149' for 5 seconds


** (vino-server:32529): WARNING **: 22:55:03.449: VNC authentication failure from '46.101.184.149'

19/08/2018 10:55:03 PM rfbAuthPasswordChecked: password check failed
19/08/2018 10:58:43 PM [IPv4] Got connection from client 46.101.184.149
19/08/2018 10:58:43 PM   other clients:
19/08/2018 10:58:43 PM      46.101.184.149
19/08/2018 10:58:43 PM      46.101.184.149
19/08/2018 10:58:43 PM      46.101.184.149
19/08/2018 10:58:43 PM      46.101.184.149
19/08/2018 10:58:43 PM      android-c28b29b650f6548c.home
19/08/2018 10:58:43 PM Client Protocol Version 3.3

** (vino-server:32529): WARNING **: 22:58:43.756: Deferring authentication of '46.101.184.149' for 5 seconds


** (vino-server:32529): WARNING **: 22:58:49.448: VNC authentication failure from '46.101.184.149'

19/08/2018 10:58:49 PM rfbAuthPasswordChecked: password check failed

19/08/2018 11:02:28 PM [IPv4] Got connection from client 46.101.184.149
19/08/2018 11:02:28 PM   other clients:
19/08/2018 11:02:28 PM      46.101.184.149
19/08/2018 11:02:28 PM      46.101.184.149
19/08/2018 11:02:28 PM      46.101.184.149
19/08/2018 11:02:28 PM      46.101.184.149
19/08/2018 11:02:28 PM      46.101.184.149
19/08/2018 11:02:28 PM      android-c28b29b650f6548c.home
19/08/2018 11:02:28 PM Client Protocol Version 3.3

** (vino-server:32529): WARNING **: 23:02:28.345: Deferring authentication of '46.101.184.149' for 5 seconds


** (vino-server:32529): WARNING **: 23:02:33.449: VNC authentication failure from '46.101.184.149'

19/08/2018 11:02:33 PM rfbAuthPasswordChecked: password check failed
19/08/2018 11:30:51 PM [IPv4] Got connection from client zg-0817a-64.stretchoid.com
19/08/2018 11:30:51 PM   other clients:
19/08/2018 11:30:51 PM      46.101.184.149
19/08/2018 11:30:51 PM      46.101.184.149
19/08/2018 11:30:51 PM      46.101.184.149
19/08/2018 11:30:51 PM      46.101.184.149
19/08/2018 11:30:51 PM      46.101.184.149
19/08/2018 11:30:51 PM      46.101.184.149
19/08/2018 11:30:51 PM      android-c28b29b650f6548c.home
19/08/2018 11:31:01 PM rfbProcessClientProtocolVersion: client gone
19/08/2018 11:31:01 PM Client zg-0817a-64.stretchoid.com gone
19/08/2018 11:31:01 PM Statistics:
19/08/2018 11:31:01 PM   framebuffer updates 0, rectangles 0, bytes 0
sendto: Network is unreachable
sendto: Network is unreachable
20/08/2018 10:37:54 AM rfbProcessClientNormalMessage: read: Connection reset by peer
20/08/2018 10:37:54 AM Client android-c28b29b650f6548c.home gone
20/08/2018 10:37:54 AM Statistics:
20/08/2018 10:37:54 AM   key events received 32, pointer events 3932
20/08/2018 10:37:54 AM   framebuffer updates 7016, rectangles 13714, bytes 270216867
20/08/2018 10:37:54 AM     ZRLE rectangles 13714, bytes 270216867
20/08/2018 10:37:54 AM   raw bytes equivalent 538553044, compression ratio 1.993040
20/08/2018 02:15:10 PM [IPv4] Got connection from client 196.52.43.118
20/08/2018 02:15:10 PM   other clients:
20/08/2018 02:15:10 PM      46.101.184.149
20/08/2018 02:15:10 PM      46.101.184.149
20/08/2018 02:15:10 PM      46.101.184.149
20/08/2018 02:15:10 PM      46.101.184.149
20/08/2018 02:15:10 PM      46.101.184.149
20/08/2018 02:15:10 PM      46.101.184.149
20/08/2018 02:15:10 PM Client Protocol Version 3.7
20/08/2018 02:15:10 PM Advertising security type 18
20/08/2018 02:15:10 PM Advertising security type 2
20/08/2018 02:15:10 PM Client returned security type 1
20/08/2018 02:15:10 PM rfbAuthProcessSecurityTypeMessage: client returned unadvertised security type 1
20/08/2018 02:15:10 PM Client 196.52.43.118 gone
20/08/2018 02:15:10 PM Statistics:
20/08/2018 02:15:10 PM   framebuffer updates 0, rectangles 0, bytes 0
20/08/2018 02:31:26 PM [IPv4] Got connection from client scan-06.shadowserver.org
20/08/2018 02:31:26 PM   other clients:
20/08/2018 02:31:26 PM      46.101.184.149
20/08/2018 02:31:26 PM      46.101.184.149
20/08/2018 02:31:26 PM      46.101.184.149
20/08/2018 02:31:26 PM      46.101.184.149
20/08/2018 02:31:26 PM      46.101.184.149
20/08/2018 02:31:26 PM      46.101.184.149
20/08/2018 02:31:28 PM rfbProcessClientProtocolVersion: client gone
20/08/2018 02:31:28 PM Client scan-06.shadowserver.org gone
20/08/2018 02:31:28 PM Statistics:
20/08/2018 02:31:28 PM   framebuffer updates 0, rectangles 0, bytes 0
Tim

1 Answer

3

Firstly, you should isolate it while you work it out, so pull it off the network.

Next, you need to find out how the network it connects to is configured. Some possibilities for exposure to the internet: 1) you have it in the DMZ, 2) you are port forwarding, or 3) your VNC account is compromised.

  • Thanks. It is a home Wi-Fi set up by my landlord's previous tenant using a regular router and modem, and the ISP is Verizon FIOS. I don't think there is something special about the setup, regarding DMZ and port forwarding. I am not sure what you meant by my VNC account is compromised, and could you be specific? – Tim Aug 20 '18 at 20:24
  • Unless the host is added as/to the DMZ, or the service is being port-forwarded, the only other possibility is that the router itself is compromised and has a proxy set up to allow access to the internal network... which is very unlikely. I would bet bottom-dollar it's the DMZ host IP, or they port-forwarded everything so they could host a Minecraft server and forgot about it. ;) – Angelo Schilling Aug 20 '18 at 22:58
  • If you use a web-based VNC account, like it seems you do, then you have a persistent connection to the VNC server, which is maintained by the client you installed on the server. Should the credentials you use be easily predictable, or have been revealed/compromised, then these also could provide a way to get to your server. I'm not that familiar with Linux logs, but usually a browse through the ~var/log/ will show you info, which you need to correlate with the time you have on the logs above. You need to find intent and what they are doing. You also probably need to review the VNC configuration. – user2505690 Aug 21 '18 at 22:12
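
An added example, not part of the original question, answer or comments: one way to review a vino-server log like the one in the question is to tally events per client and separate hosts that only connected or failed authentication from hosts whose entries show post-authentication traffic. The sample log is constructed in the format shown in the question (host name and address are placeholders), and treating `Pixel format for client` lines and non-zero statistics as signs of an established session is an assumption based on where those lines appear in that log.

```python
import re
from collections import defaultdict

# Constructed sample in the log format shown in the question; the host name
# and the address 203.0.113.7 are placeholders, not values from the page.
SAMPLE_LOG = """\
19/08/2018 07:44:30 PM [IPv4] Got connection from client phone.home
19/08/2018 07:44:45 PM Pixel format for client phone.home:
19/08/2018 10:39:57 PM [IPv4] Got connection from client 203.0.113.7
** (vino-server:1234): WARNING **: 22:39:57.238: VNC authentication failure from '203.0.113.7'
19/08/2018 10:39:57 PM Client 203.0.113.7 gone
19/08/2018 10:39:57 PM Statistics:
19/08/2018 10:39:57 PM   framebuffer updates 0, rectangles 0, bytes 0
20/08/2018 10:37:54 AM Client phone.home gone
20/08/2018 10:37:54 AM Statistics:
20/08/2018 10:37:54 AM   key events received 32, pointer events 3932
20/08/2018 10:37:54 AM   framebuffer updates 7016, rectangles 13714, bytes 270216867
"""

PATTERNS = {
    "connections": re.compile(r"Got connection from client (\S+)"),
    "auth_failures": re.compile(r"VNC authentication failure from '([^']+)'"),
    "session_msgs": re.compile(r"Pixel format for client (\S+?):?\s*$"),
}
GONE = re.compile(r"Client (\S+) gone")
STATS = re.compile(r"(key events received|framebuffer updates) (\d+)")

def summarize(log_text):
    """Tally per-client events; statistics lines belong to the last 'gone' client."""
    clients = defaultdict(lambda: defaultdict(int))
    last_gone = None
    for line in log_text.splitlines():
        for field, rx in PATTERNS.items():
            if m := rx.search(line):
                clients[m.group(1)][field] += 1
        if m := GONE.search(line):
            last_gone = m.group(1)
        if (m := STATS.search(line)) and last_gone:
            clients[last_gone][m.group(1)] += int(m.group(2))
    return clients

def had_session(stats):
    """True if the log shows post-authentication traffic for this client."""
    return bool(stats["session_msgs"] or stats["framebuffer updates"]
                or stats["key events received"])

if __name__ == "__main__":
    for name, stats in summarize(SAMPLE_LOG).items():
        print(name, "SESSION" if had_session(stats) else "no session", dict(stats))
```

A client reported as having no session only connected or failed authentication according to the log; the summary covers the saved server output only, not what the host itself recorded.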