This Notice was copied from the reposting to the unisog mailing list at

It has come to our attention that some University IP space has recently been scanned for TCP port 6000, used to serve up X-sessions. We have reason to believe that many WINDOWS computers running various X software (Xwin32, eXceed, and others) are being compromised by having the equivalent of "xhost +" set.

Nature of the Problem:

With X software configured like this, anyone anywhere in the world can do anything they like to the display. This includes taking a snapshot of the screen or grabbing all keystrokes on the keyboard.

X, when run with access permissions disabled (e.g., in "xhost +" mode) will happily provide access to Xevent queues to anyone who requests it. Since X events include keystrokes, window resizing and (re)drawing, mouse movements, etc. (pretty much any user interaction that comes to mind), it's *TRIVIAL* to do things like take screen snapshots, move or resize windows, grab keystrokes, etc. We have positive evidence from other Universities that keystrokes *are* being captured.

eXceed and Xwin-32's default permissions are wide open, and others are fairly easy to configure that way. As the world of Windows is somewhat different from Unix with respect to X, it is highly likely that many users don't realize the danger an open X server poses.

What we've found works well is using PuTTY with X11 Forwarding enabled to connect to the remote system and then firing up X-Win32 in a local-only mode (only accepting X connections from the localhost).

Purdue's page on tunneling X over SSH:

UIC's pages on tunneling X over SSH with Exceed:

Some hints on how to find open Xservers in your address space nmap -sS -p6000 -oG output X.X.X.X/YY The Nessus plugin that can scan for this vulnerability is 10407 (X.nasl)

Other relevant links:

-                                                    -
Karen Swanberg | OIT Security and Assurance | U. of Mn
- | 612-625-8807           -