Internet-Security.com TCP port 5901 details

TCP port 5901 is commonly used by VNC servers implementing the RFB protocol for display :1 (the second VNC desktop).
TigerVNC’s vncserver (e.g., vncserver :1) listens on 5901 on Linux/Unix systems.
TightVNC Server and UltraVNC on Windows can be configured to run additional displays on 5901.
RealVNC Server also supports multiple virtual desktops and commonly maps display :1 to port 5901.
QEMU/KVM’s built-in VNC server uses 5900+display, so -vnc :1 makes the VM’s console available on 5901.
VMware ESXi can expose a VM via VNC when enabled, using 5900+display numbering, so a VM set to display 1 appears on 5901.
Many VNC-enabled container images (e.g., dorowu/ubuntu-desktop-lxde-vnc, accetto/ubuntu-vnc-xfce) expose 5901 for remote desktop access, and noVNC gateways often proxy to a backend VNC server on 5901.
Security note: exposed VNC on 5901 is frequently targeted for brute-force and unauthenticated access attacks, and has been used in intrusions and ransomware deployment when left open without encryption or strong credentials.

TCP 5901