Security Incidents mailing list archives

RE: Increase in TCP 6129 (Dameware) scans?


From: "Michael Wright" <mcwright () dbls com>
Date: Thu, 22 Jan 2004 12:16:36 -0500

I'm seeing similar scans on multiple firewalls.

Interesting findings:

1.  Port 220 seems to be a popular source port for the scans.
2.  It's a slow scan (presumably due to a single source port and TCP
utilization rather than UDP)

This is certainly a scan and not improperly secured installations due to the
sequential connection attempts from a single source IP. 

I'm currently seeing roughly 1800+ attempts per day, per firewall.  

Below is an example from one of my firewalls:  

04:40:51: 68.81.57.54:220 X.X.X.160:6129
04:40:56: 68.81.57.54:220 X.X.X.161:6129
04:41:00: 68.81.57.54:220 X.X.X.162:6129
04:41:05: 68.81.57.54:220 X.X.X.163:6129
04:41:10: 68.81.57.54:220 X.X.X.164:6129
04:41:14: 68.81.57.54:220 X.X.X.165:6129
04:41:19: 68.81.57.54:220 X.X.X.166:6129
04:41:23: 68.81.57.54:220 X.X.X.167:6129
04:41:27: 68.81.57.54:220 X.X.X.168:6129
04:41:32: 68.81.57.54:220 X.X.X.169:6129
04:41:37: 68.81.57.54:220 X.X.X.170:6129
04:41:41: 68.81.57.54:220 X.X.X.171:6129
04:41:46: 68.81.57.54:220 X.X.X.172:6129
04:41:50: 68.81.57.54:220 X.X.X.173:6129
04:41:55: 68.81.57.54:220 X.X.X.174:6129
04:42:00: 68.81.57.54:220 X.X.X.175:6129

-----Original Message-----
From: Kevin Patz [mailto:jambo_cat () yahoo com] 
Sent: Thursday, January 22, 2004 8:40 AM
To: incidents () securityfocus com
Subject: Increase in TCP 6129 (Dameware) scans?


Lately I've been seeing a dramatic increase in scans
on TCP port 6129, which belongs to the Dameware Mini
Remote Control. From 1/17 on I've seen from 17 to 50
attempts per day, steadily increasing.

Looking on incidents.org, there are some comments that
seem to indicate that there could be a trojan that
installs Dameware and allows hackers to gain control
of such infected PCs. Either that or there is a
vulnerability in Dameware or a lot of improperly
secured installations of it.

Any comments?  This seems to be the #1 "trojan" port
scan lately, surpassing SubSeven and Kuang2.


----------------------------------------------------------------------------
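Added example (not part of either message above): the reply's reasoning, that sequential destinations probed from one source on one port indicate a scan, written as a check over firewall lines in the layout quoted in the reply. The sample lines, the thresholds min_hosts and max_gap, and the function names are assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Line layout of the firewall excerpt: "HH:MM:SS: src:sport dst:dport".
# The destination may be partly redacted (X.X.X.160), so only its last octet is numeric.
LINE = re.compile(r"^(\d\d:\d\d:\d\d): (\S+):(\d+) (\S+)\.(\d+):(\d+)$")

# Constructed sample input (documentation address ranges), not real traffic.
SAMPLE = """\
04:40:51: 203.0.113.7:220 192.0.2.10:6129
04:40:56: 203.0.113.7:220 192.0.2.11:6129
04:41:00: 203.0.113.7:220 192.0.2.12:6129
04:41:02: 198.51.100.9:40312 192.0.2.25:443
04:41:05: 203.0.113.7:220 192.0.2.13:6129
04:41:10: 203.0.113.7:220 192.0.2.14:6129
04:41:14: 203.0.113.7:220 192.0.2.15:6129
04:43:30: 198.51.100.9:40377 192.0.2.40:6129
""".splitlines()

def parse(line):
    m = LINE.match(line.strip())
    if not m:
        return None
    ts, src, sport, net, host, dport = m.groups()
    return datetime.strptime(ts, "%H:%M:%S"), src, int(sport), net, int(host), int(dport)

def find_sweeps(lines, min_hosts=5, max_gap=30):
    """Report runs where one source walks consecutive hosts on one port."""
    groups = defaultdict(list)
    for ts, src, sport, net, host, dport in filter(None, map(parse, lines)):
        groups[(src, net, dport)].append((ts, host, sport))
    sweeps = []
    for (src, net, dport), hits in groups.items():
        hits.sort()                      # time order; log has no date, so runs end at midnight
        run = [hits[0]]
        for cur in hits[1:] + [None]:    # trailing None flushes the final run
            prev = run[-1]
            if cur and cur[1] - prev[1] == 1 and (cur[0] - prev[0]).total_seconds() <= max_gap:
                run.append(cur)
                continue
            if len(run) >= min_hosts:
                span = (run[-1][0] - run[0][0]).total_seconds()
                sweeps.append({"src": src, "dport": dport, "net": net,
                               "first": run[0][1], "last": run[-1][1],
                               "fixed_sport": len({h[2] for h in run}) == 1,
                               "secs_per_probe": round(span / (len(run) - 1), 1)})
            run = [cur]
    return sweeps
```

Calling find_sweeps(SAMPLE) returns one record for 203.0.113.7, with fixed_sport and secs_per_probe capturing the two traits the reply lists: a constant source port and a slow probe rate.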

