Security Incidents mailing list archives
Re: Increase in TCP 6129 (Dameware) scans?
From: Brian Collins <listbc () newnanutilities org>
Date: Thu, 22 Jan 2004 12:37:20 -0500
Lately I've been seeing a dramatic increase in scans on TCP port 6129, which belongs to the Dameware Mini Remote Control. From 1/17 on I've seen from 17 to 50 attempts per day, steadily increasing. Looking on incidents.org, there are some comments that seem to indicate that there could be a trojan that installs Dameware and allows hackers to gain control of such infected PCs. Either that or there is a vulnerability in Dameware or a lot of improperly secured installations of it. Any comments? This seems to be the #1 "trojan" port scan lately, surpassing SubSeven and Kuang2.
Yep, we're seeing it, too. My observations thus far:
1. src port is always 220
2. sequence numbers from a single host remain the same
3. occasionally it will zero in on one host and send packets with decreasing ttls; I have no idea yet why it picks on a particular host - the host had not responded to it
4. it increments IPs to scan by the 3rd octet, not the 4th (presumably to sneak past IDS'?)
Some packets, if anyone wants a look, are at: http://misweb.newnanutilities.org/packetdump/
--B C
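The four traits listed above (fixed source port 220, one sequence number reused across a host's packets, TTL countdown against a single target, 3rd-octet stepping) can be turned into a simple triage check over a connection log. This is an added example and not code from the post; the packet records are constructed, not taken from the linked packetdump, and the two-of-four threshold is an arbitrary choice.

```python
from collections import defaultdict

# Constructed sample records: (src_ip, src_port, dst_ip, dst_port, seq, ttl).
# Not real traffic from the post; the first source mimics the reported fingerprint.
SAMPLE_PACKETS = [
    ("203.0.113.7", 220, "192.0.2.5", 6129, 0x1A2B3C4D, 118),
    ("203.0.113.7", 220, "192.0.3.5", 6129, 0x1A2B3C4D, 118),
    ("203.0.113.7", 220, "192.0.4.5", 6129, 0x1A2B3C4D, 118),
    ("203.0.113.7", 220, "192.0.4.5", 6129, 0x1A2B3C4D, 117),   # TTL countdown
    ("203.0.113.7", 220, "192.0.4.5", 6129, 0x1A2B3C4D, 116),
    # Ordinary client: ephemeral ports, fresh ISN per SYN, walks the 4th octet
    ("198.51.100.9", 51234, "192.0.2.10", 6129, 0x11111111, 64),
    ("198.51.100.9", 51235, "192.0.2.11", 6129, 0x22222222, 64),
    ("198.51.100.9", 51236, "192.0.2.12", 6129, 0x33333333, 64),
]

def third_octet_sweep(dst_ips):
    """True when successive distinct targets advance only the 3rd octet."""
    octs = [tuple(map(int, ip.split("."))) for ip in dst_ips]
    pairs = [(a, b) for a, b in zip(octs, octs[1:]) if a != b]
    return bool(pairs) and all(
        a[:2] == b[:2] and a[3] == b[3] and b[2] == a[2] + 1 for a, b in pairs)

def find_dameware_scanners(packets, min_packets=3):
    """Return {src_ip: indicators} for sources probing TCP/6129 that show at
    least two traits from the thread: fixed src port 220, one sequence number
    reused on every packet, TTL countdown against one host, 3rd-octet sweep."""
    by_src = defaultdict(list)
    for src, sport, dst, dport, seq, ttl in packets:
        if dport == 6129:
            by_src[src].append((sport, dst, seq, ttl))
    report = {}
    for src, rows in by_src.items():
        if len(rows) < min_packets:
            continue
        ttls = defaultdict(list)          # per-target TTL sequence, in arrival order
        for _, dst, _, ttl in rows:
            ttls[dst].append(ttl)
        indicators = {
            "fixed_src_port_220": {r[0] for r in rows} == {220},
            "constant_seq": len({r[2] for r in rows}) == 1,
            "ttl_countdown": any(len(set(t)) > 1 and t == sorted(t, reverse=True)
                                 for t in ttls.values()),
            "third_octet_sweep": third_octet_sweep([r[1] for r in rows]),
        }
        if sum(indicators.values()) >= 2:
            report[src] = indicators
    return report
```

Feeding it the constructed records flags only 203.0.113.7, with all four indicators set; the ordinary client trips none.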