Security Incidents mailing list archives

Re: Increase in TCP 6129 (Dameware) scans?


From: Brian Collins <listbc () newnanutilities org>
Date: Thu, 22 Jan 2004 12:37:20 -0500


Lately I've been seeing a dramatic increase in scans
on TCP port 6129, which belongs to the Dameware Mini
Remote Control. From 1/17 on I've seen from 17 to 50
attempts per day, steadily increasing.

Looking on incidents.org, there are some comments that
seem to indicate that there could be a trojan that
installs Dameware and allows hackers to gain control
of such infected PCs. Either that or there is a
vulnerability in Dameware or a lot of improperly
secured installations of it.

Any comments?  This seems to be the #1 "trojan" port
scan lately, surpassing SubSeven and Kuang2.

Yep, we're seeing it, too.

My observations thus far:
1. src port is always 220
2. sequence numbers from a single host remain the same
3. occasionally it will zero in on one host and send packets with decreasing ttls; I have no idea yet why it picks on a particular host - the host had not responded to it
4. it increments IPs to scan by the 3rd octet, not the 4th (presumably to sneak past IDS'?)

Some packets, if anyone wants a look, are at:
http://misweb.newnanutilities.org/packetdump/

--B C
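
An added example, not part of the original post: a Python sketch that checks each source sending to TCP 6129 for the four traits listed in the reply above. The record layout, the function and trait names, and the sample packets are constructed for illustration and are not taken from the linked packet dump.

```python
from collections import defaultdict
from ipaddress import IPv4Address

# Constructed records in arrival order: (src, sport, dst, dport, tcp_seq, ttl).
SAMPLE = [
    ("198.51.100.7", 220, "10.20.1.15", 6129, 0x5D3A9C01, 112),
    ("198.51.100.7", 220, "10.20.2.15", 6129, 0x5D3A9C01, 112),
    ("198.51.100.7", 220, "10.20.3.15", 6129, 0x5D3A9C01, 112),
    ("198.51.100.7", 220, "10.20.3.15", 6129, 0x5D3A9C01, 40),
    ("198.51.100.7", 220, "10.20.3.15", 6129, 0x5D3A9C01, 39),
    ("198.51.100.7", 220, "10.20.3.15", 6129, 0x5D3A9C01, 38),
    ("203.0.113.9", 40312, "10.20.3.15", 6129, 0x0BADF00D, 57),
    ("203.0.113.9", 40313, "10.20.3.15", 6129, 0x77E1A200, 57),
]

def scan_traits(records, port=6129, sport=220):
    """Return {source_ip: [traits matched]} for traffic to `port`."""
    by_src = defaultdict(list)
    for src, sp, dst, dp, seq, ttl in records:
        if dp == port:
            by_src[src].append((sp, int(IPv4Address(dst)), seq, ttl))
    out = {}
    for src, pkts in by_src.items():
        traits = []
        # 1. every packet uses the same fixed source port
        if all(p[0] == sport for p in pkts):
            traits.append("fixed_src_port")
        # 2. the TCP sequence number never changes across packets
        if len(pkts) > 1 and len({p[2] for p in pkts}) == 1:
            traits.append("constant_seq")
        # 4. targets share the first two octets and the last one,
        #    so only the third octet is being stepped
        dsts = {p[1] for p in pkts}
        if (len(dsts) > 1 and len({d >> 16 for d in dsts}) == 1
                and len({d & 0xFF for d in dsts}) == 1):
            traits.append("third_octet_walk")
        # 3. three or more packets to one host with strictly falling TTLs
        ttls = defaultdict(list)
        for _, d, _, t in pkts:
            ttls[d].append(t)
        if any(len(v) >= 3 and all(a > b for a, b in zip(v, v[1:]))
               for v in ttls.values()):
            traits.append("ttl_countdown")
        out[src] = traits
    return out

if __name__ == "__main__":
    for src, traits in scan_traits(SAMPLE).items():
        print(src, traits)
```
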
