Security Incidents mailing list archives
RE: Increase in TCP 6129 (Dameware) scans?
From: "Train25" <sreddick () ns sympatico ca>
Date: Thu, 22 Jan 2004 19:32:02 -0400
We have seen an increase on our local network as well over the past 2 days. We had to ghost approx. 80-85 PCs. We have found DWRCS.EXE, DWRCK.DLL, DWRCS.INI, DWRCSET.DLL, DWRCShell.dll (DameWare server files, which is not an app we have used) as well as Serv-U.cnt, start.bat (started the Serv-U FTP), ServUDaemon.ini, and firedeamon.exe, all located in the system32 folder on ALL machines.

We can confirm there is an exploit out in the wild for DameWare (http://www.security-corporation.com/download/exploit/DameWeird.c).

We currently set up 3 PCs with honeypots in order to trap and further investigate. But as we have seen, they are connecting to port 6129 and a reverse shell is binding to a dictated port to the attacker's PC. From there we are seeing the attacker use ftp.exe to connect to a specified FTP and upload files to our network PCs. Then they reconnect and run the start.bat file, which is automatically installing the FTP service and disabling the DameWare service which was running.

Sorry for the rambling, but I thought I would update everyone on our initial investigation.
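The post above lists two kinds of indicator: a fixed set of file names dropped into system32, and network activity (a listener on TCP 6129, an inbound session on it, and outbound FTP from ftp.exe used to stage the Serv-U files). The script below is an added triage example written for this page, not code from the original post or from DameWare or Serv-U; it matches a directory listing against those file names and flags the described connections in `netstat -ano` style output. The listing and netstat text are constructed samples, the PIDs and the 203.0.113.7 address are made up, and the extra spelling `firedaemon.exe` is an assumption (the post writes `firedeamon.exe`).

```python
"""Triage helper for the DameWare (TCP 6129) / Serv-U compromise pattern.

Added example, not from the original post.  Input here is constructed:
a fake system32 listing and fake `netstat -ano` output.
"""
import re

# File names the post reports in %SystemRoot%\system32, lower-cased for matching.
# 'firedaemon.exe' is an assumption: the post spells it 'firedeamon.exe'.
IOC_FILES = {
    "dwrcs.exe", "dwrck.dll", "dwrcs.ini", "dwrcset.dll", "dwrcshell.dll",
    "serv-u.cnt", "start.bat", "servudaemon.ini",
    "firedeamon.exe", "firedaemon.exe",
}
DAMEWARE_PORT = 6129   # DameWare Mini Remote Control service port
FTP_PORT = 21          # attacker used ftp.exe to pull the Serv-U files

# Only TCP lines matter here; the trailing PID column is optional (netstat -an).
NETSTAT_RE = re.compile(
    r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+|\*)\s+(\S+)(?:\s+(\d+))?\s*$")


def find_ioc_files(filenames):
    """Return the IOC file names present in a directory listing (case-insensitive)."""
    return sorted({f for f in filenames if f.lower() in IOC_FILES})


def parse_netstat(text):
    """Parse TCP rows of `netstat -ano` output into dicts; other lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        laddr, lport, raddr, rport, state, pid = m.groups()
        rows.append({
            "laddr": laddr, "lport": int(lport),
            "raddr": raddr, "rport": None if rport == "*" else int(rport),
            "state": state, "pid": pid,
        })
    return rows


def flag_connections(rows):
    """Flag the network behaviour described in the post: 6129 listener,
    inbound 6129 session, outbound FTP used to stage files."""
    findings = []
    for r in rows:
        if r["lport"] == DAMEWARE_PORT and r["state"] == "LISTENING":
            findings.append(f"DameWare service listening on {r['laddr']}:{r['lport']} (pid {r['pid']})")
        elif r["lport"] == DAMEWARE_PORT and r["state"] == "ESTABLISHED":
            findings.append(f"inbound DameWare session from {r['raddr']}:{r['rport']} (pid {r['pid']})")
        elif r["rport"] == FTP_PORT and r["state"] == "ESTABLISHED":
            findings.append(f"outbound FTP to {r['raddr']}:{r['rport']} (pid {r['pid']}), matches ftp.exe staging")
    return findings


def triage(listing, netstat_text):
    """Combine both checks into one report for a host."""
    return {
        "files": find_ioc_files(listing),
        "connections": flag_connections(parse_netstat(netstat_text)),
    }


# Constructed sample data (not captured from a real host).
SAMPLE_SYSTEM32 = ["kernel32.dll", "DWRCS.EXE", "DWRCSET.DLL", "ServUDaemon.ini",
                   "start.bat", "FireDaemon.exe", "notepad.exe"]

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:6129           0.0.0.0:0              LISTENING       1496
  TCP    192.168.1.20:6129      203.0.113.7:3412       ESTABLISHED     1496
  TCP    192.168.1.20:1054      203.0.113.7:21         ESTABLISHED     1720
  TCP    192.168.1.20:1055      203.0.113.7:21         ESTABLISHED     1720
"""

if __name__ == "__main__":
    report = triage(SAMPLE_SYSTEM32, SAMPLE_NETSTAT)
    for name in report["files"]:
        print("IOC file:", name)
    for line in report["connections"]:
        print("network:", line)
```

On a real host you would feed `triage()` the output of `dir %SystemRoot%\system32 /b` and `netstat -ano`; a 6129 listener on a machine where DameWare was never installed, combined with any of the listed files, is the combination the post describes. The port match alone is weak evidence, since a legitimately deployed DameWare service also listens there.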
Current thread:
- Increase in TCP 6129 (Dameware) scans? Kevin Patz (Jan 22)
- RE: Increase in TCP 6129 (Dameware) scans? Lawrence Baldwin (Jan 22)
- Re: Increase in TCP 6129 (Dameware) scans? Brian Collins (Jan 22)
- Re: Increase in TCP 6129 (Dameware) scans? Jordan Wiens (Jan 22)
- <Possible follow-ups>
- RE: Increase in TCP 6129 (Dameware) scans? Michael Wright (Jan 22)
- RE: Increase in TCP 6129 (Dameware) scans? Kevin Patz (Jan 22)
- Re: Increase in TCP 6129 (Dameware) scans? Neil Dickey (Jan 22)
- RE: Increase in TCP 6129 (Dameware) scans? Train25 (Jan 23)
- RE: Increase in TCP 6129 (Dameware) scans? Michael Wright (Jan 22)
- RE: Increase in TCP 6129 (Dameware) scans? Neil Dickey (Jan 23)