Security Incidents mailing list archives

RE: Dameware intrusion (was Increase in TCP 6129 (Dameware) scans?)


From: "Train25" <sreddick () ns sympatico ca>
Date: Fri, 23 Jan 2004 19:02:02 -0400

Yes, it was installed hidden and running in the services as "Utility Manager",
while the Serv-U FTP was masked as "Telephony" in most cases. But the 3
honeypots we have set up at the moment have combined been hit 800+ times today
alone. We have the 3 boxes locked down so no harm will come to our local
network. At last count we had 17 different root kits that had been
installed between the 3 boxes. The attackers' methods are basically the same in
each case, and currently we have our security analyst connected and logging
activity of a botnet containing almost 24,000 infected machines. I must give
these attackers some credit and wish they were on our side of the fence.

Earlier today we updated one box to the newer version of Dameware to test
its security against this exploit and have found it will deny attackers
remote access, although the Dameware client does crash very often with the
amount of hits we have been receiving.



-----Original Message-----
From: allan.vanleeuwen () orangemail nl [mailto:allan.vanleeuwen () orangemail nl]

Sent: Friday, January 23, 2004 12:22 PM
To: incidents () securityfocus com
Subject: Dameware intrusion (was Increase in TCP 6129 (Dameware) scans?)

Hi there ....

If Dameware is not something you normally use ... and it is the hackers' point
of entry ...
then how did Dameware ever get installed?
My guess is the boxes already got hacked in the past through some other
exploit (most likely a simple admin password and port 139/445 open).
Newbie hackers use Dameware Mini Remote Control in order to do their
installs (for the not so knowledgeable, remote control is easier than
writing an installation script). Either that ... or someone on your internal
network has been using Dameware without your knowledge ... (he would need
an admin password in order to install the service on each box.)
You could check the DWRCS.INI to see if it was installed 'hidden' from the
user... That might tell you if the usage of Dameware was for a 'legit' purpose
...
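Both messages above describe the same triage problem: a remote-control service (Dameware, whose service files are named DWRCS.*) and a Serv-U FTP daemon registered under the display names of legitimate Windows services ("Utility Manager", "Telephony"). The script below is an added example, not part of the original thread or of either poster's tooling. It compares the service inventory of a suspect box against a known-good baseline taken from a clean machine of the same build, and flags display names that now run a different executable, services with no counterpart in the baseline, and any service whose executable is on a short watch list of remote-administration/FTP binaries. The service records, the baseline, the `dwrcs.exe` / `servudaemon.exe` file names and the `svchost.exe -k tapisrv` path are constructed sample data and assumptions for illustration; on a real system the inventory would come from `sc qc` or WMI output.

```python
"""Baseline comparison of Windows service registrations.

Added example for the Dameware intrusion thread; not the posters' own code.
All service records below are constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Service:
    name: str          # short service name (the registry key under Services)
    display_name: str  # what the Services MMC shows
    binary_path: str   # ImagePath value, possibly quoted and with arguments


# Assumption: executables that indicate remote-control or FTP software which,
# if nobody installed it on purpose, deserves a closer look.
REMOTE_TOOL_BINARIES = {"dwrcs.exe", "servudaemon.exe"}


def exe_name(binary_path: str) -> str:
    """Return the lower-cased executable file name from an ImagePath value,
    handling quoted paths and trailing arguments such as '-k tapisrv'."""
    path = binary_path.strip()
    if path.startswith('"'):
        path = path[1:].split('"', 1)[0]       # take the quoted part only
    else:
        path = path.split(" ", 1)[0]           # drop arguments after the path
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def compare_to_baseline(baseline: List[Service],
                        observed: List[Service]) -> List[Tuple[str, str, str]]:
    """Return (reason, short_name, executable) findings for the observed box.

    reason is one of:
      'changed'     - display name exists in the baseline but now runs a
                      different executable (a renamed or replaced service)
      'new'         - display name is not in the baseline at all
      'remote-tool' - executable is on REMOTE_TOOL_BINARIES
    A single service can yield more than one finding.
    """
    base_by_display = {s.display_name: exe_name(s.binary_path) for s in baseline}
    findings = []
    for svc in observed:
        exe = exe_name(svc.binary_path)
        expected = base_by_display.get(svc.display_name)
        if expected is None:
            findings.append(("new", svc.name, exe))
        elif expected != exe:
            findings.append(("changed", svc.name, exe))
        if exe in REMOTE_TOOL_BINARIES:
            findings.append(("remote-tool", svc.name, exe))
    return findings


# Constructed baseline from a clean box (paths are illustrative assumptions).
BASELINE = [
    Service("TapiSrv", "Telephony", r"C:\WINDOWS\System32\svchost.exe -k tapisrv"),
    Service("Spooler", "Print Spooler", r"C:\WINDOWS\System32\spoolsv.exe"),
    Service("Dnscache", "DNS Client", r"C:\WINDOWS\System32\svchost.exe -k NetworkService"),
]

# Constructed inventory of a compromised honeypot, mirroring what the thread
# reports: Serv-U hiding behind "Telephony", Dameware behind "Utility Manager".
OBSERVED = [
    Service("Telephony", "Telephony", r"C:\WINDOWS\System32\wins\ServUDaemon.exe"),
    Service("Spooler", "Print Spooler", r"C:\WINDOWS\System32\spoolsv.exe"),
    Service("Dnscache", "DNS Client", r"C:\WINDOWS\System32\svchost.exe -k NetworkService"),
    Service("DWRCS", "Utility Manager", '"C:\\WINDOWS\\System32\\DWRCS.EXE"'),
]


def sample_findings() -> List[Tuple[str, str, str]]:
    """Run the comparison on the constructed data."""
    return compare_to_baseline(BASELINE, OBSERVED)


if __name__ == "__main__":
    for reason, name, exe in sample_findings():
        print(f"{reason:12} {name:12} {exe}")
```

The comparison is keyed on display name on purpose: that is the field an operator sees in the Services console and the one the intruders in this thread reused, while the short name and ImagePath are what actually changed. Untouched services such as Print Spooler and DNS Client produce no output, so the list stays short enough to read during an incident.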
