Security Incidents mailing list archives
RE: Dameware intrusion (was Increase in TCP 6129 (Dameware) scans?)
From: "Train25" <sreddick () ns sympatico ca>
Date: Fri, 23 Jan 2004 19:02:02 -0400
Yes, it was installed hidden and running in the services as "Utility Manager", while the Serv-U ftp was masked as "Telephony" in most cases. But the 3 honeypots we have set up at the moment have combined been hit 800+ times today alone. We have the 3 boxes locked down so no harm will come to our local network. At last count we had 17 different root kits that have been installed between the 3 boxes. The attackers' methods are basically the same in each case, and currently we have our security analyst connected and logging activity of a botnet containing almost 24,000 infected machines. I must give these attackers some credit and wish they were on our side of the fence.

Earlier today we updated one box to the newer version of Dameware to test its security against this exploit and have found it will deny attackers remote access. Although the Dameware client does crash very often with the amount of hits we have been receiving.

-----Original Message-----
From: allan.vanleeuwen () orangemail nl [mailto:allan.vanleeuwen () orangemail nl]
Sent: Friday, January 23, 2004 12:22 PM
To: incidents () securityfocus com
Subject: Dameware intrusion (was Increase in TCP 6129 (Dameware) scans?)

Hi there ....

If Dameware is not something you normally use ... And it is the hackers' point of entry ... Then how did Dameware ever get installed?

My guess is the boxes already got hacked in the past through some other exploit (most likely a simple admin password and port 139/445 open). Newbie hackers use Dameware Mini Remote Control in order to do their installs. (For the not so knowledgeable, remote control is easier than writing an installation script.)

Either that ... Or someone on your internal network has been using Dameware without your knowledge ... (he would need an admin password in order to install the service on each box.)

You could check the DWRCS.INI to see if it was installed 'hidden' from the user ... That might tell you if the usage of Dameware was for a 'legit' purpose ...
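As an added defender's check, not part of this thread or of any Dameware/Serv-U tooling: a small Python script that scans a service inventory (constructed sample below, in the shape of a CSV export of service name, display name and binary path) for the masquerade the post describes, i.e. a built-in display name such as "Utility Manager" or "Telephony" whose binary does not live under the system directory, or a binary that is a remote-control or FTP daemon. The executable names DWRCS.EXE and ServUDaemon.exe are assumptions, not taken from the post.

```python
"""Flag Windows services whose display name masquerades as a stock component."""
import csv
import io
import re

# Display names the post reports being abused; the genuine services behind these
# run from the system directory. Extend this set from your own baseline.
IMPERSONATED_DISPLAY_NAMES = {"Utility Manager", "Telephony"}
SYSTEM_DIR = re.compile(r'^"?[a-z]:\\(windows|winnt)\\system32\\', re.IGNORECASE)
# Assumed executable names for Dameware Mini Remote Control and Serv-U (not from the post).
UNWANTED_BINARIES = re.compile(r"(dwrcs|servudaemon)\.exe", re.IGNORECASE)

# Constructed sample inventory: one genuine Telephony service, one Dameware service
# hiding under a built-in display name, one Serv-U daemon doing the same, one benign service.
SAMPLE_INVENTORY = r"""Name,DisplayName,PathName
TapiSrv,Telephony,C:\WINDOWS\System32\svchost.exe -k tapisrv
DWMRCS,Utility Manager,C:\WINNT\system32\DWRCS.EXE
Telephony,Telephony,C:\Program Files\Serv-U\ServUDaemon.exe
Dnscache,DNS Client,C:\WINDOWS\System32\svchost.exe -k NetworkService
"""


def find_masquerading_services(csv_text):
    """Return (service name, display name, path, [reasons]) for each suspicious service."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        path = row["PathName"].strip()
        reasons = []
        # A built-in display name is only plausible if the binary sits in system32.
        if row["DisplayName"] in IMPERSONATED_DISPLAY_NAMES and not SYSTEM_DIR.match(path):
            reasons.append("built-in display name but binary outside the system directory")
        # Independently of the name, the binary itself may be a tool the host should not run.
        if UNWANTED_BINARIES.search(path):
            reasons.append("binary is a remote-control/FTP daemon")
        if reasons:
            findings.append((row["Name"], row["DisplayName"], path, reasons))
    return findings


if __name__ == "__main__":
    for name, display, path, reasons in find_masquerading_services(SAMPLE_INVENTORY):
        print(f"{name} ({display}): {path}\n    " + "\n    ".join(reasons))
```

The Dameware entry is caught only by the binary check because it was dropped into system32, which is why both checks are needed.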