Full Disclosure mailing list archives

Re: Anyone else exoeriencing blasts o' port 6129 TCP?

From: Klaus Lichtenwalder <k.lichtenwalder () computer org>
Date: Sat, 03 Jan 2004 22:41:40 +0100

These are my results, since last sunday, 3:00 CUT:
the ip's originating the probe:

      2 12.18.102.139
      2 129.24.31.243
      2 193.175.236.28
      2 194.42.22.134
      3 195.110.84.82
      2 195.199.185.1
      2 199.0.194.131
      2 204.87.98.143
      1 206.135.39.149
      2 211.106.27.225
      2 212.100.101.200
      2 212.234.28.5
      4 213.32.96.239
      2 217.218.247.3
     11 217.232.181.21
      2 24.132.39.38
      1 24.136.103.158
      2 61.133.213.167
      2 65.210.193.5
      1 66.139.132.122


Am Sa, 2004-01-03 um 20.35 schrieb Gregory A. Gilliss:

Yep, got some Happy New Years traffic, although I wouldn't call it "blasts":

Jan  1 03:44:04 TCP: port 6129 connection attempt from 66.141.180.72:1616
Jan  1 05:35:16 TCP: port 6129 connection attempt from 212.125.229.164:54031
Jan  1 08:47:24 TCP: port 6129 connection attempt from 130.232.56.173:3560
Jan  1 09:28:19 TCP: port 6129 connection attempt from 203.202.187.211:2580
Jan  1 16:53:54 TCP: port 6129 connection attempt from 80.136.224.152:3414
Jan  2 00:48:25 TCP: port 6129 connection attempt from 80.100.90.53:41020
Jan  2 20:32:14 TCP: port 6129 connection attempt from 213.254.170.80:4778
Jan  3 03:28:28 TCP: port 6129 connection attempt from 80.81.125.227:32833
Jan  3 08:28:23 TCP: port 6129 connection attempt from 24.85.32.185:3007

All blocked of course; looks like a 'bot. Bet the sources are spoofed, but
if anyone wants to track 'em, go ahead ;-)

G

On or about 2004.01.03 09:37:38 +0000, Jim Race (caferace () well com) said:

I noticed some action the previous 48 hours, and on checking logs this 
morning it seems that port 6129 (DameWare Remote Admin) was the common 
factor. ISC seems to have it on the top of their trends list:

http://isc.sans.org/top10.html

hmmmm.

-- 
------------------------------------------------------------------------ 
 Klaus Lichtenwalder, Dipl. Inform.,       http://www.webforum.de/Klaus/
 Fax +49-(0)89-9103579                             Lichtenwalder () ACM org
 NIC: KL2100, KL76-RIPE                     K.Lichtenwalder () Computer org
 PGP Key fingerprint =4194 C7B8 C74E C607 E440  F075 BCA0 6B94 1B33 3FB7

Attachment: signature.asc
Description: Dies ist ein digital signierter Nachrichtenteil

Current thread:

Anyone else exoeriencing blasts o' port 6129 TCP? Jim Race (Jan 03)
- Re: Anyone else exoeriencing blasts o' port 6129 TCP? Gregory A. Gilliss (Jan 03)
  - Re: Anyone else exoeriencing blasts o' port 6129 TCP? Klaus Lichtenwalder (Jan 03)
- Re: Anyone else exoeriencing blasts o' port 6129 TCP? Rob Schrack (Jan 03)
  - Re: Anyone else exoeriencing blasts o' port 6129 TCP? Jim Race (Jan 03)
    - Re: Anyone else exoeriencing blasts o' port 6129 TCP? KF (Jan 03)
    - Re: Anyone else exoeriencing blasts o' port 6129 TCP? Rob Schrack (Jan 04)
- Re: Anyone else exoeriencing blasts o' port 6129 TCP? Jeff Kell (Jan 03)