Full Disclosure mailing list archives
Re: Anyone else experiencing blasts o' port 6129 TCP?
From: Klaus Lichtenwalder <k.lichtenwalder () computer org>
Date: Sat, 03 Jan 2004 22:41:40 +0100
These are my results, since last Sunday, 3:00 CUT: the IPs originating the probe:

On Sat, 2004-01-03 at 20:35, Gregory A. Gilliss wrote:
Yep, got some Happy New Years traffic, although I wouldn't call it "blasts":

Jan 1 03:44:04 TCP: port 6129 connection attempt from 66.141.180.72:1616
Jan 1 05:35:16 TCP: port 6129 connection attempt from 212.125.229.164:54031
Jan 1 08:47:24 TCP: port 6129 connection attempt from 130.232.56.173:3560
Jan 1 09:28:19 TCP: port 6129 connection attempt from 203.202.187.211:2580
Jan 1 16:53:54 TCP: port 6129 connection attempt from 80.136.224.152:3414
Jan 2 00:48:25 TCP: port 6129 connection attempt from 80.100.90.53:41020
Jan 2 20:32:14 TCP: port 6129 connection attempt from 213.254.170.80:4778
Jan 3 03:28:28 TCP: port 6129 connection attempt from 80.81.125.227:32833
Jan 3 08:28:23 TCP: port 6129 connection attempt from 24.85.32.185:3007

All blocked of course; looks like a 'bot. Bet the sources are spoofed, but if anyone wants to track 'em, go ahead ;-)

G

On or about 2004.01.03 09:37:38 +0000, Jim Race (caferace () well com) said:

I noticed some action the previous 48 hours, and on checking logs this morning it seems that port 6129 (DameWare Remote Admin) was the common factor. ISC seems to have it on the top of their trends list: http://isc.sans.org/top10.html hmmmm.
--
------------------------------------------------------------------------
Klaus Lichtenwalder, Dipl. Inform., http://www.webforum.de/Klaus/
Fax +49-(0)89-9103579
Lichtenwalder () ACM org
NIC: KL2100, KL76-RIPE
K.Lichtenwalder () Computer org
PGP Key fingerprint = 4194 C7B8 C74E C607 E440 F075 BCA0 6B94 1B33 3FB7
Attachment:
signature.asc
Description: This is a digitally signed message part