Security Incidents mailing list archives

Re: Increase in TCP 6129 (Dameware) scans?


From: Neil Dickey <neil () geol niu edu>
Date: Thu, 22 Jan 2004 11:07:10 -0600 (CST)


Kevin Patz <jambo_cat () yahoo com> wrote:

> Lately I've been seeing a dramatic increase in scans
> on TCP port 6129, which belongs to the Dameware Mini
> Remote Control. From 1/17 on I've seen from 17 to 50
> attempts per day, steadily increasing.

I've been seeing that here as well.  My chain of
supposition -- and I may be quite wrong here -- begins
with the observation that the increase seems to have
followed a series of socially-engineered e-mail worms
that drop backdoors when the user is gulled into
activating them.  I don't know the identity of the
backdoor, but could it be DameWare?

I reported a scan to our ITS folks yesterday, in part
to port 6129, and on investigation the source box was
found to have a "new" user account with admin
privileges, and to have copies of "Serv-U FTP" and --
you guessed it -- DameWare running on it.

I think the scans are folks looking for successful hits
from the e-mail worms.

Just my $0.02.  If anyone knows better I'd be happy to
learn.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois
60115


