Security Incidents mailing list archives
Re: Increase in TCP 6129 (Dameware) scans?
From: Neil Dickey <neil () geol niu edu>
Date: Thu, 22 Jan 2004 11:07:10 -0600 (CST)
Kevin Patz <jambo_cat () yahoo com> wrote:
Lately I've been seeing a dramatic increase in scans on TCP port 6129, which belongs to the Dameware Mini Remote Control. From 1/17 on I've seen from 17 to 50 attempts per day, steadily increasing.
I've been seeing that here as well. My chain of supposition -- and I may be quite wrong here -- begins with the observation that the increase seems to have followed a series of socially-engineered e-mail worms that drop backdoors when the user is gulled into activating them. I don't know the identity of the backdoor, but could it be DameWare?

I reported a scan to our ITS folks yesterday, in part to port 6129, and on investigation the source box was found to have a "new" user account with admin privileges, and to have copies of "Serv-U FTP" and -- you guessed it -- DameWare running on it. I think the scans are folks looking for successful hits from the e-mail worms.

Just my $0.02. If anyone knows better I'd be happy to learn.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois 60115