Security Incidents mailing list archives
RE: Increase in TCP 6129 (Dameware) scans?
From: Kevin Patz <jambo_cat () yahoo com>
Date: Thu, 22 Jan 2004 10:19:02 -0800 (PST)
--- Michael Wright <mcwright () dbls com> wrote:
> I'm seeing similar scans on multiple firewalls. Interesting findings:
> 1. Port 220 seems to be a popular source port for the scans.

I noticed the same thing after posting my original inquiry.

> 2. It's a slow scan (presumably due to a single source port and TCP utilization rather than UDP)

Makes sense. Another thing I noticed, since my firewall drops unauthorized SYN packets, the source-220 scans only make one attempt, rather than the 2 or 3 tries that most applications requesting TCP connections make (including scans I've seen to 6129 with ephemeral source ports). Also, with the single source port, I bet these scans are just sniffing for machines that are listening on the port, rather than attempting to establish a connection--a TCP war-dialer of sorts. Tonight I'll set up a listener on the port to see how the scanners respond to an open port.

> I'm currently seeing roughly 1800+ attempts per day, per firewall.

I have a single IP (cable modem) so I typically only see one (or maybe two) scans per source IP. Today's count is 37 so far. I had 50 yesterday.
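
Added example (not part of the original post or thread): one way to separate the two behaviours described above in a firewall's dropped-SYN log, by counting SYN attempts per flow to TCP 6129 and flagging source port 220. The log format, sample records and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample of dropped-SYN records (not data from the thread).
# Assumed format: epoch_seconds src_ip src_port dst_ip dst_port
SAMPLE_LOG = """\
1074790000 198.51.100.7 220 192.0.2.10 6129
1074790040 203.0.113.5 3412 192.0.2.10 6129
1074790043 203.0.113.5 3412 192.0.2.10 6129
1074790049 203.0.113.5 3412 192.0.2.10 6129
1074790100 198.51.100.99 220 192.0.2.10 6129
1074790200 203.0.113.80 4001 192.0.2.10 80
"""

def classify_6129_probes(log_text, port=6129):
    """Group dropped SYNs to `port` by flow and label each by retry behaviour."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed records
        ts, src, sport, dst, dport = fields
        if int(dport) != port:
            continue  # only the port under discussion
        flows[(src, int(sport), dst)].append(int(ts))
    results = []
    for (src, sport, dst), times in sorted(flows.items()):
        attempts = len(times)
        # Per the post: ordinary clients retry a dropped SYN 2 or 3 times,
        # while the source-port-220 scans send exactly one.
        kind = "single-shot" if attempts == 1 else "stack-retry"
        results.append({"src": src, "sport": sport, "attempts": attempts,
                        "kind": kind, "fixed_sport_220": sport == 220})
    return results

def summarize(results):
    """Count flows per (kind, source-port-is-220) bucket."""
    summary = defaultdict(int)
    for r in results:
        summary[(r["kind"], r["fixed_sport_220"])] += 1
    return dict(summary)

if __name__ == "__main__":
    rows = classify_6129_probes(SAMPLE_LOG)
    for row in rows:
        print(row)
    print(summarize(rows))
```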