Security Incidents mailing list archives

RE: Increase in TCP 6129 (Dameware) scans?


From: Neil Dickey <neil () geol niu edu>
Date: Fri, 23 Jan 2004 09:18:08 -0600 (CST)


"Michael Wright" <mcwright () dbls com> wrote in part:

> I believe the scanner is actually attempting a connection rather than simply
> gathering intelligence on infected hosts.  The reason I believe this:
>
> 1.  Source port appears to remain static

In my case this isn't what's happening.  Here is an excerpt from my
Snort portscan log:

Jan 22 04:41:38 163.27.5.154:3641 -> aaa.bbb.ccc.2:6129 SYN ******S* 
Jan 22 04:41:37 163.27.5.154:3643 -> aaa.bbb.ccc.3:6129 SYN ******S* 
Jan 22 04:41:38 163.27.5.154:3653 -> aaa.bbb.ccc.6:6129 SYN ******S* 
Jan 22 04:41:36 163.27.5.154:3666 -> aaa.bbb.ccc.9:6129 SYN ******S* 
Jan 22 04:41:36 163.27.5.154:3672 -> aaa.bbb.ccc.11:6129 SYN ******S* 
Jan 22 04:41:37 163.27.5.154:3771 -> aaa.bbb.ccc.40:6129 SYN ******S* 
Jan 22 04:41:37 163.27.5.154:3781 -> aaa.bbb.ccc.43:6129 SYN ******S* 
Jan 22 04:41:37 163.27.5.154:3785 -> aaa.bbb.ccc.44:6129 SYN ******S* 
Jan 22 04:41:38 163.27.5.154:3787 -> aaa.bbb.ccc.45:6129 SYN ******S* 
Jan 22 04:41:39 163.27.5.154:4600 -> aaa.bbb.ccc.201:6129 SYN ******S* 
Jan 22 04:41:41 163.27.5.154:4746 -> aaa.bbb.ccc.227:6129 SYN ******S* 

> 2.  The sequence numbers of the TCP packets remain the same

I can confirm that.  Here are a few packet captures from the same
event:

[**] [1:0:0] HP LaserJet Attack-501B [**]
[Priority: 0] 
01/22-04:41:40.299088 FF:FF:FF:FF:FF:FF -> 00:00:00:00:00:00 type:0x800 len:0x3E
163.27.5.154:4746 -> aaa.bbb.ccc.227:6129 TCP TTL:113 TOS:0x0 ID:40978 IpLen:20 DgmLen:48 DF
******S* Seq: 0x1D184A7  Ack: 0x0  Win: 0xFFFF  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

[**] [1:0:0] HP LaserJet Attack-501B [**]
[Priority: 0] 
01/22-04:41:41.020419 FF:FF:FF:FF:FF:FF -> 00:00:00:00:00:00 type:0x800 len:0x3E
163.27.5.154:4746 -> aaa.bbb.ccc.227:6129 TCP TTL:113 TOS:0x0 ID:41276 IpLen:20 DgmLen:48 DF
******S* Seq: 0x1D184A7  Ack: 0x0  Win: 0xFFFF  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

[**] [1:0:0] HP LaserJet Attack-501B [**]
[Priority: 0] 
01/22-04:41:41.724744 FF:FF:FF:FF:FF:FF -> 00:00:00:00:00:00 type:0x800 len:0x3E
163.27.5.154:4746 -> aaa.bbb.ccc.227:6129 TCP TTL:113 TOS:0x0 ID:41579 IpLen:20 DgmLen:48 DF
******S* Seq: 0x1D184A7  Ack: 0x0  Win: 0xFFFF  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois
60115
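As an added example, not part of Neil's or Michael's posts, the script below parses the two Snort output formats shown above (the portscan log and the packet alert records) and checks the two points under discussion: whether a source host reuses one source port across targets or picks a fresh ephemeral port per target, and whether repeated SYNs to the same target keep the same initial sequence number with a rising IP ID and retransmission-like spacing, which is what an ordinary TCP stack does when retrying a connect(). The sample input is copied from the log excerpts in this message (destination masked as aaa.bbb.ccc.N, as in the post); the function names, regexes and verdict wording are my own assumptions, not Snort's API.

```python
"""Profile Snort portscan and alert output: static vs ephemeral source ports,
and same-ISN SYN retransmissions within one flow. Added example; sample
lines are taken from the mailing list post above, analysis code is my own."""
import re
from collections import defaultdict

# Portscan log line: "Jan 22 04:41:38 163.27.5.154:3641 -> aaa.bbb.ccc.2:6129 SYN ******S*"
PORTSCAN_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<src>[\w.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\w.]+):(?P<dport>\d+) (?P<proto>\S+) (?P<flags>\S+)")
# Alert record lines: timestamp line, IP header line, TCP line.
ALERT_TS_RE = re.compile(r"^\d\d/\d\d-(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d\.\d+) ")
ALERT_HDR_RE = re.compile(
    r"^(?P<src>[\w.]+):(?P<sport>\d+) -> (?P<dst>[\w.]+):(?P<dport>\d+) TCP "
    r"TTL:(?P<ttl>\d+) .*\bID:(?P<ipid>\d+)\b")
ALERT_TCP_RE = re.compile(
    r"^(?P<flags>\S+) Seq: 0x(?P<seq>[0-9A-Fa-f]+)\s+Ack: 0x(?P<ack>[0-9A-Fa-f]+)")

# Sample input, copied from the post (destination net masked as in the post).
PORTSCAN_LOG = """\
Jan 22 04:41:38 163.27.5.154:3641 -> aaa.bbb.ccc.2:6129 SYN ******S*
Jan 22 04:41:37 163.27.5.154:3643 -> aaa.bbb.ccc.3:6129 SYN ******S*
Jan 22 04:41:38 163.27.5.154:3653 -> aaa.bbb.ccc.6:6129 SYN ******S*
Jan 22 04:41:36 163.27.5.154:3666 -> aaa.bbb.ccc.9:6129 SYN ******S*
Jan 22 04:41:36 163.27.5.154:3672 -> aaa.bbb.ccc.11:6129 SYN ******S*
Jan 22 04:41:37 163.27.5.154:3771 -> aaa.bbb.ccc.40:6129 SYN ******S*
Jan 22 04:41:37 163.27.5.154:3781 -> aaa.bbb.ccc.43:6129 SYN ******S*
Jan 22 04:41:37 163.27.5.154:3785 -> aaa.bbb.ccc.44:6129 SYN ******S*
Jan 22 04:41:38 163.27.5.154:3787 -> aaa.bbb.ccc.45:6129 SYN ******S*
Jan 22 04:41:39 163.27.5.154:4600 -> aaa.bbb.ccc.201:6129 SYN ******S*
Jan 22 04:41:41 163.27.5.154:4746 -> aaa.bbb.ccc.227:6129 SYN ******S*
"""
ALERT_LOG = """\
[**] [1:0:0] HP LaserJet Attack-501B [**]
[Priority: 0]
01/22-04:41:40.299088 FF:FF:FF:FF:FF:FF -> 00:00:00:00:00:00 type:0x800 len:0x3E
163.27.5.154:4746 -> aaa.bbb.ccc.227:6129 TCP TTL:113 TOS:0x0 ID:40978 IpLen:20 DgmLen:48 DF
******S* Seq: 0x1D184A7  Ack: 0x0  Win: 0xFFFF  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] HP LaserJet Attack-501B [**]
[Priority: 0]
01/22-04:41:41.020419 FF:FF:FF:FF:FF:FF -> 00:00:00:00:00:00 type:0x800 len:0x3E
163.27.5.154:4746 -> aaa.bbb.ccc.227:6129 TCP TTL:113 TOS:0x0 ID:41276 IpLen:20 DgmLen:48 DF
******S* Seq: 0x1D184A7  Ack: 0x0  Win: 0xFFFF  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] HP LaserJet Attack-501B [**]
[Priority: 0]
01/22-04:41:41.724744 FF:FF:FF:FF:FF:FF -> 00:00:00:00:00:00 type:0x800 len:0x3E
163.27.5.154:4746 -> aaa.bbb.ccc.227:6129 TCP TTL:113 TOS:0x0 ID:41579 IpLen:20 DgmLen:48 DF
******S* Seq: 0x1D184A7  Ack: 0x0  Win: 0xFFFF  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
"""


def parse_portscan(text):
    """One dict per portscan log line; unparseable lines are skipped."""
    out = []
    for line in text.splitlines():
        if m := PORTSCAN_RE.match(line.strip()):
            d = m.groupdict()
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            out.append(d)
    return out


def parse_alerts(text):
    """Pair each alert's timestamp, IP header and TCP line into one record."""
    records, cur = [], {}
    for line in text.splitlines():
        line = line.strip()
        if m := ALERT_TS_RE.match(line):
            cur = {"t": int(m["h"]) * 3600 + int(m["m"]) * 60 + float(m["s"])}
        elif m := ALERT_HDR_RE.match(line):
            cur.update(src=m["src"], sport=int(m["sport"]), dst=m["dst"],
                       dport=int(m["dport"]), ttl=int(m["ttl"]), ipid=int(m["ipid"]))
        elif m := ALERT_TCP_RE.match(line):
            cur.update(flags=m["flags"], seq=int(m["seq"], 16), ack=int(m["ack"], 16))
            records.append(cur)
            cur = {}
    return records


def source_port_profile(records):
    """Per source host: one fixed source port across targets, or a new one per target?"""
    by_src = defaultdict(lambda: {"sports": set(), "dsts": set()})
    for r in records:
        by_src[r["src"]]["sports"].add(r["sport"])
        by_src[r["src"]]["dsts"].add(r["dst"])
    out = {}
    for src, d in by_src.items():
        if len(d["dsts"]) > 1 and len(d["sports"]) == 1:
            verdict = "static source port across targets"
        elif len(d["sports"]) >= len(d["dsts"]):
            verdict = "new ephemeral source port per target"
        else:
            verdict = "source ports partly reused"
        out[src] = {"targets": len(d["dsts"]), "ports": len(d["sports"]), "verdict": verdict}
    return out


def syn_retransmit_profile(alerts):
    """Per 4-tuple: do repeated SYNs share one ISN, with rising IP ID and RTO-like gaps?"""
    flows = defaultdict(list)
    for a in alerts:
        flows[(a["src"], a["sport"], a["dst"], a["dport"])].append(a)
    out = {}
    for key, pk in flows.items():
        pk.sort(key=lambda a: a["t"])
        seqs = {a["seq"] for a in pk}
        ipids = [a["ipid"] for a in pk]
        gaps = [round(b["t"] - a["t"], 3) for a, b in zip(pk, pk[1:])]
        rising = all(x < y for x, y in zip(ipids, ipids[1:]))
        if len(pk) > 1 and len(seqs) == 1 and rising:
            verdict = "same ISN, rising IP ID: a TCP stack retransmitting one SYN"
        elif len(seqs) == 1:
            verdict = "same ISN but IP ID not rising: possibly replayed or crafted"
        else:
            verdict = "ISN changes between SYNs: separate connection attempts"
        out[key] = {"packets": len(pk), "isns": sorted(seqs), "ipids": ipids,
                    "gaps_s": gaps, "verdict": verdict}
    return out


if __name__ == "__main__":
    for src, p in source_port_profile(parse_portscan(PORTSCAN_LOG)).items():
        print(src, p)
    for flow, p in syn_retransmit_profile(parse_alerts(ALERT_LOG)).items():
        print(flow, p)
```

On the excerpt above the source host uses a different ephemeral port for every target, and the three SYNs to one target share the ISN 0x1D184A7, carry IP IDs 40978, 41276, 41579 and arrive about 0.7 s apart, which is the shape of a normal stack retrying connect() rather than a packet generator replaying one frame.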
