Security Incidents mailing list archives
RE: Increase in TCP 6129 (Dameware) scans?
From: Neil Dickey <neil () geol niu edu>
Date: Fri, 23 Jan 2004 09:18:08 -0600 (CST)
"Michael Wright" <mcwright () dbls com> wrote in part:
> I believe the scanner is actually attempting a connection rather than
> simply gathering intelligence on infected hosts. The reason I believe
> this:
>
> 1. Source port appears to remain static

In my case this isn't what's happening. Here is an excerpt from my Snort
portscan log:

Jan 22 04:41:38 163.27.5.154:3641 -> aaa.bbb.ccc.2:6129 SYN ******S*
Jan 22 04:41:37 163.27.5.154:3643 -> aaa.bbb.ccc.3:6129 SYN ******S*
Jan 22 04:41:38 163.27.5.154:3653 -> aaa.bbb.ccc.6:6129 SYN ******S*
Jan 22 04:41:36 163.27.5.154:3666 -> aaa.bbb.ccc.9:6129 SYN ******S*
Jan 22 04:41:36 163.27.5.154:3672 -> aaa.bbb.ccc.11:6129 SYN ******S*
Jan 22 04:41:37 163.27.5.154:3771 -> aaa.bbb.ccc.40:6129 SYN ******S*
Jan 22 04:41:37 163.27.5.154:3781 -> aaa.bbb.ccc.43:6129 SYN ******S*
Jan 22 04:41:37 163.27.5.154:3785 -> aaa.bbb.ccc.44:6129 SYN ******S*
Jan 22 04:41:38 163.27.5.154:3787 -> aaa.bbb.ccc.45:6129 SYN ******S*
Jan 22 04:41:39 163.27.5.154:4600 -> aaa.bbb.ccc.201:6129 SYN ******S*
Jan 22 04:41:41 163.27.5.154:4746 -> aaa.bbb.ccc.227:6129 SYN ******S*

> 2. The sequence numbers of the TCP packets remain the same

I can confirm that. Here are a few packet captures from the same event:

[**] [1:0:0] HP LaserJet Attack-501B [**]
[Priority: 0]
01/22-04:41:40.299088 FF:FF:FF:FF:FF:FF -> 00:00:00:00:00:00 type:0x800 len:0x3E
163.27.5.154:4746 -> aaa.bbb.ccc.227:6129 TCP TTL:113 TOS:0x0 ID:40978 IpLen:20 DgmLen:48 DF
******S* Seq: 0x1D184A7 Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] HP LaserJet Attack-501B [**]
[Priority: 0]
01/22-04:41:41.020419 FF:FF:FF:FF:FF:FF -> 00:00:00:00:00:00 type:0x800 len:0x3E
163.27.5.154:4746 -> aaa.bbb.ccc.227:6129 TCP TTL:113 TOS:0x0 ID:41276 IpLen:20 DgmLen:48 DF
******S* Seq: 0x1D184A7 Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] HP LaserJet Attack-501B [**]
[Priority: 0]
01/22-04:41:41.724744 FF:FF:FF:FF:FF:FF -> 00:00:00:00:00:00 type:0x800 len:0x3E
163.27.5.154:4746 -> aaa.bbb.ccc.227:6129 TCP TTL:113 TOS:0x0 ID:41579 IpLen:20 DgmLen:48 DF
******S* Seq: 0x1D184A7 Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois 60115
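The two checks Michael Wright proposed (does the source port stay static? does the TCP sequence number stay the same?) can be applied mechanically to the two Snort formats quoted in the message above. The script below is an added example written for this archive page; it is not code from the thread, from either poster, or from Snort. It assumes the portscan.log line layout and the alert packet-dump layout exactly as they appear in the message; the function names are the editor's, and the sample input is copied (the packet dumps abridged to their IP and TCP lines) from the post and labelled as such.

```python
"""Michael Wright's two checks, applied to Snort portscan.log lines and alert dumps."""
import re
from collections import defaultdict

# Constructed sample input: the Snort portscan.log excerpt from the post above
# (the poster anonymised his own network as aaa.bbb.ccc).
PORTSCAN_LOG = """\
Jan 22 04:41:38 163.27.5.154:3641 -> aaa.bbb.ccc.2:6129 SYN ******S*
Jan 22 04:41:37 163.27.5.154:3643 -> aaa.bbb.ccc.3:6129 SYN ******S*
Jan 22 04:41:38 163.27.5.154:3653 -> aaa.bbb.ccc.6:6129 SYN ******S*
Jan 22 04:41:36 163.27.5.154:3666 -> aaa.bbb.ccc.9:6129 SYN ******S*
Jan 22 04:41:36 163.27.5.154:3672 -> aaa.bbb.ccc.11:6129 SYN ******S*
Jan 22 04:41:37 163.27.5.154:3771 -> aaa.bbb.ccc.40:6129 SYN ******S*
Jan 22 04:41:37 163.27.5.154:3781 -> aaa.bbb.ccc.43:6129 SYN ******S*
Jan 22 04:41:37 163.27.5.154:3785 -> aaa.bbb.ccc.44:6129 SYN ******S*
Jan 22 04:41:38 163.27.5.154:3787 -> aaa.bbb.ccc.45:6129 SYN ******S*
Jan 22 04:41:39 163.27.5.154:4600 -> aaa.bbb.ccc.201:6129 SYN ******S*
Jan 22 04:41:41 163.27.5.154:4746 -> aaa.bbb.ccc.227:6129 SYN ******S*
"""

# Constructed sample input, abridged from the three alert packet dumps in the
# post: only the IP header line and the TCP line of each packet are kept.
ALERT_LOG = """\
163.27.5.154:4746 -> aaa.bbb.ccc.227:6129 TCP TTL:113 TOS:0x0 ID:40978 IpLen:20 DgmLen:48 DF
******S* Seq: 0x1D184A7 Ack: 0x0 Win: 0xFFFF TcpLen: 28
163.27.5.154:4746 -> aaa.bbb.ccc.227:6129 TCP TTL:113 TOS:0x0 ID:41276 IpLen:20 DgmLen:48 DF
******S* Seq: 0x1D184A7 Ack: 0x0 Win: 0xFFFF TcpLen: 28
163.27.5.154:4746 -> aaa.bbb.ccc.227:6129 TCP TTL:113 TOS:0x0 ID:41579 IpLen:20 DgmLen:48 DF
******S* Seq: 0x1D184A7 Ack: 0x0 Win: 0xFFFF TcpLen: 28
"""

PORTSCAN_RE = re.compile(
    r"^\w{3} +\d+ [\d:]+ (?P<src>[\w.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\w.]+):(?P<dport>\d+) \S+ (?P<flags>\S+)$")
ALERT_IP_RE = re.compile(
    r"^(?P<src>[\w.]+):(?P<sport>\d+) -> (?P<dst>[\w.]+):(?P<dport>\d+) TCP "
    r"TTL:(?P<ttl>\d+) TOS:0x[0-9A-Fa-f]+ ID:(?P<ipid>\d+)")
# Snort prints the TCP flag byte as eight characters drawn from 1 2 U A P R S F and *.
ALERT_TCP_RE = re.compile(r"^(?P<flags>[*12UAPRSF]{8}) +Seq: 0x(?P<seq>[0-9A-Fa-f]+)")


def _rec(m):
    """Match groups as a dict, with the numeric fields converted to int."""
    return {k: int(v) if k in ("sport", "dport", "ttl", "ipid") else v
            for k, v in m.groupdict().items()}


def parse_portscan(text):
    """One dict per portscan.log line: src, sport, dst, dport, flags."""
    return [_rec(m) for m in (PORTSCAN_RE.match(l.strip()) for l in text.splitlines()) if m]


def parse_alerts(text):
    """One dict per packet dump: IP header fields plus TCP flags and sequence number."""
    recs, cur = [], None
    for line in text.splitlines():
        m = ALERT_IP_RE.match(line.strip())
        if m:  # start of a packet: remember the address/port/IP-ID fields
            cur = _rec(m)
            continue
        m = ALERT_TCP_RE.match(line.strip())
        if m and cur is not None:  # its TCP line: complete the record
            cur["flags"], cur["seq"] = m["flags"], int(m["seq"], 16)
            recs.append(cur)
            cur = None
    return recs


def _last_octet(addr):
    tail = addr.rsplit(".", 1)[-1]
    return int(tail) if tail.isdigit() else -1


def source_port_profile(recs):
    """Per scanning host: target count, distinct source ports, whether the port is
    fixed, and whether it climbs with the target address (one fresh ephemeral
    port per probe climbs; one reused socket stays fixed)."""
    by_src = defaultdict(list)
    for r in recs:
        by_src[r["src"]].append(r)
    out = {}
    for src, rs in by_src.items():
        sports = {r["sport"] for r in rs}
        ordered = sorted(rs, key=lambda r: _last_octet(r["dst"]))
        out[src] = {
            "targets": len({(r["dst"], r["dport"]) for r in rs}),
            "distinct_sports": len(sports),
            "static_sport": len(sports) == 1,
            "sport_climbs_with_target": all(
                a["sport"] < b["sport"] for a, b in zip(ordered, ordered[1:])),
        }
    return out


def repeat_profile(alerts):
    """Group packet dumps by 4-tuple: is the TCP sequence number identical across the
    repeats? The IP ID is counted too; it normally differs per packet even when the
    SYN itself is resent unchanged."""
    groups = defaultdict(list)
    for a in alerts:
        groups[(a["src"], a["sport"], a["dst"], a["dport"])].append(a)
    return {k: {"packets": len(v),
                "same_seq": len({a["seq"] for a in v}) == 1,
                "distinct_ipid": len({a["ipid"] for a in v})}
            for k, v in groups.items()}


if __name__ == "__main__":
    print(source_port_profile(parse_portscan(PORTSCAN_LOG)))
    print(repeat_profile(parse_alerts(ALERT_LOG)))
```

On the data quoted in the post, the first profile reports eleven targets, eleven distinct source ports, `static_sport` false, and a source port that rises with the target's last octet (3641 for .2 up to 4746 for .227); the second reports three packets on the 4746 -> 6129 4-tuple with one sequence number (0x1D184A7) and three distinct IP IDs (40978, 41276, 41579). The IP ID check is included because a resent SYN with an unchanged sequence number still gets a fresh IP ID from the sending stack, so counting both separates "the same segment sent again" from a capture that was simply duplicated.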
Current thread:
- Increase in TCP 6129 (Dameware) scans? Kevin Patz (Jan 22)
- RE: Increase in TCP 6129 (Dameware) scans? Lawrence Baldwin (Jan 22)
- Re: Increase in TCP 6129 (Dameware) scans? Brian Collins (Jan 22)
- Re: Increase in TCP 6129 (Dameware) scans? Jordan Wiens (Jan 22)
- <Possible follow-ups>
- RE: Increase in TCP 6129 (Dameware) scans? Michael Wright (Jan 22)
- RE: Increase in TCP 6129 (Dameware) scans? Kevin Patz (Jan 22)
- Re: Increase in TCP 6129 (Dameware) scans? Neil Dickey (Jan 22)
- RE: Increase in TCP 6129 (Dameware) scans? Train25 (Jan 23)
- RE: Increase in TCP 6129 (Dameware) scans? Michael Wright (Jan 22)
- RE: Increase in TCP 6129 (Dameware) scans? Neil Dickey (Jan 23)