Security Incidents mailing list archives
Dameware intrusion (was Increase in TCP 6129 (Dameware) scans?)
From: allan.vanleeuwen () orangemail nl
Date: Fri, 23 Jan 2004 17:21:52 +0100
Hi there ....

If dameware is not something you normally use ... And it is the hackers' point of entry ... Then how did dameware ever get installed?

My guess is the boxes already got hacked in the past through some other exploit (most likely a simple admin password and port 139/445 open). Newbie hackers use dameware mini remote control in order to do their installs. (For the not so knowledgeable, remote control is easier than writing an installation script.)

Either that ... Or someone on your internal network has been using dameware without your knowledge ... (he would need an admin password in order to install the service on each box.)

You could check the DWRCS.INI to see if it was installed 'hidden' from the user... That might tell you if the usage of dameware was a 'legit' purpose ...

-----Original Message-----
From: Train25 [mailto:sreddick () ns sympatico ca]
Sent: Friday 23 January 2004 0:32
To: incidents () securityfocus com
Subject: RE: Increase in TCP 6129 (Dameware) scans?

We have seen an increase on our local network as well over the past 2 days. We had to ghost approx 80-85 pcs. We have found DWRCS.EXE, DWRCK.DLL, DWRCS.INI, DWRCSET.DLL, DWRCShell.dll (dameware server files, which is not an app we have used) as well as Serv-U.cnt, start.bat (started the serv-u ftp), ServUDaemon.ini, and firedeamon.exe, all located in the system32 folder on ALL machines.

We can confirm there is an exploit out in the wild for Dameware. (http://www.security-corporation.com/download/exploit/DameWeird.c)

We currently set up 3 pcs with honeypots in order to trap and further investigate. But as we have seen, they are connecting to port 6129 and a reverse shell is binding to a dictated port on the attacker's pc. From there we are seeing the attacker use ftp.exe to connect to a specified ftp and upload files to our network pcs. Then they reconnect and run the start.bat file, which is automatically installing the ftp service and disabling the dameware service which was running.
Sorry for the rambling but I thought I would update everyone on our initial investigation.
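The sequence Train25 describes (an inbound connection to TCP 6129, then the victim connecting back out to the same remote host for the reverse shell and the ftp.exe upload) can be picked out of connection logs. The following is an added detection example, not code from either poster; the flow records, IP addresses, ports and the 300-second window are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

DAMEWARE_PORT = 6129   # port the thread reports being scanned and connected to
WINDOW_SECONDS = 300   # assumed: how soon after the 6129 hit a callback must occur

@dataclass
class Flow:
    ts: int      # epoch seconds (constructed sample values below)
    src: str
    sport: int
    dst: str
    dport: int

Hit = Tuple[str, str, int, int, int]  # (victim, remote, inbound_ts, outbound_ts, outbound_port)

def find_dameware_followups(flows: List[Flow], window: int = WINDOW_SECONDS) -> List[Hit]:
    """Flag each inbound 6129 connection that is followed, within `window` seconds,
    by an outbound connection from the same victim back to the same remote host.
    A lone 6129 connection (a scan) is not reported; the callback is the signal."""
    inbound = [f for f in flows if f.dport == DAMEWARE_PORT]
    hits: List[Hit] = []
    for i in inbound:
        for f in flows:
            if (f.src == i.dst and f.dst == i.src
                    and f.dport != DAMEWARE_PORT
                    and i.ts <= f.ts <= i.ts + window):
                hits.append((i.dst, i.src, i.ts, f.ts, f.dport))
    return sorted(hits)

def callback_ports_by_victim(hits: List[Hit]) -> Dict[str, Set[int]]:
    """Group the flagged callbacks per victim so a responder sees which hosts
    called out and on which ports (e.g. the dictated shell port, then ftp/21)."""
    out: Dict[str, Set[int]] = {}
    for victim, _remote, _its, _ots, port in hits:
        out.setdefault(victim, set()).add(port)
    return out

# Constructed sample flows (not real traffic): one host shows the full chain,
# a second host is only scanned and calls out far too late to count.
SAMPLE_FLOWS = [
    Flow(1000, "203.0.113.5", 4411, "192.0.2.10", DAMEWARE_PORT),  # inbound to Dameware
    Flow(1030, "192.0.2.10", 1045, "203.0.113.5", 4444),           # victim calls back (shell)
    Flow(1090, "192.0.2.10", 1046, "203.0.113.5", 21),             # ftp.exe to the attacker's ftp
    Flow(1100, "203.0.113.9", 5000, "192.0.2.11", DAMEWARE_PORT),  # scan only
    Flow(9000, "192.0.2.11", 1050, "203.0.113.9", 80),             # outside the window, ignored
]

if __name__ == "__main__":
    for victim, ports in callback_ports_by_victim(find_dameware_followups(SAMPLE_FLOWS)).items():
        print(f"{victim}: called back on ports {sorted(ports)}")
```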
Current thread:
- Dameware intrusion (was Increase in TCP 6129 (Dameware) scans?) allan . vanleeuwen (Jan 23)
- RE: Dameware intrusion (was Increase in TCP 6129 (Dameware) scans?) Train25 (Jan 26)