Security Incidents mailing list archives

Dameware intrusion (was Increase in TCP 6129 (Dameware) scans?)


From: allan.vanleeuwen () orangemail nl
Date: Fri, 23 Jan 2004 17:21:52 +0100

Hi there ....

If DameWare is not something you normally use ... and it is the hacker's point
of entry ...
then how did DameWare ever get installed?
My guess is the boxes already got hacked in the past through some other
exploit (most likely a simple admin password and port 139/445 open).
Newbie hackers use DameWare Mini Remote Control in order to do their
installs (for the not so knowledgeable, remote control is easier than
writing an installation script). Either that ... or someone on your internal
network has been using DameWare without your knowledge ... (he would need
an admin password in order to install the service on each box).
You could check the DWRCS.INI to see if it was installed 'hidden' from the
user ... That might tell you if the usage of DameWare was for a 'legit' purpose
...

-----Original Message-----
From: Train25 [mailto:sreddick () ns sympatico ca] 
Sent: Friday 23 January 2004 0:32
To: incidents () securityfocus com
Subject: RE: Increase in TCP 6129 (Dameware) scans?


We have seen an increase on our local network as well over the past 2
days. We had to ghost approx. 80-85 PCs. We have found DWRCS.EXE,
DWRCK.DLL, DWRCS.INI, DWRCSET.DLL, DWRCShell.dll (DameWare server files;
not an app we have used) as well as Serv-U.cnt, start.bat (starts
the Serv-U FTP), ServUDaemon.ini, and firedeamon.exe, all located in the
system32 folder on ALL machines. We can confirm there is an exploit out in
the wild for DameWare.
(http://www.security-corporation.com/download/exploit/DameWeird.c) We
currently have 3 PCs set up as honeypots in order to trap and further
investigate. But as we have seen, they are connecting to port 6129 and a
reverse shell is binding to a dictated port on the attacker's PC. From there
we are seeing the attacker use ftp.exe to connect to a specified FTP and
upload files to our network PCs. Then they reconnect and run the start.bat
file, which automatically installs the FTP service and disables the
DameWare service which was running.

Sorry for the rambling, but I thought I would update everyone on our initial
investigation.
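
[Added example, not part of either message above.] The two posts together give a concrete indicator set: the DameWare server files and the Serv-U/FireDaemon drop in system32, a listener on TCP 6129, and an outbound FTP session from the victim. The script below is a constructed triage check that scans a system32 directory listing and a Windows `netstat -an` dump for exactly those indicators and returns a verdict per host. The sample listing and netstat output are constructed, the IP addresses are documentation ranges, and the `dameware_sanctioned` flag is an assumption that models the "is DameWare something you normally use?" question from the reply; none of this is code from the posters.

```python
import re
from dataclasses import dataclass, field
from typing import List

# File names reported in the thread as found in system32 on the compromised
# hosts: the DameWare server set and the Serv-U FTP drop. Matched
# case-insensitively because Windows file names are case-insensitive.
DAMEWARE_FILES = {"dwrcs.exe", "dwrck.dll", "dwrcs.ini", "dwrcset.dll", "dwrcshell.dll"}
SERVU_FILES = {"serv-u.cnt", "start.bat", "servudaemon.ini", "firedeamon.exe"}
DAMEWARE_PORT = 6129
FTP_PORT = 21

# One TCP line of Windows `netstat -an` output, e.g.
#   TCP    0.0.0.0:6129           0.0.0.0:0              LISTENING
NETSTAT_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\w+)", re.I)


@dataclass
class Finding:
    host: str
    dameware_files: List[str] = field(default_factory=list)
    servu_files: List[str] = field(default_factory=list)
    listening_6129: bool = False
    ftp_peers: List[str] = field(default_factory=list)


def triage(host: str, system32_listing: str, netstat_output: str) -> Finding:
    """Collect the thread's indicators for one host.

    system32_listing: one file name per line (e.g. `dir /b %SystemRoot%\\system32`).
    netstat_output:   raw `netstat -an` text from the same host.
    """
    finding = Finding(host)
    for name in (n.strip() for n in system32_listing.splitlines()):
        low = name.lower()
        if low in DAMEWARE_FILES:
            finding.dameware_files.append(name)
        elif low in SERVU_FILES:
            finding.servu_files.append(name)
    for line in netstat_output.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue  # header lines and UDP entries are ignored
        _laddr, lport, raddr, rport, state = m.groups()
        if int(lport) == DAMEWARE_PORT and state.upper() == "LISTENING":
            finding.listening_6129 = True
        if int(rport) == FTP_PORT and state.upper() == "ESTABLISHED":
            # Outbound FTP from a workstation is the file-upload step described.
            finding.ftp_peers.append(f"{raddr}:{rport}")
    return finding


def verdict(finding: Finding, dameware_sanctioned: bool = False) -> str:
    """'compromised' when an unsanctioned DameWare server sits next to the Serv-U
    drop; 'suspicious' for a partial hit; otherwise 'clean'.

    dameware_sanctioned is an assumed flag: set it True on sites where DameWare
    is legitimately deployed, so only the Serv-U/FTP indicators count.
    Note the listener check alone is not enough: start.bat disables the
    DameWare service once the FTP drop is in place, so files matter more.
    """
    dameware_hit = bool(finding.dameware_files) or finding.listening_6129
    if not dameware_sanctioned and dameware_hit and finding.servu_files:
        return "compromised"
    if not dameware_sanctioned and dameware_hit:
        return "suspicious"
    if finding.servu_files or finding.ftp_peers:
        return "suspicious"
    return "clean"


# Constructed sample input (not captured from the thread's network).
INFECTED_LISTING = """\
DWRCS.EXE
DWRCK.DLL
DWRCS.INI
DWRCSET.DLL
DWRCShell.dll
Serv-U.cnt
start.bat
ServUDaemon.ini
firedeamon.exe
kernel32.dll
"""
INFECTED_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6129           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1047        198.51.100.7:21        ESTABLISHED
"""
CLEAN_LISTING = "kernel32.dll\nntdll.dll\n"
CLEAN_NETSTAT = "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING\n"

if __name__ == "__main__":
    for host, listing, ns in (("ws01", INFECTED_LISTING, INFECTED_NETSTAT),
                              ("ws02", CLEAN_LISTING, CLEAN_NETSTAT)):
        f = triage(host, listing, ns)
        print(host, verdict(f), f)
```

On a real fleet you would feed `triage` the output of `dir /b %SystemRoot%\system32` and `netstat -an` collected from each box (or the equivalent from a ghosted image), and treat any "suspicious" host as one to image rather than clean, since the FTP service is already in place by the time the 6129 listener goes away.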

