Security Incidents mailing list archives
Re: Dameware scans, worm?
From: "Russell J. Lahti" <russell () 911 net>
Date: Fri, 23 Jan 2004 12:35:18 -0500
Ben Nelson wrote:
> Keith T. Morgan wrote:
>> The interesting part about the scans is that they almost universally have a source port of 220, which to me indicates either worm activity or a canned scanner/exploit combo with a hard-coded source-port.
>
> Yes. I'm also seeing a large increase in tcp/6129 scans. All of the scans I am seeing also have a source port of 220, as you said. Scans are across multiple geographically dispersed class C's. The scans started mid-day yesterday for me.
After looking through our logs, here's an exact time frame for these scans against our networks:

December 14th: Dameware Pre-Authentication Buffer Overflow posted on BugTraq.
December 19th: Dameware exploit posted on BugTraq.
December 21st: Beginning of wide-spread scanning for port 6129 on our networks.
January 10th: 2nd Dameware exploit posted on BugTraq.
January 16th: Start of scans originating from port 220.

Kind regards,
-Russell Lahti
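As an added example that is not part of the original post: one way to check your own firewall logs for the pattern discussed in this thread, tcp/6129 probes with a fixed source port of 220, and to find the first day it appears. The iptables-LOG-style format, the sample lines and the function names are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the post); addresses are documentation ranges.
SAMPLE_LOG = """\
Dec 21 14:02:11 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=3412 DPT=6129 SYN
Dec 21 14:02:12 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.11 PROTO=TCP SPT=3413 DPT=6129 SYN
Jan 16 09:30:45 fw kernel: IN=eth0 SRC=203.0.113.20 DST=192.0.2.10 PROTO=TCP SPT=220 DPT=6129 SYN
Jan 16 09:30:45 fw kernel: IN=eth0 SRC=203.0.113.20 DST=192.0.2.11 PROTO=TCP SPT=220 DPT=6129 SYN
Jan 16 11:05:02 fw kernel: IN=eth0 SRC=203.0.113.99 DST=192.0.2.10 PROTO=TCP SPT=220 DPT=6129 SYN
Jan 16 11:06:40 fw kernel: IN=eth0 SRC=198.51.100.50 DST=192.0.2.10 PROTO=TCP SPT=220 DPT=25 SYN
Jan 16 11:07:00 fw kernel: IN=eth0 SRC=198.51.100.51 DST=192.0.2.10 PROTO=UDP SPT=220 DPT=6129
"""

# Assumed log layout: "<Mon> <day> <time> ... SRC= DST= PROTO= SPT= DPT="
LINE_RE = re.compile(
    r"^(?P<day>\w{3}\s+\d+) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?"
    r"PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)")


def summarize(lines, dport=6129, fixed_sport=220):
    """Per day: distinct sources probing tcp/dport, split by source-port behaviour."""
    days = defaultdict(lambda: {"fixed": set(), "other": set()})
    for line in lines:
        m = LINE_RE.match(line)
        # Ignore unparsable lines, non-TCP traffic and other destination ports.
        if not m or m["proto"] != "TCP" or int(m["dpt"]) != dport:
            continue
        bucket = "fixed" if int(m["spt"]) == fixed_sport else "other"
        days[m["day"]][bucket].add(m["src"])
    return {d: {k: sorted(v) for k, v in b.items()} for d, b in days.items()}


def first_fixed_day(summary):
    """First day (in log order) on which any source used the fixed source port."""
    for day, buckets in summary.items():
        if buckets["fixed"]:
            return day
    return None


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG.splitlines())
    for day, b in summary.items():
        print(day, "source-port-220 scanners:", b["fixed"], "others:", b["other"])
    print("first day with source port 220:", first_fixed_day(summary))
```

Several unrelated sources sharing one source port on the same day is the signal raised in the thread; ordinary clients pick ephemeral source ports.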
Current thread:
- Dameware scans, worm? Keith T. Morgan (Jan 22)
- Re: Dameware scans, worm? Charles Hamby (Jan 22)
- Re: Dameware scans, worm? Ben Nelson (Jan 22)
- Re: Dameware scans, worm? Chip Mefford (Jan 23)
- Re: Dameware scans, worm? KeyFocus (Jan 26)
- Re: Dameware scans, worm? Russell J. Lahti (Jan 23)
- Re: Dameware scans, worm? Chip Mefford (Jan 23)
- <Possible follow-ups>
- Re: Dameware scans, worm? Steven M. Christey (Jan 26)