Security Incidents mailing list archives

Re: Dameware scans, worm?


From: "Russell J. Lahti" <russell () 911 net>
Date: Fri, 23 Jan 2004 12:35:18 -0500

Ben Nelson wrote:

Keith T. Morgan wrote:
The interesting part about the scans is that they almost universally
have a source port of 220, which to me indicates either worm activity or
a canned scanner/exploit combo with a hard-coded source-port.

Yes. I'm also seeing a large increase in tcp/6129 scans. All of the scans I am seeing also have a source port of 220, as you said. Scans are across multiple geographically dispersed class C's. The scans started mid-day yesterday for me.

After looking through our logs, here's an exact
time frame for these scans against our networks:

December 14th: Dameware Pre-Authentication
               Buffer Overflow posted on BugTraq.

December 19th: Dameware exploit posted on BugTraq.

December 21st: Beginning of wide-spread scanning for
               port 6129 on our networks.

January  10th: 2nd Dameware exploit posted on BugTraq.

January  16th: Start of scans originating from port 220.


Kind regards,

-Russell Lahti
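The scan signature described in this thread (TCP SYNs to port 6129, the DameWare Mini Remote Control port, arriving with a fixed source port of 220 and sweeping several class C networks) is simple enough to flag mechanically. The following Python script is an added example, not code from the original post or from any of the list members; it assumes Linux netfilter/iptables-style syslog lines with SRC=/DST=/PROTO=/SPT=/DPT= fields, and the sample lines it runs over are constructed for illustration. It separates generic port-6129 probes from the source-port-220 pattern, counts hits per source, and counts how many distinct /24s each source touched, which is the "multiple geographically dispersed class C's" observation from the thread turned into a number.

```python
import re
from collections import Counter, defaultdict

# Constructed sample firewall log lines (netfilter/iptables syslog style).
# These are NOT from the original post; addresses are documentation ranges.
SAMPLE_LOG = """\
Jan 22 13:02:11 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.15 PROTO=TCP SPT=220 DPT=6129 SYN
Jan 22 13:02:11 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.16 PROTO=TCP SPT=220 DPT=6129 SYN
Jan 22 13:02:12 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.9 PROTO=TCP SPT=220 DPT=6129 SYN
Jan 22 13:05:40 fw kernel: IN=eth0 OUT= SRC=198.51.100.77 DST=192.0.2.20 PROTO=TCP SPT=41022 DPT=6129 SYN
Jan 22 13:06:02 fw kernel: IN=eth0 OUT= SRC=192.0.2.99 DST=192.0.2.21 PROTO=TCP SPT=220 DPT=80 SYN
Jan 22 13:07:15 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.17 PROTO=UDP SPT=220 DPT=6129
"""

# Values taken from the thread: DameWare listens on tcp/6129, and the
# scanners in question used a hard-coded source port of 220.
DAMEWARE_PORT = 6129
SUSPECT_SPORT = 220

# Equivalent tcpdump/BPF expression for catching the same traffic live.
BPF_FILTER = "tcp and src port 220 and dst port 6129"

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Extract the 5-tuple-ish fields from one netfilter log line, or None."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["spt"] = int(rec["spt"])
    rec["dpt"] = int(rec["dpt"])
    return rec


def classify(rec):
    """Label a record: None if it is not a TCP connection attempt to 6129,
    'dameware-scan-sport220' if it matches the fixed-source-port pattern,
    otherwise 'dameware-probe' for any other TCP/6129 attempt."""
    if rec["proto"] != "TCP" or rec["dpt"] != DAMEWARE_PORT:
        return None
    if rec["spt"] == SUSPECT_SPORT:
        return "dameware-scan-sport220"
    return "dameware-probe"


def class_c(addr):
    """First three octets of a dotted-quad, i.e. its /24."""
    return ".".join(addr.split(".")[:3])


def analyse(log_text):
    """Run the classifier over a log and summarise the sport-220 scanners."""
    hits = []
    per_source = Counter()
    nets_per_source = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify(rec)
        if label is None:
            continue
        hits.append((label, rec["src"], rec["dst"]))
        if label == "dameware-scan-sport220":
            per_source[rec["src"]] += 1
            nets_per_source[rec["src"]].add(class_c(rec["dst"]))
    return {
        "hits": hits,
        "per_source": dict(per_source),
        "class_c_per_source": {s: len(n) for s, n in nets_per_source.items()},
    }


if __name__ == "__main__":
    summary = analyse(SAMPLE_LOG)
    for label, src, dst in summary["hits"]:
        print(f"{label:24} {src:>15} -> {dst}")
    for src, n in summary["per_source"].items():
        print(f"{src}: {n} sport-220 SYNs across "
              f"{summary['class_c_per_source'][src]} class C(s)")
```

The UDP line and the source-port-220 SYN to port 80 are deliberately included so the classifier has to reject them: source port 220 on its own is not the signal, the combination with TCP/6129 is. In practice one would feed real firewall logs through `analyse()` and alert on any source whose `class_c_per_source` count grows past one.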

