Security Incidents mailing list archives
Re: Dameware scans, worm?
From: "KeyFocus" <keyfocus () keyfocus net>
Date: Sun, 25 Jan 2004 19:49:14 -0000
> The interesting part about the scans is that they almost universally have a source port of 220, which to me indicates either worm activity or a canned scanner/exploit combo with a hard-coded source-port.

The number of 6129 scans we have received has increased steadily throughout the week. Only about half our scans come from port 220; the rest seem to be randomly selected.

We put up a simple honeypot on port 6129 that sends out the Dameware server binary banner. In some cases this has been followed by a second connection to 6129, this time trying to send data to initiate a Dameware protocol connection. In most cases the clients scan, but don't come back.

There may be a worm doing this in some cases, but the usual worm behaviour is to just blast away with its exploit straight away and move on to the next IP address. This could be script kiddies scanning the net and then picking a few systems to exploit.

The client IPs seem to be coming from mostly home user accounts. We did a few scans of our visitors and they seem to be running script kiddie type services, e.g. Kazaa (very common), SlimFTPd from www.whitsoftdev.com and VNC.

- Tom
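
Added example, not part of the original post or the poster's tooling: one way to measure the two things the message above reports from a port 6129 banner honeypot, namely the share of connections arriving from source port 220 and which clients come back with a second connection that sends data. The log format, the field name bytes_in, and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log from a hypothetical banner honeypot on TCP 6129.
# Assumed format: timestamp, src=IP:PORT, bytes_in=<bytes the client sent after the banner>
SAMPLE_LOG = """\
2004-01-24T10:02:11 src=192.0.2.10:220 bytes_in=0
2004-01-24T10:05:40 src=198.51.100.7:3412 bytes_in=0
2004-01-24T10:09:02 src=192.0.2.10:1047 bytes_in=40
2004-01-24T11:15:27 src=203.0.113.5:220 bytes_in=0
2004-01-24T11:48:53 src=198.51.100.99:4801 bytes_in=0
malformed line that the parser must skip
"""

LINE_RE = re.compile(r"^(\S+) src=(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5}) bytes_in=(\d+)$")

def parse(log_text):
    """Yield (timestamp, src_ip, src_port, bytes_in) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), int(m.group(3)), int(m.group(4))

def summarize(log_text, fixed_port=220):
    """Classify honeypot clients by source port and by follow-up behaviour."""
    by_ip = defaultdict(list)
    for ts, ip, port, nbytes in parse(log_text):
        by_ip[ip].append((ts, port, nbytes))
    total = sum(len(conns) for conns in by_ip.values())
    from_fixed = sum(1 for conns in by_ip.values() for _, p, _ in conns if p == fixed_port)
    returned, scan_only = [], []
    for ip, conns in sorted(by_ip.items()):
        conns.sort()  # ISO 8601 timestamps sort chronologically as strings
        # "Returned" = a later connection from the same IP that sent protocol data.
        followed_up = any(n > 0 for _, _, n in conns[1:])
        (returned if followed_up else scan_only).append(ip)
    return {
        "connections": total,
        "fixed_port_share": from_fixed / total if total else 0.0,
        "returned": returned,
        "scan_only": scan_only,
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A fixed-port share near 1.0 would fit a single tool with a hard-coded source port; a split closer to one half, as reported in the message, suggests more than one scanner in use.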