Security Incidents mailing list archives

Re: Dameware scans, worm?


From: "KeyFocus" <keyfocus () keyfocus net>
Date: Sun, 25 Jan 2004 19:49:14 -0000

The interesting part about the scans is that they almost universally
have a source port of 220, which to me indicates either worm activity or
a canned scanner/exploit combo with a hard-coded source-port.

The number of 6129 scans we have received has increased steadily throughout
the week.
Only about half our scans come from port 220, the rest seem to be randomly
selected.
We put up a simple honeypot on port 6129 that sends out the Dameware server
binary banner.

In some cases this has been followed by a second connection to 6129, this
time trying to send data to initiate a Dameware protocol connection.
In most cases the clients scan, but don't come back.

There may be a worm doing this in some cases, but the usual worm behaviour
is to just blast away with its exploit straight away and move on to the next
IP address.
This could be script kiddies scanning the net and then picking a few systems
to exploit.

The client IPs seem to be coming from mostly home user accounts.

We did a few scans of our visitors and they seem to be running script kiddie
type services.
e.g. Kazaa (very common), SlimFTPd from www.whitsoftdev.com and VNC.

- Tom
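The observations above (share of probes arriving from source port 220, and which sources come back for a second connection after seeing the banner) are the kind of thing a defender wants to pull out of a firewall or honeypot log automatically. The following is an added example, not code from Tom's post or from the list; it assumes an iptables-style log line format and uses constructed sample entries with documentation-range addresses rather than any real scan data.

```python
import re
from collections import defaultdict

# Constructed sample lines in an iptables-style format (not real captures).
# Three sources probe 6129; two of them return for a second connection.
SAMPLE_LOG = """\
Jan 25 18:02:11 fw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=220 DPT=6129 SYN
Jan 25 18:02:40 fw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=220 DPT=6129 SYN
Jan 25 18:05:03 fw kernel: IN=eth0 SRC=192.0.2.44 DST=203.0.113.5 PROTO=TCP SPT=3271 DPT=6129 SYN
Jan 25 18:07:19 fw kernel: IN=eth0 SRC=192.0.2.91 DST=203.0.113.5 PROTO=TCP SPT=220 DPT=6129 SYN
Jan 25 18:09:55 fw kernel: IN=eth0 SRC=198.51.100.23 DST=203.0.113.5 PROTO=TCP SPT=1088 DPT=80 SYN
Jan 25 18:12:30 fw kernel: IN=eth0 SRC=192.0.2.44 DST=203.0.113.5 PROTO=TCP SPT=3302 DPT=6129 SYN
"""

# Assumed field layout: SRC=<ip> ... PROTO=TCP SPT=<src port> DPT=<dst port>
LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) .*?PROTO=TCP SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return (src_ip, src_port, dst_port) for a TCP log line, else None."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    return m.group("src"), int(m.group("spt")), int(m.group("dpt"))


def analyze(lines, dport=6129, marker_sport=220):
    """Summarise probes against `dport`.

    Reports how many arrived from the fixed source port (a hard-coded
    source port is one hint of a canned tool or worm) and which source
    addresses connected more than once, i.e. came back after the banner.
    """
    total = 0
    from_marker = 0
    per_ip = defaultdict(list)  # src ip -> list of source ports seen
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src, spt, dpt = rec
        if dpt != dport:
            continue
        total += 1
        if spt == marker_sport:
            from_marker += 1
        per_ip[src].append(spt)

    repeat = sorted(ip for ip, ports in per_ip.items() if len(ports) > 1)
    return {
        "total": total,
        "from_marker_port": from_marker,
        "marker_fraction": (from_marker / total) if total else 0.0,
        "unique_sources": len(per_ip),
        "repeat_visitors": repeat,
    }


if __name__ == "__main__":
    summary = analyze(SAMPLE_LOG.splitlines())
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Pointing `analyze()` at a real firewall log (one line per entry) gives the same three numbers Tom reports by hand: volume of 6129 probes, the share from the fixed source port, and the list of sources worth a closer look because they returned after receiving the banner.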