Security Incidents mailing list archives
Dameware scans, worm?
From: "Keith T. Morgan" <keith.morgan () terradon com>
Date: Thu, 22 Jan 2004 10:43:54 -0500
We've seen an increase in scans for dameware (tcp 6129) over the past four days. I believe there was an exploit released for dameware, but I'm unaware of it's behavior. A colleague first noticed these across multiple class C networks scanning consecutive IPs, and we have been seeing the same type of activity. The interesting part about the scans is that they almost universally have a source port of 220, which to me indicates either worm activity or a canned scanner/exploit combo with a hard-coded source-port. Anyone else seeing an increase in these? ************************************************************************************************** The contents of this email and any attachments are confidential. It is intended for the named recipient(s) only. If you have received this email in error please notify the system manager or the sender immediately and do not disclose the contents to anyone or make copies. ** this message has been scanned for viruses, vandals and malicious content ** ************************************************************************************************** --------------------------------------------------------------------------- ----------------------------------------------------------------------------
Current thread:
- Dameware scans, worm? Keith T. Morgan (Jan 22)
- Re: Dameware scans, worm? Charles Hamby (Jan 22)
- Re: Dameware scans, worm? Ben Nelson (Jan 22)
- Re: Dameware scans, worm? Chip Mefford (Jan 23)
- Re: Dameware scans, worm? KeyFocus (Jan 26)
- Re: Dameware scans, worm? Russell J. Lahti (Jan 23)
- Re: Dameware scans, worm? Chip Mefford (Jan 23)
- <Possible follow-ups>
- Re: Dameware scans, worm? Steven M. Christey (Jan 26)