Security Incidents mailing list archives
Re: Dameware scans, worm?
From: Charles Hamby <fixer () gci net>
Date: Thu, 22 Jan 2004 07:52:37 -0900
We've also seen a huge increase in dameware scans, but not all of them have been from source port 220. What we've been seeing is a mix of scans that are 220, some that show up in the 1000 range, and still others that strictly show up only in the 4000 range. For example:

[**] [1:0:0] DameWare Remote Agent Scan. [**]
[Priority: 0]
01/21-09:36:28.664230 12.216.178.193:1415 -> w.x.y.z:6129
TCP TTL:116 TOS:0x0 ID:37387 IpLen:20 DgmLen:48 DF
******S* Seq: 0xBD91B99F  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

and

[**] [1:0:0] DameWare Remote Agent Scan. [**]
[Priority: 0]
01/21-23:30:28.845245 66.102.199.99:220 -> w.x.y.z:6129
TCP TTL:112 TOS:0x0 ID:6447 IpLen:20 DgmLen:40
******S* Seq: 0x5EE5  Ack: 0x5EE5  Win: 0x4000  TcpLen: 20

and

[**] [1:0:0] DameWare Remote Agent Scan. [**]
[Priority: 0]
01/22-00:02:47.429139 61.130.20.178:4727 -> w.x.y.z:6129
TCP TTL:109 TOS:0x0 ID:59562 IpLen:20 DgmLen:48 DF
******S* Seq: 0x111BFE3  Ack: 0x0  Win: 0xFAF0  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
I think, as you suggest, that these may just represent different tools that are being used. I haven't had a chance to look at the original exploit that was released for this vuln to see what sort of signature it gives. Anyone done that?

-cdh

Keith T. Morgan wrote:

We've seen an increase in scans for dameware (tcp 6129) over the past four days. I believe there was an exploit released for dameware, but I'm unaware of its behavior. A colleague first noticed these across multiple class C networks scanning consecutive IPs, and we have been seeing the same type of activity. The interesting part about the scans is that they almost universally have a source port of 220, which to me indicates either worm activity or a canned scanner/exploit combo with a hard-coded source-port. Anyone else seeing an increase in these?
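One way a defender can triage alerts like these, as an added example that is not part of the thread: parse the Snort alert layout quoted above, count how many distinct hosts share each source port (the hard-coded-port pattern Keith describes), and flag the packet-crafting hints visible in the detail lines (no TCP options, no DF bit, Ack equal to Seq). The sample alerts, the field names and the crafted-SYN heuristic are constructed for this example and are not from either poster.

```python
import re
from collections import defaultdict
# Constructed sample alerts in the Snort layout quoted in the thread (documentation
# addresses, not the posters' real hits): a header line, then the IP/TCP detail line.
SAMPLE_ALERTS = """\
[**] [1:0:0] DameWare Remote Agent Scan. [**][Priority: 0] 01/21-09:36:28.664230 203.0.113.9:1415 -> 192.0.2.10:6129
TCP TTL:116 TOS:0x0 ID:37387 IpLen:20 DgmLen:48 DF ******S* Seq: 0xBD91B99F Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
[**] [1:0:0] DameWare Remote Agent Scan. [**][Priority: 0] 01/21-23:30:28.845245 198.51.100.7:220 -> 192.0.2.10:6129
TCP TTL:112 TOS:0x0 ID:6447 IpLen:20 DgmLen:40 ******S* Seq: 0x5EE5 Ack: 0x5EE5 Win: 0x4000 TcpLen: 20
[**] [1:0:0] DameWare Remote Agent Scan. [**][Priority: 0] 01/22-00:02:47.429139 203.0.113.44:4727 -> 192.0.2.10:6129
TCP TTL:109 TOS:0x0 ID:59562 IpLen:20 DgmLen:48 DF ******S* Seq: 0x111BFE3 Ack: 0x0 Win: 0xFAF0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
[**] [1:0:0] DameWare Remote Agent Scan. [**][Priority: 0] 01/22-01:14:02.000001 198.51.100.23:220 -> 192.0.2.11:6129
TCP TTL:113 TOS:0x0 ID:9120 IpLen:20 DgmLen:40 ******S* Seq: 0x2A17 Ack: 0x2A17 Win: 0x4000 TcpLen: 20
"""
HEADER = re.compile(r"\[\*\*\] .* (\S+):(\d+) -> (\S+):(\d+)")
DETAIL = re.compile(r"DgmLen:(\d+)( DF)? \S+ Seq: 0x([0-9A-Fa-f]+) Ack: 0x([0-9A-Fa-f]+) .*TcpLen: (\d+)")

def parse_alerts(text):
    """Pair each alert header with the TCP detail line that follows it."""
    alerts, cur = [], None
    for line in text.splitlines():
        h = HEADER.match(line)
        if h:
            src, sport, dst, dport = h.groups()
            cur = {"src": src, "sport": int(sport), "dst": dst, "dport": int(dport)}
            alerts.append(cur)
            continue
        d = DETAIL.search(line)
        if d and cur is not None:
            dgmlen, df, seq, ack, tcplen = d.groups()
            cur.update(dgmlen=int(dgmlen), df=df is not None, seq=int(seq, 16),
                       ack=int(ack, 16), tcplen=int(tcplen))
    return alerts

def crafted_indicators(a):
    """Heuristic assumed here: hand-built SYNs show no TCP options, no DF, Ack == Seq."""
    checks = (("no-options", a["tcplen"] == 20), ("no-df", not a["df"]),
              ("ack-equals-seq", a["ack"] == a["seq"] != 0))
    return [name for name, hit in checks if hit]

def source_port_reuse(alerts, dport=6129):
    """Distinct scanning hosts per source port; a port shared by many hosts suggests
    a hard-coded port (tool or worm), while ephemeral ports appear once each."""
    hosts = defaultdict(set)
    for a in alerts:
        if a["dport"] == dport:
            hosts[a["sport"]].add(a["src"])
    return {port: len(h) for port, h in hosts.items()}
```

Run over a full alert file, a source port whose host count keeps climbing is the one to write a rule or block around, while the ephemeral-port hits with full option sets are more likely ordinary scanners.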