Security Incidents mailing list archives

Re: Dameware scans, worm?


From: Charles Hamby <fixer () gci net>
Date: Thu, 22 Jan 2004 07:52:37 -0900

We've also seen a huge increase in DameWare scans, but not all of them have been from source port 220. What we've been seeing is a mix: some scans come from 220, some show up in the 1000 range, and still others show up only in the 4000 range. For example:

[**] [1:0:0] DameWare Remote Agent Scan. [**]
[Priority: 0] 01/21-09:36:28.664230 12.216.178.193:1415 -> w.x.y.z:6129
TCP TTL:116 TOS:0x0 ID:37387 IpLen:20 DgmLen:48 DF
******S* Seq: 0xBD91B99F  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

and

[**] [1:0:0] DameWare Remote Agent Scan. [**]
[Priority: 0] 01/21-23:30:28.845245 66.102.199.99:220 -> w.x.y.z:6129
TCP TTL:112 TOS:0x0 ID:6447 IpLen:20 DgmLen:40
******S* Seq: 0x5EE5  Ack: 0x5EE5  Win: 0x4000  TcpLen: 20

and

[**] [1:0:0] DameWare Remote Agent Scan. [**]
[Priority: 0] 01/22-00:02:47.429139 61.130.20.178:4727 -> w.x.y.z:6129
TCP TTL:109 TOS:0x0 ID:59562 IpLen:20 DgmLen:48 DF
******S* Seq: 0x111BFE3  Ack: 0x0  Win: 0xFAF0  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

I think, as you suggest, that these may just represent different tools that are being used. I haven't had a chance to look at the original exploit that was released for this vuln to see what sort of signature it gives. Anyone done that?

-cdh


Keith T. Morgan wrote:

We've seen an increase in scans for dameware (tcp 6129) over the past
four days.  I believe there was an exploit released for dameware, but
I'm unaware of its behavior.  A colleague first noticed these across
multiple class C networks scanning consecutive IPs, and we have been
seeing the same type of activity.

The interesting part about the scans is that they almost universally
have a source port of 220, which to me indicates either worm activity or
a canned scanner/exploit combo with a hard-coded source-port.

Anyone else seeing an increase in these?
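As an added example (not code from either poster), here is a small Python script that parses Snort full-format alert records like the ones quoted above and applies the two checks this thread turns on: whether a SYN looks hand-built rather than produced by an OS stack (nonzero Ack field on a SYN, no MSS option, privileged source port), and whether one source port recurs across many different source hosts, which is the hard-coded source port pattern Keith describes. The sample input is constructed: the three alerts from the thread plus two invented port-220 SYNs from the 192.0.2.0/24 documentation range so that the reuse check has something to find. The packet-shape clustering and the min_sources threshold of two are my assumptions, not anything the thread states.

```python
import re
from collections import defaultdict

# Constructed sample input: the three alerts quoted in the thread (destination
# anonymised as w.x.y.z, as posted) plus two invented source-port-220 SYNs from
# 192.0.2.0/24 (reserved for documentation) so the reuse check has hits.
SAMPLE_ALERTS = """\
[**] [1:0:0] DameWare Remote Agent Scan. [**]
[Priority: 0] 01/21-09:36:28.664230 12.216.178.193:1415 -> w.x.y.z:6129
TCP TTL:116 TOS:0x0 ID:37387 IpLen:20 DgmLen:48 DF
******S* Seq: 0xBD91B99F  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] DameWare Remote Agent Scan. [**]
[Priority: 0] 01/21-23:30:28.845245 66.102.199.99:220 -> w.x.y.z:6129
TCP TTL:112 TOS:0x0 ID:6447 IpLen:20 DgmLen:40
******S* Seq: 0x5EE5  Ack: 0x5EE5  Win: 0x4000  TcpLen: 20

[**] [1:0:0] DameWare Remote Agent Scan. [**]
[Priority: 0] 01/22-00:02:47.429139 61.130.20.178:4727 -> w.x.y.z:6129
TCP TTL:109 TOS:0x0 ID:59562 IpLen:20 DgmLen:48 DF
******S* Seq: 0x111BFE3  Ack: 0x0  Win: 0xFAF0  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] DameWare Remote Agent Scan. [**]
[Priority: 0] 01/22-00:10:03.000001 192.0.2.10:220 -> w.x.y.z:6129
TCP TTL:113 TOS:0x0 ID:1 IpLen:20 DgmLen:40
******S* Seq: 0x1A2B  Ack: 0x1A2B  Win: 0x4000  TcpLen: 20

[**] [1:0:0] DameWare Remote Agent Scan. [**]
[Priority: 0] 01/22-00:11:44.000002 192.0.2.77:220 -> w.x.y.z:6129
TCP TTL:110 TOS:0x0 ID:2 IpLen:20 DgmLen:40
******S* Seq: 0x3C4D  Ack: 0x3C4D  Win: 0x4000  TcpLen: 20
"""

HEADER_RE = re.compile(r"\[\*\*\] \[(?P<sid>\d+:\d+:\d+)\] (?P<msg>.+?) \[\*\*\]")
PKT_RE = re.compile(r"(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)")
IP_RE = re.compile(r"TCP TTL:(?P<ttl>\d+) TOS:\S+ ID:(?P<ipid>\d+) IpLen:\d+ DgmLen:(?P<dgmlen>\d+)(?P<df> DF)?")
TCP_RE = re.compile(r"^(?P<flags>[A-Z12*]{8}) Seq: (?P<seq>0x[0-9A-Fa-f]+)\s+Ack: (?P<ack>0x[0-9A-Fa-f]+)\s+Win: (?P<win>0x[0-9A-Fa-f]+)\s+TcpLen: (?P<tcplen>\d+)")
OPT_RE = re.compile(r"TCP Options \(\d+\) => (?P<opts>.+)")


def parse_alerts(text):
    """Parse Snort full-format alert records into dicts; blocks missing key lines are skipped."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            for rx in (HEADER_RE, PKT_RE, IP_RE, TCP_RE, OPT_RE):
                m = rx.search(line)
                if m:
                    rec.update(m.groupdict())
                    break
        if not all(k in rec for k in ("sport", "ttl", "flags")):
            continue
        for k in ("sport", "dport", "ttl", "dgmlen", "tcplen"):
            rec[k] = int(rec[k])
        for k in ("seq", "ack", "win"):
            rec[k] = int(rec[k], 16)
        rec["df"] = bool(rec.get("df"))
        rec["options"] = rec.pop("opts", None) or ""
        records.append(rec)
    return records


def crafted_indicators(rec):
    """Reasons a bare SYN looks hand-built rather than produced by an OS stack."""
    if rec["flags"] != "******S*":
        return []
    hints = []
    if rec["ack"] != 0:  # a stack leaves the Ack field zero when the ACK flag is clear
        hints.append("nonzero Ack 0x%X on a SYN" % rec["ack"])
    if not rec["options"]:  # real stacks advertise at least an MSS on a SYN
        hints.append("no TCP options (no MSS) on a SYN")
    if rec["sport"] < 1024:  # ephemeral ports live above 1023
        hints.append("privileged source port %d" % rec["sport"])
    return hints


def fixed_source_ports(records, dport=6129, min_sources=2):
    """Source ports reused by at least min_sources distinct hosts against dport.
    Ephemeral ports collide rarely; a hard-coded one never varies.
    min_sources=2 is an assumed threshold; tune it to your alert volume."""
    by_port = defaultdict(set)
    for r in records:
        if r["dport"] == dport:
            by_port[r["sport"]].add(r["src"])
    return sorted(p for p, srcs in by_port.items() if len(srcs) >= min_sources)


def tool_clusters(records):
    """Group alerts by packet shape; one shape from many sources suggests one tool."""
    clusters = defaultdict(list)
    for r in records:
        key = (r["win"], r["dgmlen"], r["options"], r["df"], r["ack"] != 0)
        clusters[key].append(r["src"])
    return dict(clusters)


if __name__ == "__main__":
    recs = parse_alerts(SAMPLE_ALERTS)
    for r in recs:
        print(r["src"], r["sport"], crafted_indicators(r))
    print("reused source ports:", fixed_source_ports(recs))
    for key, srcs in tool_clusters(recs).items():
        print(key, srcs)
```

Run against a real alert file instead of the embedded sample by passing its contents to parse_alerts. On the sample, the two alerts from ephemeral ports (1415 and 4727) carry MSS and a zero Ack and raise no indicators, while the port-220 alerts trip all three checks and collapse into a single packet-shape cluster, which is the behaviour of a canned scanner rather than three separate stacks.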
