Security Incidents mailing list archives
RE: Increase in TCP 6129 (Dameware) scans?
From: "Lawrence Baldwin" <baldwinL () mynetwatchman com>
Date: Thu, 22 Jan 2004 12:15:14 -0500
One of our security notices made its way to an infected user who ran our forensic tool (SecCheck), which uncovered:

PID 4504 194.xx.yy.zzz:3361 63.89.60.1:6129 SYN_SENT c:\recycler\s-1-5-21-11769710-83952115-85424539-1000\dc5\homer\tmp\winlogon.exe
PID 4504 194.xx.yy.zzz:3362 63.89.60.2:6129 SYN_SENT c:\recycler\s-1-5-21-11769710-83952115-85424539-1000\dc5\homer\tmp\winlogon.exe
PID 4504 194.xx.yy.zzz:3363 63.89.60.3:6129 SYN_SENT c:\recycler\s-1-5-21-11769710-83952115-85424539-1000\dc5\homer\tmp\winlogon.exe
PID 4504 194.xx.yy.zzz:3364 63.89.60.4:6129 SYN_SENT c:\recycler\s-1-5-21-11769710-83952115-85424539-1000\dc5\homer\tmp\winlogon.exe
PID 4504 194.xx.yy.zzz:3365 63.89.60.5:6129 SYN_SENT c:\recycler\s-1-5-21-11769710-83952115-85424539-1000\dc5\homer\tmp\winlogon.exe
PID 4504 194.xx.yy.zzz:3366 63.89.60.6:6129 SYN_SENT c:\recycler\s-1-5-21-11769710-83952115-85424539-1000\dc5\homer\tmp\winlogon.exe
PID 4504 194.xx.yy.zzz:3367 63.89.60.7:6129 SYN_SENT c:\recycler\s-1-5-21-11769710-83952115-85424539-1000\dc5\homer\tmp\winlogon.exe
PID 4504 194.xx.yy.zzz:3368 63.89.60.8:6129 SYN_SENT c:\recycler\s-1-5-21-11769710-83952115-85424539-1000\dc5\homer\tmp\winlogon.exe
PID 4504 194.xx.yy.zzz:3369 63.89.60.9:6129 SYN_SENT c:\recycler\s-1-5-21-11769710-83952115-85424539-1000\dc5\homer\tmp\winlogon.exe
PID 4504 194.xx.yy.zzz:3370 63.89.60.10:6129 SYN_SENT c:\recycler\s-1-5-21-11769710-83952115-85424539-1000\dc5\homer\tmp\winlogon.exe
PID 4504 194.xx.yy.zzz:3371 63.89.60.11:6129 SYN_SENT c:\recycler\s-1-5-21-11769710-83952115-85424539-1000\dc5\homer\tmp\winlogon.exe
PID 4504 194.xx.yy.zzz:3372 63.89.60.12:6129 SYN_SENT c:\recycler\s-1-5-21-11769710-83952115-85424539-1000\dc5\homer\tmp\winlogon.exe
PID 4504 194.xx.yy.zzz:3373 63.89.60.13:6129 SYN_SENT c:\recycler\s-1-5-21-11769710-83952115-85424539-1000\dc5\homer\tmp\winlogon.exe
PID 4504 194.xx.yy.zzz:3374 63.89.60.14:6129 SYN_SENT c:\recycler\s-1-5-21-11769710-83952115-85424539-1000\dc5\homer\tmp\winlogon.exe
PID 4504 194.xx.yy.zzz:3375 63.89.60.15:6129 SYN_SENT c:\recycler\s-1-5-21-11769710-83952115-85424539-1000\dc5\homer\tmp\winlogon.exe
PID 4504 194.xx.yy.zzz:3376 63.89.60.16:6129 SYN_SENT c:\recycler\s-1-5-21-11769710-83952115-85424539-1000\dc5\homer\tmp\winlogon.exe
PID 4504 194.xx.yy.zzz:3377 63.89.60.17:6129 SYN_SENT c:\recycler\s-1-5-21-11769710-83952115-85424539-1000\dc5\homer\tmp\winlogon.exe
PID 4504 194.xx.yy.zzz:3378 63.89.60.18:6129 SYN_SENT c:\recycler\s-1-5-21-11769710-83952115-85424539-1000\dc5\homer\tmp\winlogon.exe
PID 4504 194.xx.yy.zzz:3379 63.89.60.19:6129 SYN_SENT c:\recycler\s-1-5-21-11769710-83952115-85424539-1000\dc5\homer\tmp\winlogon.exe

There were no startup entries for the above app, but they did have a dropped Serv-U:

Services running on local machine:
PID 3180: Serv-U = "Serv-U FTP Server" / "c:\recycler\S-1-5-21-11769710-83952115-85424539-1000\dc5\homer\comctl32.exe"

I suspect this is the standard case where the remote-host-execution capabilities of Serv-U are used to control the infected host to do batch scanning.

Above collected with: http://www.mynetwatchman.com/tools/sc

The end-user submitted the above anonymously so I have no way to get the actual malware in hand.

Lawrence Baldwin
myNetWatchman.com
Atlanta, GA
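As an added example (not part of the original post or of the SecCheck tool), the Python below parses listing lines in the layout quoted above and flags the two things the listing shows: one process holding many SYN_SENT connections to a single remote port across a contiguous run of hosts, and an image carrying a Windows system binary name while running from outside the Windows directory. The sample lines, the documentation-range addresses and the ten-host threshold are constructed for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the SecCheck listing quoted above. Addresses
# come from RFC 5737 documentation ranges and the SID in the path is shortened.
SAMPLE = "\n".join(
    f"PID 4504 192.0.2.10:{3361 + i} 198.51.100.{1 + i}:6129 SYN_SENT "
    r"c:\recycler\s-1-5-21-XXXX-1000\dc5\homer\tmp\winlogon.exe"
    for i in range(19)
) + "\nPID 1200 192.0.2.10:1045 203.0.113.7:443 ESTABLISHED c:\\program files\\mozilla\\firefox.exe"

LINE_RE = re.compile(
    r"^PID\s+(?P<pid>\d+)\s+(?P<lip>[\d.]+):(?P<lport>\d+)\s+"
    r"(?P<rip>[\d.]+):(?P<rport>\d+)\s+(?P<state>\w+)\s+(?P<image>.+?)\s*$"
)
# System binary names malware likes to borrow; a copy outside \windows\ is suspect.
SYSTEM_NAMES = {"winlogon.exe", "svchost.exe", "lsass.exe", "csrss.exe", "services.exe"}

def parse(text):
    """Turn SecCheck-style lines into dicts; lines that do not match are skipped."""
    matches = (LINE_RE.match(line.strip()) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]

def ip_to_int(ip):
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def find_sweeps(rows, min_targets=10):
    """Flag a process holding many half-open (SYN_SENT) connections to one remote
    port across distinct hosts, and note whether those hosts form a contiguous range."""
    targets = defaultdict(set)
    for r in rows:
        if r["state"] == "SYN_SENT":
            targets[(r["pid"], r["image"], int(r["rport"]))].add(ip_to_int(r["rip"]))
    findings = []
    for (pid, image, rport), hosts in targets.items():
        if len(hosts) >= min_targets:
            ordered = sorted(hosts)
            findings.append({"pid": pid, "image": image, "port": rport, "targets": len(hosts),
                             "contiguous": ordered[-1] - ordered[0] == len(hosts) - 1})
    return findings

def find_masquerades(rows):
    """Flag images named like Windows system binaries but running from elsewhere."""
    hits = {(r["pid"], r["image"]) for r in rows
            if r["image"].lower().rsplit("\\", 1)[-1] in SYSTEM_NAMES
            and "\\windows\\" not in r["image"].lower()}
    return sorted(hits)

if __name__ == "__main__":
    rows = parse(SAMPLE)
    for finding in find_sweeps(rows):
        print("sweep:", finding)
    for pid, image in find_masquerades(rows):
        print("masquerade:", pid, image)
```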