Security Incidents mailing list archives

RE: Increase in TCP 6129 (Dameware) scans?


From: "Lawrence Baldwin" <baldwinL () mynetwatchman com>
Date: Thu, 22 Jan 2004 12:15:14 -0500

One of our security notices made its way to an infected user, who ran our
forensic tool (SecCheck), which uncovered:

PID     4504   194.xx.yy.zzz:3361   63.89.60.1:6129     SYN_SENT
c:\recycler\s-1-5-21-11769710-83952115-85424539-1000\dc5\homer\tmp\winlogon.exe
PID     4504   194.xx.yy.zzz:3362   63.89.60.2:6129     SYN_SENT
c:\recycler\s-1-5-21-11769710-83952115-85424539-1000\dc5\homer\tmp\winlogon.exe
PID     4504   194.xx.yy.zzz:3363   63.89.60.3:6129     SYN_SENT
c:\recycler\s-1-5-21-11769710-83952115-85424539-1000\dc5\homer\tmp\winlogon.exe
PID     4504   194.xx.yy.zzz:3364   63.89.60.4:6129     SYN_SENT
c:\recycler\s-1-5-21-11769710-83952115-85424539-1000\dc5\homer\tmp\winlogon.exe
PID     4504   194.xx.yy.zzz:3365   63.89.60.5:6129     SYN_SENT
c:\recycler\s-1-5-21-11769710-83952115-85424539-1000\dc5\homer\tmp\winlogon.exe
PID     4504   194.xx.yy.zzz:3366   63.89.60.6:6129     SYN_SENT
c:\recycler\s-1-5-21-11769710-83952115-85424539-1000\dc5\homer\tmp\winlogon.exe
PID     4504   194.xx.yy.zzz:3367   63.89.60.7:6129     SYN_SENT
c:\recycler\s-1-5-21-11769710-83952115-85424539-1000\dc5\homer\tmp\winlogon.exe
PID     4504   194.xx.yy.zzz:3368   63.89.60.8:6129     SYN_SENT
c:\recycler\s-1-5-21-11769710-83952115-85424539-1000\dc5\homer\tmp\winlogon.exe
PID     4504   194.xx.yy.zzz:3369   63.89.60.9:6129     SYN_SENT
c:\recycler\s-1-5-21-11769710-83952115-85424539-1000\dc5\homer\tmp\winlogon.exe
PID     4504   194.xx.yy.zzz:3370   63.89.60.10:6129     SYN_SENT
c:\recycler\s-1-5-21-11769710-83952115-85424539-1000\dc5\homer\tmp\winlogon.exe
PID     4504   194.xx.yy.zzz:3371   63.89.60.11:6129     SYN_SENT
c:\recycler\s-1-5-21-11769710-83952115-85424539-1000\dc5\homer\tmp\winlogon.exe
PID     4504   194.xx.yy.zzz:3372   63.89.60.12:6129     SYN_SENT
c:\recycler\s-1-5-21-11769710-83952115-85424539-1000\dc5\homer\tmp\winlogon.exe
PID     4504   194.xx.yy.zzz:3373   63.89.60.13:6129     SYN_SENT
c:\recycler\s-1-5-21-11769710-83952115-85424539-1000\dc5\homer\tmp\winlogon.exe
PID     4504   194.xx.yy.zzz:3374   63.89.60.14:6129     SYN_SENT
c:\recycler\s-1-5-21-11769710-83952115-85424539-1000\dc5\homer\tmp\winlogon.exe
PID     4504   194.xx.yy.zzz:3375   63.89.60.15:6129     SYN_SENT
c:\recycler\s-1-5-21-11769710-83952115-85424539-1000\dc5\homer\tmp\winlogon.exe
PID     4504   194.xx.yy.zzz:3376   63.89.60.16:6129     SYN_SENT
c:\recycler\s-1-5-21-11769710-83952115-85424539-1000\dc5\homer\tmp\winlogon.exe
PID     4504   194.xx.yy.zzz:3377   63.89.60.17:6129     SYN_SENT
c:\recycler\s-1-5-21-11769710-83952115-85424539-1000\dc5\homer\tmp\winlogon.exe
PID     4504   194.xx.yy.zzz:3378   63.89.60.18:6129     SYN_SENT
c:\recycler\s-1-5-21-11769710-83952115-85424539-1000\dc5\homer\tmp\winlogon.exe
PID     4504   194.xx.yy.zzz:3379   63.89.60.19:6129     SYN_SENT
c:\recycler\s-1-5-21-11769710-83952115-85424539-1000\dc5\homer\tmp\winlogon.exe

There were no startup entries for the above app, but they did have a dropped
Serv-U:

Services running on local machine:
        PID 3180: Serv-U = "Serv-U FTP Server" / "c:\recycler\S-1-5-21-11769710-83952115-85424539-1000\dc5\homer\comctl32.exe"

I suspect this is the standard case where the remote-host-execution
capabilities of Serv-U are used to control the infected host to do batch
scanning.

Above collected with:
http://www.mynetwatchman.com/tools/sc

The end-user submitted the above anonymously so I have no way to get the
actual malware in hand.

Lawrence Baldwin
myNetWatchman.com
Atlanta, GA
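The listing above carries the two indicators a responder would key on: one PID with a run of half-open (SYN_SENT) connections to the same remote port across consecutive addresses, and an image path under the Recycle Bin. The following script is an added example, not part of the post and not myNetWatchman's SecCheck tool; it parses that listing format (connection line followed by an image path that may wrap onto a second line), then applies those two heuristics. The threshold of five targets, the list of suspicious directories, and the sample input (built from the post's listing with a 192.0.2.x placeholder for the infected host) are assumptions made for the example.

```python
"""Flag processes whose connection table looks like a batch port sweep.

Added example (not from the post or the SecCheck tool). Parses a
SecCheck-style listing: one line "PID <pid> <lhost>:<lport> <rhost>:<rport>
<state>" followed by the image path, which may be wrapped across lines.
"""

import ipaddress
import re
from collections import defaultdict

CONN_RE = re.compile(
    r"^PID\s+(?P<pid>\d+)\s+(?P<lhost>\S+):(?P<lport>\d+)\s+"
    r"(?P<rhost>\S+):(?P<rport>\d+)\s+(?P<state>[A-Z_]+)\s*$"
)

# Assumed: directories from which no legitimate Windows service should run.
SUSPICIOUS_DIRS = ("\\recycler\\", "\\$recycle.bin\\", "\\temp\\", "\\tmp\\")

# Constructed sample modelled on the post's output (local host is a
# documentation address); the first path is wrapped as in the original.
SAMPLE_OUTPUT = r"""
PID     4504   192.0.2.10:3361   63.89.60.1:6129     SYN_SENT
c:\recycler\s-1-5-21-11769710-83952115-85424539-1000\dc5\homer\tmp\winlogon.
exe
PID     4504   192.0.2.10:3362   63.89.60.2:6129     SYN_SENT
c:\recycler\s-1-5-21-11769710-83952115-85424539-1000\dc5\homer\tmp\winlogon.exe
PID     4504   192.0.2.10:3363   63.89.60.3:6129     SYN_SENT
c:\recycler\s-1-5-21-11769710-83952115-85424539-1000\dc5\homer\tmp\winlogon.exe
PID     4504   192.0.2.10:3364   63.89.60.4:6129     SYN_SENT
c:\recycler\s-1-5-21-11769710-83952115-85424539-1000\dc5\homer\tmp\winlogon.exe
PID     4504   192.0.2.10:3365   63.89.60.5:6129     SYN_SENT
c:\recycler\s-1-5-21-11769710-83952115-85424539-1000\dc5\homer\tmp\winlogon.exe
PID     4504   192.0.2.10:3366   63.89.60.6:6129     SYN_SENT
c:\recycler\s-1-5-21-11769710-83952115-85424539-1000\dc5\homer\tmp\winlogon.exe
PID     1234   192.0.2.10:1050   198.51.100.7:80     ESTABLISHED
c:\program files\browser\browser.exe
"""


def parse_connections(text):
    """Return one dict per connection line. Lines that do not match the
    connection pattern are image-path fragments and are glued onto the
    path of the most recent record, which repairs wrapped paths."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CONN_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["pid"] = int(rec["pid"])
            rec["rport"] = int(rec["rport"])
            rec["path"] = ""
            records.append(rec)
        elif records:
            records[-1]["path"] += line
    return records


def longest_consecutive_run(addresses):
    """Length of the longest run of numerically consecutive IPv4 addresses;
    a long run is the signature of a sequential sweep."""
    ints = sorted({int(ipaddress.ip_address(a)) for a in addresses})
    best = run = 1 if ints else 0
    for prev, cur in zip(ints, ints[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def find_scanners(records, min_targets=5):
    """Flag PIDs with at least min_targets SYN_SENT connections to one remote
    port, and note whether the image lives in a suspicious directory."""
    targets = defaultdict(set)
    paths = {}
    for r in records:
        if r["state"] == "SYN_SENT":
            targets[(r["pid"], r["rport"])].add(r["rhost"])
            paths[r["pid"]] = r["path"]
    findings = []
    for (pid, port), hosts in targets.items():
        if len(hosts) >= min_targets:
            path = paths[pid]
            findings.append({
                "pid": pid,
                "port": port,
                "targets": len(hosts),
                "consecutive": longest_consecutive_run(hosts),
                "path": path,
                "suspicious_path": any(d in path.lower() for d in SUSPICIOUS_DIRS),
            })
    return findings


if __name__ == "__main__":
    for finding in find_scanners(parse_connections(SAMPLE_OUTPUT)):
        print(finding)
```

Run against the sample it reports PID 4504 sweeping port 6129 across six consecutive addresses from a \recycler\ path, and stays quiet about the ESTABLISHED browser connection; the same parser can be pointed at a saved SecCheck listing or at the equivalent `netstat -ano` output once the image path is resolved per PID.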


