Security Incidents mailing list archives
Re: Dameware scans, worm?
From: Ben Nelson <lists () venom600 org>
Date: Thu, 22 Jan 2004 09:58:47 -0700
Keith T. Morgan wrote:
> We've seen an increase in scans for dameware (tcp 6129) over the past four days. I believe there was an exploit released for dameware, but I'm unaware of its behavior. A colleague first noticed these across multiple class C networks scanning consecutive IPs, and we have been seeing the same type of activity. The interesting part about the scans is that they almost universally have a source port of 220, which to me indicates either worm activity or a canned scanner/exploit combo with a hard-coded source-port. Anyone else seeing an increase in these?
Yes. I'm also seeing a large increase in tcp/6129 scans. All of the scans I am seeing also have a source port of 220, as you said. Scans are across multiple geographically dispersed class C's. The scans started mid-day yesterday for me.
--Ben
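Added example (not part of the original thread): one way to check firewall logs for the pattern reported above, tcp/6129 probes that walk consecutive addresses from a single fixed source port. The log lines are constructed in netfilter LOG key=value style, and the function name find_sweeps and its threshold are hypothetical.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE_LOG = """\
Jan 22 09:01:01 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=220 DPT=6129 SYN
Jan 22 09:01:01 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.11 PROTO=TCP SPT=220 DPT=6129 SYN
Jan 22 09:01:02 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.12 PROTO=TCP SPT=220 DPT=6129 SYN
Jan 22 09:01:02 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.13 PROTO=TCP SPT=220 DPT=6129 SYN
Jan 22 09:05:10 fw kernel: IN=eth0 SRC=203.0.113.77 DST=192.0.2.20 PROTO=TCP SPT=41022 DPT=6129 SYN
Jan 22 09:07:44 fw kernel: IN=eth0 SRC=203.0.113.77 DST=192.0.2.45 PROTO=TCP SPT=41057 DPT=6129 SYN
Jan 22 09:09:03 fw kernel: IN=eth0 SRC=203.0.113.77 DST=192.0.2.90 PROTO=TCP SPT=41103 DPT=6129 SYN
Jan 22 09:10:00 fw kernel: IN=eth0 SRC=203.0.113.50 DST=192.0.2.10 PROTO=TCP SPT=50000 DPT=80 SYN
"""

FIELD = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")

def find_sweeps(log_text, dport=6129, min_targets=3):
    """Summarise sources probing tcp/dport on at least min_targets hosts."""
    seen = defaultdict(lambda: {"dsts": set(), "sports": set()})
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if f.get("PROTO") != "TCP" or f.get("DPT") != str(dport):
            continue
        try:
            src, dst = f["SRC"], ipaddress.ip_address(f["DST"])
            sport = int(f["SPT"])
        except (KeyError, ValueError):
            continue  # skip truncated or malformed lines
        seen[src]["dsts"].add(dst)
        seen[src]["sports"].add(sport)
    report = {}
    for src, rec in seen.items():
        dsts = sorted(rec["dsts"])
        if len(dsts) < min_targets:
            continue
        # Longest run of numerically consecutive destination addresses.
        run = best = 1
        for a, b in zip(dsts, dsts[1:]):
            run = run + 1 if int(b) - int(a) == 1 else 1
            best = max(best, run)
        sports = rec["sports"]
        report[src] = {
            "targets": len(dsts),
            "longest_consecutive_run": best,
            # One source port on every probe suggests a hard-coded value.
            "fixed_source_port": next(iter(sports)) if len(sports) == 1 else None,
        }
    return report
```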