Security Incidents mailing list archives

RE: Increase in TCP 6129 (Dameware) scans?


From: "Michael Wright" <mcwright () dbls com>
Date: Thu, 22 Jan 2004 13:43:29 -0500

I started a packet capture two hours ago.  Below is an example of what I'm
seeing:

Isabel# tcpdump -i xl1 dst port 6129
tcpdump: WARNING: xl1: no IPv4 address assigned
tcpdump: listening on xl1
12:27:38.205925 cs24242124-9.sport.rr.com.imap3 > XXX.XXXX.com.6129: S
27975:27975(0) win 16384
12:28:18.098035 cs24242124-9.sport.rr.com.imap3 > XXX.XXXX.com.6129: S
27975:27975(0) win 16384
12:28:26.106805 cs24242124-9.sport.rr.com.imap3 > X.X.X.169.6129: S
27975:27975(0) win 16384
12:28:34.105322 cs24242124-9.sport.rr.com.imap3 > X.X.X.170.6129: S
27975:27975(0) win 16384
12:28:58.002134 cs24242124-9.sport.rr.com.imap3 > XXX.XXXX.com.6129: S
27975:27975(0) win 16384
13:14:23.408941 user-24-214-18-37.knology.net.imap3 > X.X.X.34.6129: S
11245:11245(0) win 16384
13:14:28.704245 user-24-214-18-37.knology.net.imap3 > X.X.X.35.6129: S
11245:11245(0) win 16384
13:14:55.122317 user-24-214-18-37.knology.net.imap3 > X.X.X.40.6129: S
11245:11245(0) win 16384
13:15:26.877604 user-24-214-18-37.knology.net.imap3 > X.X.X.46.6129: S
11245:11245(0) win 16384
13:15:48.558730 user-24-214-18-37.knology.net.imap3 > X.X.X.50.6129: S
11245:11245(0) win 16384
13:16:14.972610 user-24-214-18-37.knology.net.imap3 > X.X.X.55.6129: S
11245:11245(0) win 16384
13:17:28.999331 user-24-214-18-37.knology.net.imap3 > X.X.X.69.6129: S
11245:11245(0) win 16384
13:17:44.896070 user-24-214-18-37.knology.net.imap3 > X.X.X.72.6129: S
11245:11245(0) win 16384
13:18:00.754860 user-24-214-18-37.knology.net.imap3 > X.X.X.75.6129: S
11245:11245(0) win 16384
13:18:18.255556 user-24-214-18-37.knology.net.imap3 > X.X.X.78.6129: S
11245:11245(0) win 16384
13:18:23.573854 user-24-214-18-37.knology.net.imap3 > X.X.X.79.6129: S
11245:11245(0) win 16384
13:25:32.047576 user-24-214-18-37.knology.net.imap3 > X.X.X.160.6129: S
11245:11245(0) win 16384
13:25:37.329666 user-24-214-18-37.knology.net.imap3 > X.X.X.161.6129: S
11245:11245(0) win 16384
13:25:42.602150 user-24-214-18-37.knology.net.imap3 > XXX.XXXX.com.6129: S
11245:11245(0) win 16384
13:25:53.167831 user-24-214-18-37.knology.net.imap3 > X.X.X.164.6129: S
11245:11245(0) win 16384
13:26:19.551182 user-24-214-18-37.knology.net.imap3 > X.X.X.169.6129: S
11245:11245(0) win 16384
13:26:30.123451 user-24-214-18-37.knology.net.imap3 > XXX.XXXX.com.6129: S
11245:11245(0) win 16384
13:26:45.998084 user-24-214-18-37.knology.net.imap3 > X.X.X.174.6129: S
11245:11245(0) win 16384

Some new findings:

- TCP window size seems to be consistent at 16384 (this is Windows 2000 and
  XP default window size I believe).
- Byte count = zero
- Flags = Syn

I'll have better findings after a 24-hour period of collection.

I believe the scanner is actually attempting a connection rather than simply
gathering intelligence on infected hosts.  The reason I believe this:

1.  Source port appears to remain static
2.  The sequence numbers of the TCP packets remain the same

If it were merely logging infected hosts to a database for later compromise,
I assume it would increment the source port by one and also increment the
sequence number so that multiple sessions could be listening/logging for
speed and efficiency.  Although the "single connection attempt" you've
noticed contradicts this a bit.  

More as I find it. 

-M    
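
The fingerprint described in the findings above (zero-length SYN, fixed source port, unchanged sequence number, window 16384, one source walking many addresses) can be pulled out of raw tcpdump lines mechanically. The Python below is an added detection example, not code from either poster; its capture lines are constructed in the old tcpdump format quoted above, and the hosts probe.example.net and mx.example.org are made-up placeholders.

```python
import re
from collections import defaultdict

# Old-style tcpdump TCP summary line, as quoted in the post:
#   HH:MM:SS.usec src.sport > dst.dport: FLAGS seq:seq(len) win N
LINE_RE = re.compile(
    r"^\d\d:\d\d:\d\d\.\d+ (?P<src>\S+)\.(?P<sport>[^.\s]+) > "
    r"(?P<dst>\S+)\.(?P<dport>\d+): (?P<flags>[SFRPUEW.]+) "
    r"(?P<seq>\d+):\d+\((?P<plen>\d+)\) win (?P<win>\d+)")

# Constructed sample (not the post's capture): one source walking hosts with a
# fixed source port/ISN (one retransmit), one with ephemeral ports, one SMTP.
SAMPLE_LINES = """
12:27:38.205925 cs24242124-9.sport.rr.com.imap3 > X.X.X.168.6129: S 27975:27975(0) win 16384
12:28:18.098035 cs24242124-9.sport.rr.com.imap3 > X.X.X.168.6129: S 27975:27975(0) win 16384
12:28:26.106805 cs24242124-9.sport.rr.com.imap3 > X.X.X.169.6129: S 27975:27975(0) win 16384
12:28:34.105322 cs24242124-9.sport.rr.com.imap3 > X.X.X.170.6129: S 27975:27975(0) win 16384
12:28:58.002134 cs24242124-9.sport.rr.com.imap3 > X.X.X.171.6129: S 27975:27975(0) win 16384
13:02:11.000001 probe.example.net.3412 > X.X.X.20.6129: S 88211:88211(0) win 65535
13:02:12.000002 probe.example.net.3413 > X.X.X.21.6129: S 91004:91004(0) win 65535
13:02:13.000003 probe.example.net.3414 > X.X.X.22.6129: S 93550:93550(0) win 65535
13:05:00.000004 mx.example.org.4099 > X.X.X.5.25: S 4455:4455(0) win 5840
""".strip().splitlines()

def parse_line(line):
    """Fields of one tcpdump line as a dict; None if not a plain TCP summary."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for k in ("dport", "seq", "plen", "win"):
        d[k] = int(d[k])
    return d

def scan_fingerprint(lines, port=6129, min_hosts=3):
    """Group zero-length SYNs to `port` by source host and, for each source that
    touched >= min_hosts targets, say whether source port and ISN stayed fixed."""
    by_src = defaultdict(lambda: {"dsts": set(), "sports": set(), "seqs": set(), "wins": set(), "n": 0})
    for line in lines:
        p = parse_line(line)
        if p is None or p["dport"] != port or p["flags"] != "S" or p["plen"] != 0:
            continue  # not a bare zero-length SYN to the port of interest
        e = by_src[p["src"]]
        e["dsts"].add(p["dst"]); e["sports"].add(p["sport"])
        e["seqs"].add(p["seq"]); e["wins"].add(p["win"]); e["n"] += 1
    return {src: {"targets": len(e["dsts"]), "probes": e["n"],
                  "static_sport": len(e["sports"]) == 1,
                  "static_isn": len(e["seqs"]) == 1,
                  "windows": sorted(e["wins"])}
            for src, e in by_src.items() if len(e["dsts"]) >= min_hosts}
```

Calling scan_fingerprint(SAMPLE_LINES) returns one entry per source that touched at least three hosts; a source with both static_sport and static_isn True is showing the trait the thread is discussing, while a sweep with ephemeral ports and fresh ISNs is reported but not flagged that way.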

-----Original Message-----
From: Kevin Patz [mailto:jambo_cat () yahoo com] 
Sent: Thursday, January 22, 2004 1:19 PM
To: mcwright () dbls com
Cc: incidents () securityfocus com
Subject: RE: Increase in TCP 6129 (Dameware) scans?



--- Michael Wright <mcwright () dbls com> wrote:
> I'm seeing similar scans on multiple firewalls.
>
> Interesting findings:
>
> 1.  Port 220 seems to be a popular source port for the scans.

I noticed the same thing after posting my original inquiry.

> 2.  It's a slow scan (presumably due to a single source port and TCP
> utilization rather than UDP)

Makes sense.  Another thing I noticed, since my firewall drops
unauthorized SYN packets, the source-220 scans only make one attempt,
rather than the 2 or 3 tries that most applications requesting TCP
connections make (including scans I've seen to 6129 with ephemeral
source ports).

Also, with the single source port, I bet these scans are just sniffing
for machines that are listening on the port, rather than attempting to
establish a connection--a TCP war-dialer of sorts.  Tonight I'll set up
a listener on the port to see how the scanners respond to an open port.

> I'm currently seeing roughly 1800+ attempts per day, per firewall.

I have a single IP (cable modem) so I typically only see one (or maybe
two) scans per source IP.  Today's count is 37 so far.  I had 50
yesterday.

