Security Incidents mailing list archives
RE: Increase in TCP 6129 (Dameware) scans?
From: "Michael Wright" <mcwright () dbls com>
Date: Thu, 22 Jan 2004 13:43:29 -0500
I started a packet capture two hours ago. Below is an example of what I'm seeing:

Isabel# tcpdump -i xl1 dst port 6129
tcpdump: WARNING: xl1: no IPv4 address assigned
tcpdump: listening on xl1
12:27:38.205925 cs24242124-9.sport.rr.com.imap3 > XXX.XXXX.com.6129: S 27975:27975(0) win 16384
12:28:18.098035 cs24242124-9.sport.rr.com.imap3 > XXX.XXXX.com.6129: S 27975:27975(0) win 16384
12:28:26.106805 cs24242124-9.sport.rr.com.imap3 > X.X.X.169.6129: S 27975:27975(0) win 16384
12:28:34.105322 cs24242124-9.sport.rr.com.imap3 > X.X.X.170.6129: S 27975:27975(0) win 16384
12:28:58.002134 cs24242124-9.sport.rr.com.imap3 > XXX.XXXX.com.6129: S 27975:27975(0) win 16384
13:14:23.408941 user-24-214-18-37.knology.net.imap3 > X.X.X.34.6129: S 11245:11245(0) win 16384
13:14:28.704245 user-24-214-18-37.knology.net.imap3 > X.X.X.35.6129: S 11245:11245(0) win 16384
13:14:55.122317 user-24-214-18-37.knology.net.imap3 > X.X.X.40.6129: S 11245:11245(0) win 16384
13:15:26.877604 user-24-214-18-37.knology.net.imap3 > X.X.X.46.6129: S 11245:11245(0) win 16384
13:15:48.558730 user-24-214-18-37.knology.net.imap3 > X.X.X.50.6129: S 11245:11245(0) win 16384
13:16:14.972610 user-24-214-18-37.knology.net.imap3 > X.X.X.55.6129: S 11245:11245(0) win 16384
13:17:28.999331 user-24-214-18-37.knology.net.imap3 > X.X.X.69.6129: S 11245:11245(0) win 16384
13:17:44.896070 user-24-214-18-37.knology.net.imap3 > X.X.X.72.6129: S 11245:11245(0) win 16384
13:18:00.754860 user-24-214-18-37.knology.net.imap3 > X.X.X.75.6129: S 11245:11245(0) win 16384
13:18:18.255556 user-24-214-18-37.knology.net.imap3 > X.X.X.78.6129: S 11245:11245(0) win 16384
13:18:23.573854 user-24-214-18-37.knology.net.imap3 > X.X.X.79.6129: S 11245:11245(0) win 16384
13:25:32.047576 user-24-214-18-37.knology.net.imap3 > X.X.X.160.6129: S 11245:11245(0) win 16384
13:25:37.329666 user-24-214-18-37.knology.net.imap3 > X.X.X.161.6129: S 11245:11245(0) win 16384
13:25:42.602150 user-24-214-18-37.knology.net.imap3 > XXX.XXXX.com.6129: S 11245:11245(0) win 16384
13:25:53.167831 user-24-214-18-37.knology.net.imap3 > X.X.X.164.6129: S 11245:11245(0) win 16384
13:26:19.551182 user-24-214-18-37.knology.net.imap3 > X.X.X.169.6129: S 11245:11245(0) win 16384
13:26:30.123451 user-24-214-18-37.knology.net.imap3 > XXX.XXXX.com.6129: S 11245:11245(0) win 16384
13:26:45.998084 user-24-214-18-37.knology.net.imap3 > X.X.X.174.6129: S 11245:11245(0) win 16384

Some new findings:

- TCP window size seems to be consistent at 16384 (this is the Windows 2000 and XP default window size, I believe).
- Byte count = zero
- Flags = SYN

I'll have better findings after a 24-hour period of collection.

I believe the scanner is actually attempting a connection rather than simply gathering intelligence on infected hosts. The reason I believe this:

1. Source port appears to remain static.
2. The sequence numbers of the TCP packets remain the same.

If it were merely logging infected hosts to a database for later compromise, I assume it would increment the source port by one and also increment the sequence number so that multiple sessions could be listening/logging for speed and efficiency. Although the "single connection attempt" you've noticed contradicts this a bit.

More as I find it.

-M
-----Original Message-----
From: Kevin Patz [mailto:jambo_cat () yahoo com]
Sent: Thursday, January 22, 2004 1:19 PM
To: mcwright () dbls com
Cc: incidents () securityfocus com
Subject: RE: Increase in TCP 6129 (Dameware) scans?

--- Michael Wright <mcwright () dbls com> wrote:

> I'm seeing similar scans on multiple firewalls. Interesting findings:
> 1. Port 220 seems to be a popular source port for the scans.

I noticed the same thing after posting my original inquiry.

> 2. It's a slow scan (presumably due to a single source port and TCP utilization rather than UDP)

Makes sense. Another thing I noticed: since my firewall drops unauthorized SYN packets, the source-220 scans only make one attempt, rather than the 2 or 3 tries that most applications requesting TCP connections make (including scans I've seen to 6129 with ephemeral source ports). Also, with the single source port, I bet these scans are just sniffing for machines that are listening on the port, rather than attempting to establish a connection -- a TCP war-dialer of sorts. Tonight I'll set up a listener on the port to see how the scanners respond to an open port.

> I'm currently seeing roughly 1800+ attempts per day, per firewall.

I have a single IP (cable modem) so I typically only see one (or maybe two) scans per source IP. Today's count is 37 so far. I had 50 yesterday.
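The traits both posters are comparing (a fixed source port, an unchanging sequence number, window 16384, one SYN per target host versus the two or three retries an ordinary connect makes) can be pulled out of a tcpdump log mechanically. The Python script below is an added example written for this page, not code from either poster: it parses BSD-style tcpdump SYN lines like the ones in the capture above, groups them by source host, and separates a fixed-port sweep across many hosts from the SYN retransmissions of a single connection attempt to one host. The SAMPLE_CAPTURE entries from host.example.net are constructed; the rest are copied from the capture in the message. The imap3 = 220 mapping (from /etc/services) and the three-target threshold are assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# BSD-style tcpdump SYN line as printed in the thread, e.g.
#   13:14:23.408941 user-24-214-18-37.knology.net.imap3 > X.X.X.34.6129: S 11245:11245(0) win 16384
SYN_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\S+)\.(?P<sport>[A-Za-z0-9-]+)\s+>\s+"
    r"(?P<dst>\S+)\.(?P<dport>[A-Za-z0-9-]+):\s+S\s+"
    r"(?P<seq>\d+):\d+\((?P<payload>\d+)\)\s+win\s+(?P<win>\d+)"
)

# tcpdump substitutes service names from /etc/services; imap3 is TCP 220 (assumed mapping).
SERVICE_PORTS = {"imap3": 220}


def port_number(token):
    """Turn a tcpdump port token (number or service name) into an int, or None if unknown."""
    if token in SERVICE_PORTS:
        return SERVICE_PORTS[token]
    return int(token) if token.isdigit() else None


def parse_syn(line):
    """Return the fields of one SYN line, or None for noise such as tcpdump banners."""
    m = SYN_LINE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m["ts"], "src": m["src"], "sport": port_number(m["sport"]),
        "dst": m["dst"], "dport": port_number(m["dport"]),
        "seq": int(m["seq"]), "payload": int(m["payload"]), "win": int(m["win"]),
    }


@dataclass
class SourceSummary:
    probes: int = 0
    sports: set = field(default_factory=set)   # distinct source ports seen
    seqs: set = field(default_factory=set)     # distinct initial sequence numbers
    targets: set = field(default_factory=set)  # distinct destination hosts
    wins: set = field(default_factory=set)     # distinct window sizes


def summarize(lines, dport=6129):
    """Group SYNs aimed at the DameWare port by source host."""
    by_src = defaultdict(SourceSummary)
    for line in lines:
        pkt = parse_syn(line)
        if pkt is None or pkt["dport"] != dport:
            continue
        s = by_src[pkt["src"]]
        s.probes += 1
        s.sports.add(pkt["sport"])
        s.seqs.add(pkt["seq"])
        s.targets.add(pkt["dst"])
        s.wins.add(pkt["win"])
    return dict(by_src)


def classify(s, min_targets=3):
    """Heuristic from the thread: one fixed source port and one ISN reused against many
    hosts is a sweep; the same tuple repeated to one host is just the retransmission an
    ordinary connect() performs when its SYN is dropped by a firewall."""
    if len(s.targets) >= min_targets and len(s.sports) == 1 and len(s.seqs) == 1:
        return "fixed-port sweep"
    if len(s.targets) == 1 and len(s.seqs) == 1:
        return "single connection attempt (retransmits)"
    return "unclassified"


def report(lines):
    """One row per source host: host, probe count, distinct targets, source ports, verdict."""
    rows = []
    for src, s in sorted(summarize(lines).items()):
        rows.append((src, s.probes, len(s.targets), sorted(s.sports, key=str), classify(s)))
    return rows


# Lines 1-7 are copied from the capture in the message; the host.example.net lines are
# constructed to show what a normal, firewalled connection attempt to one host looks like.
SAMPLE_CAPTURE = [
    "tcpdump: listening on xl1",
    "12:27:38.205925 cs24242124-9.sport.rr.com.imap3 > XXX.XXXX.com.6129: S 27975:27975(0) win 16384",
    "12:28:26.106805 cs24242124-9.sport.rr.com.imap3 > X.X.X.169.6129: S 27975:27975(0) win 16384",
    "12:28:34.105322 cs24242124-9.sport.rr.com.imap3 > X.X.X.170.6129: S 27975:27975(0) win 16384",
    "13:14:23.408941 user-24-214-18-37.knology.net.imap3 > X.X.X.34.6129: S 11245:11245(0) win 16384",
    "13:14:28.704245 user-24-214-18-37.knology.net.imap3 > X.X.X.35.6129: S 11245:11245(0) win 16384",
    "13:14:55.122317 user-24-214-18-37.knology.net.imap3 > X.X.X.40.6129: S 11245:11245(0) win 16384",
    "13:15:26.877604 user-24-214-18-37.knology.net.imap3 > X.X.X.46.6129: S 11245:11245(0) win 16384",
    "13:30:01.000000 host.example.net.3412 > X.X.X.34.6129: S 9001:9001(0) win 16384",
    "13:30:04.000000 host.example.net.3412 > X.X.X.34.6129: S 9001:9001(0) win 16384",
    "13:30:10.000000 host.example.net.3412 > X.X.X.34.6129: S 9001:9001(0) win 16384",
]

if __name__ == "__main__":
    for row in report(SAMPLE_CAPTURE):
        print(row)
```

Feed it `tcpdump -n ... dst port 6129` output from a longer collection window and the per-source rows make the two hypotheses in the thread directly checkable: a sweep shows one source port and one ISN spread over many targets, while a host that really is trying to connect shows the same tuple repeated to one target and nothing else.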
Current thread:
- Increase in TCP 6129 (Dameware) scans? Kevin Patz (Jan 22)
- RE: Increase in TCP 6129 (Dameware) scans? Lawrence Baldwin (Jan 22)
- Re: Increase in TCP 6129 (Dameware) scans? Brian Collins (Jan 22)
- Re: Increase in TCP 6129 (Dameware) scans? Jordan Wiens (Jan 22)
- <Possible follow-ups>
- RE: Increase in TCP 6129 (Dameware) scans? Michael Wright (Jan 22)
- RE: Increase in TCP 6129 (Dameware) scans? Kevin Patz (Jan 22)
- Re: Increase in TCP 6129 (Dameware) scans? Neil Dickey (Jan 22)
- RE: Increase in TCP 6129 (Dameware) scans? Train25 (Jan 23)
- RE: Increase in TCP 6129 (Dameware) scans? Michael Wright (Jan 22)
- RE: Increase in TCP 6129 (Dameware) scans? Neil Dickey (Jan 23)