Security Incidents mailing list archives

RE: Increase in TCP 6129 (Dameware) scans?


From: "Train25" <sreddick () ns sympatico ca>
Date: Thu, 22 Jan 2004 19:32:02 -0400

We have seen an increase on our local network as well over the past 2
days. We had to ghost approx 80-85 pcs. We have found DWRCS.EXE,
DWRCK.DLL, DWRCS.INI, DWRCSET.DLL, DWRCShell.dll (dameware server files,
which is not an app we have used) as well as Serv-U.cnt, start.bat (starts
the serv-u ftp), ServUDaemon.ini, and firedeamon.exe all located in the
system32 folder on ALL machines. We can confirm there is an exploit out in
the wild for Dameware.
(http://www.security-corporation.com/download/exploit/DameWeird.c) We
currently set up 3 pcs with honeypots in order to trap and further
investigate. But as we have seen they are connecting to port 6129 and a
reverse shell is binding to a dictated port on the attacker's pc. From there
we are seeing the attacker use ftp.exe to connect to a specified ftp and
upload files to our network pcs. Then they reconnect and run the start.bat
file, which is automatically installing the ftp service and disabling the
dameware service which was running.

Sorry for the rambling but I thought I would update everyone on our initial
investigation.
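The post gives two things a responder can act on: a fixed set of file names dropped into system32, and a traffic pattern (inbound TCP 6129, then an outbound connection from the touched host back to the scanner). The script below is an added triage example, not code from the original post or from DameWare; the file names are the ones quoted above, while the firewall log line format, the sample log lines, the sample host directories and the function names are constructed for this example. It classifies a host by which indicator files sit in a directory, counts accepted inbound 6129 connections per source, and correlates each 6129 touch with a later outbound connection from that host back to the same remote address (the reverse-shell pattern the post describes).

```python
"""
Triage helpers for the Dameware / TCP 6129 incident described in the post.
Added example: not code from the post or from DameWare. The indicator file
names come from the post; everything else (log format, sample data) is
constructed here.
"""
import os
import re
import tempfile
from collections import Counter

# File names quoted in the post. Case-insensitive, as on Windows.
# Note: the DameWare files only mean something on a network where DameWare
# is not a deployed admin tool, which is the situation the post describes.
DAMEWARE_FILES = {"dwrcs.exe", "dwrck.dll", "dwrcs.ini", "dwrcset.dll", "dwrcshell.dll"}
FTP_DROP_FILES = {"serv-u.cnt", "start.bat", "servudaemon.ini", "firedeamon.exe"}


def scan_system32(path):
    """Return (dameware_hits, ftp_hits): indicator names found directly in `path`."""
    try:
        names = {n.lower() for n in os.listdir(path)}
    except OSError:
        return set(), set()
    return names & DAMEWARE_FILES, names & FTP_DROP_FILES


def classify_host(path):
    """Both file sets present matches the post's full drop; one set alone is worth a look."""
    dw, ftp = scan_system32(path)
    if dw and ftp:
        return "compromised-likely"
    if dw or ftp:
        return "suspicious"
    return "clean"


# Constructed log format: "<date> <time> <ACCEPT|DROP> <TCP|UDP> <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^(\S+ \S+) (ACCEPT|DROP) (TCP|UDP) "
    r"(\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$"
)


def parse_line(line):
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    _ts, action, proto, src, _sport, dst, dport = m.groups()
    return action, proto, src, dst, dport


def inbound_6129(lines):
    """Count accepted TCP connections to port 6129, keyed by source address."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec[0] == "ACCEPT" and rec[1] == "TCP" and rec[4] == "6129":
            hits[rec[2]] += 1
    return hits


def reverse_shell_candidates(lines):
    """(internal_host, remote) pairs where remote hit the host on 6129 and the
    host later opened a TCP connection back to that remote. Lines are assumed
    to be in time order."""
    touched = set()       # (internal_host, remote) seen on inbound 6129
    candidates = set()
    for line in lines:
        rec = parse_line(line)
        if not rec or rec[0] != "ACCEPT" or rec[1] != "TCP":
            continue
        _, _, src, dst, dport = rec
        if dport == "6129":
            touched.add((dst, src))
        elif (src, dst) in touched:
            candidates.add((src, dst))
    return candidates


# Constructed sample log: 10.0.0.5 sweeps three hosts on 6129; 192.168.1.20 then
# calls back to it on 4444. The DROP, the UDP line and the junk line must be ignored.
SAMPLE_LOG = [
    "2004-01-21 10:02:11 ACCEPT TCP 10.0.0.5:3371 -> 192.168.1.20:6129",
    "2004-01-21 10:02:13 ACCEPT TCP 10.0.0.5:3372 -> 192.168.1.21:6129",
    "2004-01-21 10:02:14 DROP TCP 10.0.0.9:4000 -> 192.168.1.22:6129",
    "2004-01-21 10:03:00 ACCEPT TCP 192.168.1.20:1080 -> 10.0.0.5:4444",
    "2004-01-21 10:05:40 ACCEPT TCP 10.0.0.5:3390 -> 192.168.1.22:6129",
    "2004-01-21 10:06:01 ACCEPT UDP 10.0.0.5:3391 -> 192.168.1.22:6129",
    "not a log line",
]


def demo_host_triage():
    """Build three constructed system32 look-alikes in a temp dir and classify them."""
    samples = {
        "hostA": ["DWRCS.EXE", "DWRCK.DLL", "start.bat", "ServUDaemon.ini"],
        "hostB": ["DWRCS.EXE"],
        "hostC": ["notepad.exe"],
    }
    results = {}
    with tempfile.TemporaryDirectory() as root:
        for label, names in samples.items():
            d = os.path.join(root, label)
            os.makedirs(d)
            for n in names:
                open(os.path.join(d, n), "w").close()
            results[label] = classify_host(d)
    return results


if __name__ == "__main__":
    print(demo_host_triage())
    print(dict(inbound_6129(SAMPLE_LOG)))
    print(reverse_shell_candidates(SAMPLE_LOG))
```

On a real host the path to pass is the actual system32 directory, and the log parser would be swapped for whatever the site's firewall actually emits; the correlation logic itself (inbound 6129, then outbound from the same host to the same remote) is what carries over.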

