Re: Dameware scans, worm?

From: Charles Hamby (fixer_at_gci.net)
Date: 01/22/04

  • Next message: Lawrence Baldwin: "RE: Increase in TCP 6129 (Dameware) scans?"
    Date: Thu, 22 Jan 2004 07:52:37 -0900
    To: "Keith T. Morgan" <keith.morgan@terradon.com>
    
    

    We've also seen a huge increase in dameware scans, but not all of them
    have been from source port 220. What we've been seeing is a mix of
    scans: some from port 220, some that show up in the 1000 range, and still
    others that strictly show up only in the 4000 range. For example:

    [**] [1:0:0] DameWare Remote Agent Scan. [**]
    [Priority: 0]
    01/21-09:36:28.664230 12.216.178.193:1415 -> w.x.y.z:6129
    TCP TTL:116 TOS:0x0 ID:37387 IpLen:20 DgmLen:48 DF
    ******S* Seq: 0xBD91B99F Ack: 0x0 Win: 0x4000 TcpLen: 28
    TCP Options (4) => MSS: 1460 NOP NOP SackOK

    and

    [**] [1:0:0] DameWare Remote Agent Scan. [**]
    [Priority: 0]
    01/21-23:30:28.845245 66.102.199.99:220 -> w.x.y.z:6129
    TCP TTL:112 TOS:0x0 ID:6447 IpLen:20 DgmLen:40
    ******S* Seq: 0x5EE5 Ack: 0x5EE5 Win: 0x4000 TcpLen: 20

    and

    [**] [1:0:0] DameWare Remote Agent Scan. [**]
    [Priority: 0]
    01/22-00:02:47.429139 61.130.20.178:4727 -> w.x.y.z:6129
    TCP TTL:109 TOS:0x0 ID:59562 IpLen:20 DgmLen:48 DF
    ******S* Seq: 0x111BFE3 Ack: 0x0 Win: 0xFAF0 TcpLen: 28
    TCP Options (4) => MSS: 1460 NOP NOP SackOK

    I think, as you suggest, that these may just represent different tools
    that are being used. I haven't had a chance to look at the original
    exploit that was released for this vuln to see what sort of signature it
    gives. Anyone done that?

    -cdh

    Keith T. Morgan wrote:

    >We've seen an increase in scans for dameware (tcp 6129) over the past
    >four days. I believe there was an exploit released for dameware, but
    >I'm unaware of its behavior. A colleague first noticed these across
    >multiple class C networks scanning consecutive IPs, and we have been
    >seeing the same type of activity.
    >
    >The interesting part about the scans is that they almost universally
    >have a source port of 220, which to me indicates either worm activity or
    >a canned scanner/exploit combo with a hard-coded source-port.
    >
    >Anyone else seeing an increase in these?
    >

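The thread's question is whether the port-220 hits come from one hard-coded tool while the 1000- and 4000-range hits come from ordinary OS stacks. The Snort full-alert records in the post carry enough to check that: a stack-generated SYN has Ack 0, a DF bit and an MSS/SackOK option block, whereas the 66.102.199.99:220 hit has Seq equal to Ack, no DF and no TCP options at all. The following Python is an added example, not code from the original post or from the list: it parses alerts in the format shown above, flags records that look hand-crafted, and tallies which source ports are shared by more than one source address. The three alerts from the post are embedded as sample input, plus one constructed record from a documentation-range address (198.51.100.17) so that the shared-port tally has something to show; the "crafted packet" heuristics are this example's own assumptions, not something the thread asserts.

```python
"""Parse Snort full-format alerts and separate fixed-source-port scanners from stack SYNs."""
import re
from collections import Counter, defaultdict

# Sample input: the three alerts quoted in the post, followed by one CONSTRUCTED record
# (198.51.100.17, a documentation-range address) that reuses source port 220.
ALERTS = """
[**] [1:0:0] DameWare Remote Agent Scan. [**]
[Priority: 0]
01/21-09:36:28.664230 12.216.178.193:1415 -> w.x.y.z:6129
TCP TTL:116 TOS:0x0 ID:37387 IpLen:20 DgmLen:48 DF
******S* Seq: 0xBD91B99F Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] DameWare Remote Agent Scan. [**]
[Priority: 0]
01/21-23:30:28.845245 66.102.199.99:220 -> w.x.y.z:6129
TCP TTL:112 TOS:0x0 ID:6447 IpLen:20 DgmLen:40
******S* Seq: 0x5EE5 Ack: 0x5EE5 Win: 0x4000 TcpLen: 20

[**] [1:0:0] DameWare Remote Agent Scan. [**]
[Priority: 0]
01/22-00:02:47.429139 61.130.20.178:4727 -> w.x.y.z:6129
TCP TTL:109 TOS:0x0 ID:59562 IpLen:20 DgmLen:48 DF
******S* Seq: 0x111BFE3 Ack: 0x0 Win: 0xFAF0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] DameWare Remote Agent Scan. [**]
[Priority: 0]
01/22-03:14:07.000000 198.51.100.17:220 -> w.x.y.z:6129
TCP TTL:110 TOS:0x0 ID:6448 IpLen:20 DgmLen:40
******S* Seq: 0x7A10 Ack: 0x7A10 Win: 0x4000 TcpLen: 20
"""

HEADER_RE = re.compile(r'^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$')
PKT_RE = re.compile(r'^(\d\d/\d\d)-(\d\d:\d\d:\d\d\.\d+) (\S+):(\d+) -> (\S+):(\d+)$')
IP_RE = re.compile(r'^TCP TTL:(\d+) TOS:0x[0-9A-Fa-f]+ ID:(\d+) IpLen:(\d+) DgmLen:(\d+)( DF)?$')
TCP_RE = re.compile(r'^([A-Z*]{8}) Seq: 0x([0-9A-Fa-f]+) Ack: 0x([0-9A-Fa-f]+) Win: 0x([0-9A-Fa-f]+) TcpLen: (\d+)$')
OPT_RE = re.compile(r'^TCP Options \((\d+)\) => (.*)$')


def parse_alerts(text):
    """Turn Snort full-alert text into a list of dicts, one per alert record."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            cur = {'msg': m.group(4), 'options': None, 'df': False}
            records.append(cur)
            continue
        if cur is None:
            continue  # stray line before any header
        m = PKT_RE.match(line)
        if m:
            cur.update(date=m.group(1), time=m.group(2), src=m.group(3), sport=int(m.group(4)),
                       dst=m.group(5), dport=int(m.group(6)))
            continue
        m = IP_RE.match(line)
        if m:
            cur.update(ttl=int(m.group(1)), ipid=int(m.group(2)), dgmlen=int(m.group(4)),
                       df=bool(m.group(5)))
            continue
        m = TCP_RE.match(line)
        if m:
            cur.update(flags=m.group(1), seq=int(m.group(2), 16), ack=int(m.group(3), 16),
                       win=int(m.group(4), 16), tcplen=int(m.group(5)))
            continue
        m = OPT_RE.match(line)
        if m:
            cur['options'] = m.group(2)
        # "[Priority: N]" and anything else is ignored
    return records


def classify(rec):
    """Assumed heuristics for a hand-crafted SYN versus one emitted by a real TCP stack.
    Returns ('crafted' | 'stack', [reasons]); two or more tells are required for 'crafted'
    because any single one (e.g. DF clear) also occurs on some legitimate stacks."""
    reasons = []
    if rec.get('flags') == '******S*' and rec.get('ack', 0) != 0:
        reasons.append('ACK number set on a bare SYN')
    if rec.get('seq') is not None and rec.get('seq') == rec.get('ack'):
        reasons.append('Seq == Ack')
    if rec.get('tcplen') == 20 and rec.get('options') is None:
        reasons.append('no TCP options (no MSS/SackOK)')
    if not rec.get('df'):
        reasons.append('DF not set')
    return ('crafted' if len(reasons) >= 2 else 'stack'), reasons


def summarize(records):
    """Hits per source port, and source ports seen from more than one source address
    (a port reused across unrelated sources suggests a hard-coded tool rather than an
    ephemeral port picked by the OS)."""
    per_port = defaultdict(set)
    for r in records:
        per_port[r['sport']].add(r['src'])
    return {
        'hits_per_sport': dict(Counter(r['sport'] for r in records)),
        'shared_sports': {p: sorted(s) for p, s in per_port.items() if len(s) > 1},
    }


if __name__ == '__main__':
    recs = parse_alerts(ALERTS)
    for r in recs:
        kind, why = classify(r)
        print(f"{r['src']}:{r['sport']} -> {r['dport']}  {kind}  {'; '.join(why)}")
    print(summarize(recs))
```

Run against the post's own alerts, the two hits from the 1000 and 4000 ranges classify as stack-generated SYNs and the port-220 hit as crafted on all four tells; with the constructed fourth record added, port 220 is the only source port shared across distinct source addresses. Feeding a day's worth of real 6129 alerts through summarize() is the quick way to test the "one tool with a hard-coded port" hypothesis without waiting on the exploit itself.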

