Re: Dameware scans, worm?
From: Charles Hamby (fixer_at_gci.net)
Date: 01/22/04
- Previous message: Remko Lodder: "RE: [Securityfocus-incidents] Dameware scans, worm?"
- In reply to: Keith T. Morgan: "Dameware scans, worm?"
- Next in thread: Ben Nelson: "Re: Dameware scans, worm?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 22 Jan 2004 07:52:37 -0900
To: "Keith T. Morgan" <keith.morgan@terradon.com>
We've also seen a huge increase in dameware scans, but not all of them
have been from source port 220. What we've been seeing is a mix of
scans that are 220, some that show up in the 1000 range, and still others
that strictly show up only in the 4000 range. For example:
[**] [1:0:0] DameWare Remote Agent Scan. [**]
[Priority: 0]
01/21-09:36:28.664230 12.216.178.193:1415 -> w.x.y.z:6129
TCP TTL:116 TOS:0x0 ID:37387 IpLen:20 DgmLen:48 DF
******S* Seq: 0xBD91B99F Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
and
[**] [1:0:0] DameWare Remote Agent Scan. [**]
[Priority: 0]
01/21-23:30:28.845245 66.102.199.99:220 -> w.x.y.z:6129
TCP TTL:112 TOS:0x0 ID:6447 IpLen:20 DgmLen:40
******S* Seq: 0x5EE5 Ack: 0x5EE5 Win: 0x4000 TcpLen: 20
and
[**] [1:0:0] DameWare Remote Agent Scan. [**]
[Priority: 0]
01/22-00:02:47.429139 61.130.20.178:4727 -> w.x.y.z:6129
TCP TTL:109 TOS:0x0 ID:59562 IpLen:20 DgmLen:48 DF
******S* Seq: 0x111BFE3 Ack: 0x0 Win: 0xFAF0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
I think, as you suggest, that these may just represent different tools
that are being used. I haven't had a chance to look at the original
exploit that was released for this vuln to see what sort of signature it
gives. Anyone done that?
-cdh
Keith T. Morgan wrote:
>We've seen an increase in scans for dameware (tcp 6129) over the past
>four days. I believe there was an exploit released for dameware, but
>I'm unaware of its behavior. A colleague first noticed these across
>multiple class C networks scanning consecutive IPs, and we have been
>seeing the same type of activity.
>
>The interesting part about the scans is that they almost universally
>have a source port of 220, which to me indicates either worm activity or
>a canned scanner/exploit combo with a hard-coded source-port.
>
>Anyone else seeing an increase in these?
>
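The three alerts quoted in this thread, parsed and profiled by source port, as an added example (not code from either poster); the port bands and the hand-built-SYN heuristic are assumptions added here, not something the thread states.

```python
import re
from collections import Counter
# Constructed sample: the three Snort alerts quoted in this thread (w.x.y.z left as posted).
SAMPLE = """\
[**] [1:0:0] DameWare Remote Agent Scan. [**]
[Priority: 0]
01/21-09:36:28.664230 12.216.178.193:1415 -> w.x.y.z:6129
TCP TTL:116 TOS:0x0 ID:37387 IpLen:20 DgmLen:48 DF
******S* Seq: 0xBD91B99F Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
[**] [1:0:0] DameWare Remote Agent Scan. [**]
[Priority: 0]
01/21-23:30:28.845245 66.102.199.99:220 -> w.x.y.z:6129
TCP TTL:112 TOS:0x0 ID:6447 IpLen:20 DgmLen:40
******S* Seq: 0x5EE5 Ack: 0x5EE5 Win: 0x4000 TcpLen: 20
[**] [1:0:0] DameWare Remote Agent Scan. [**]
[Priority: 0]
01/22-00:02:47.429139 61.130.20.178:4727 -> w.x.y.z:6129
TCP TTL:109 TOS:0x0 ID:59562 IpLen:20 DgmLen:48 DF
******S* Seq: 0x111BFE3 Ack: 0x0 Win: 0xFAF0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
"""

PKT = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+)$")
TCP = re.compile(r"^(\S{8}) Seq: 0x(\w+) Ack: 0x(\w+) Win: 0x\w+ TcpLen: (\d+)")

def parse_alerts(text):
    """Turn Snort 'full' alert text into one dict per [**] record."""
    alerts, cur = [], {}  # cur is a throwaway until the first [**] header
    for line in text.splitlines():
        if line.startswith("[**]"):
            cur = {"msg": re.sub(r"^\[\*\*\] \[[\d:]+\] | \[\*\*\]$", "", line)}
            alerts.append(cur)
        elif m := PKT.match(line):
            cur.update(ts=m[1], src=m[2], sport=int(m[3]), dst=m[4], dport=int(m[5]))
        elif m := TCP.match(line):
            cur.update(flags=m[1], seq=int(m[2], 16), ack=int(m[3], 16), tcplen=int(m[4]))
    return alerts

def port_band(sport):
    # Bucket a source port the way the thread describes them: 220, 1000s, 4000s, ...
    return "220" if sport == 220 else "<1024" if sport < 1024 else f"{sport // 1000 * 1000}s"

def crafted_hint(a):
    # Heuristic (assumption): a SYN with a non-zero ACK field or no TCP options looks hand-built.
    return a.get("flags") == "******S*" and (a.get("ack") != 0 or a.get("tcplen") == 20)

def summarize(alerts):
    # Source-port profile plus the senders whose SYNs look hand-built rather than OS-generated.
    bands = Counter(port_band(a["sport"]) for a in alerts)
    return bands, sorted(a["src"] for a in alerts if crafted_hint(a))
```

Run over a full alert file, the band counter shows whether one fixed source port dominates (Keith's observation) or the ports spread across ranges (Charles's), and the crafted list separates raw-socket senders from ordinary stacks.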