
dvd536
as Mr. Pink as they come
Premium Member
join:2001-04-27
Phoenix, AZ

dvd536

Premium Member

Port 6129

Anyone else seeing lots of hits on port 6129? Getting tons of them from all different IPs.

Steve
I know your IP address

join:2001-03-10
Tustin, CA

Steve

said by dvd536:
Anyone else seeing lots of hits on port 6129? Getting tons of them from all different IPs.
Ever the pedantic one, there is no such thing as "Port 6129" - "port numbers" are meaningless without being associated with a protocol.

You probably mean 6129/tcp or 6129/udp

Link Logger
MVM
join:2001-03-29
Calgary, AB

1 recommendation

Link Logger to dvd536

MVM

to dvd536
Yes, the honey pots are up and waiting for this one (and a bunch of others as there have been some interesting scans lately) as we have seen the increase as well. I suspect that what we are seeing is scans for Dameware ( www.dameware.com ) which is a remote administration product (think PCAnyWhere for example) used to control compromised systems. We should have a capture soon and hopefully it will confirm what the traffic is.

Blake

dvd536
as Mr. Pink as they come
Premium Member
join:2001-04-27
Phoenix, AZ

dvd536 to Steve

Premium Member

to Steve
said by Steve:
said by dvd536:
Anyone else seeing lots of hits on port 6129? Getting tons of them from all different IPs.
Ever the pedantic one, there is no such thing as "Port 6129" - "port numbers" are meaningless without being associated with a protocol.

You probably mean 6129/tcp or 6129/udp

Sorry for that. It's TCP and flags are S.

Bubba
GIT-R-DONE
MVM
join:2002-08-19
St. Andrews

Bubba to dvd536

MVM

to dvd536
According to Dshield.org....it was fairly silent until the 20th Dec.

Port Report 6129

POB
Res Firma Mitescere Nescit
Premium Member
join:2003-02-13
Stepford, CA

2 recommendations

POB to Steve

Premium Member

to Steve
said by Steve:
Ever the pedantic one, there is no such thing as "Port 6129" - "port numbers" are meaningless without being associated with a protocol.

You probably mean 6129/tcp or 6129/udp

Give the guy a break. You knew what he meant. I think you've crossed the line from "pedantic" to churl.
JesterAR
join:2002-09-06
Fairfax, VA

JesterAR

Member

Probably related to »www.securiteam.com/windo ··· 95I.html
and/or »www.k-otik.com/exploits/ ··· me.c.php.

Link Logger
MVM
join:2001-03-29
Calgary, AB

1 edit

Link Logger to dvd536

MVM

to dvd536
So far all we have seen are half-open scans, so they are currently just looking to see who has this port open, but hopefully at some time they come back to us as our TCP port 6129 is open.

I should add for JesterOK the scans have all been TCP scans so far.

Blake
Link Logger

1 edit

Link Logger to dvd536

MVM

to dvd536
They're getting braver, as we had one connection attempt instead of the usual half-open scan.

Dec 23, 2003 13:11:37.451 UTC - (TCP) 68.21.192.217 : 4341 >>> 68.144.128.104 : 6129 Dameware

Blake
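
Added example, not part of the thread: a small Python parser for the log line layout quoted in the post above that counts distinct source addresses per port and protocol pair, which is the "many different IPs on 6129/tcp" pattern being discussed. The function names, the threshold and the sample lines (documentation address ranges) are constructed for illustration, and the line layout is inferred from the single line posted.

```python
import re
from collections import defaultdict

# Layout inferred from the one capture line quoted in the post above:
# "<date> UTC - (<PROTO>) <src> : <sport> >>> <dst> : <dport> [<label>]"
LINE_RE = re.compile(
    r"^(?P<ts>.+?) UTC - \((?P<proto>TCP|UDP)\) "
    r"(?P<src>[\d.]+) : (?P<sport>\d+) >>> "
    r"(?P<dst>[\d.]+) : (?P<dport>\d+)(?: (?P<label>.*))?$"
)

def parse_line(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def sources_by_service(lines):
    """Map (port, protocol) -> set of distinct source addresses."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec:
            # Key on port AND protocol: 6129/tcp and 6129/udp are different services.
            seen[(rec["dport"], rec["proto"].lower())].add(rec["src"])
    return seen

def widely_probed(lines, min_sources=3):
    """Services hit by at least min_sources distinct hosts, busiest first."""
    counts = {svc: len(srcs) for svc, srcs in sources_by_service(lines).items()}
    hits = [(svc, n) for svc, n in counts.items() if n >= min_sources]
    return sorted(hits, key=lambda item: (-item[1], item[0]))

# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE = """\
Dec 23, 2003 13:11:37.451 UTC - (TCP) 192.0.2.10 : 4341 >>> 198.51.100.5 : 6129 Dameware
Dec 23, 2003 13:12:02.118 UTC - (TCP) 192.0.2.44 : 1093 >>> 198.51.100.5 : 6129 Dameware
Dec 23, 2003 13:12:40.902 UTC - (TCP) 203.0.113.7 : 3310 >>> 198.51.100.5 : 6129 Dameware
Dec 23, 2003 13:13:05.377 UTC - (TCP) 192.0.2.10 : 4342 >>> 198.51.100.5 : 6129 Dameware
Dec 23, 2003 13:13:30.004 UTC - (UDP) 192.0.2.10 : 4500 >>> 198.51.100.5 : 6129
Dec 23, 2003 13:14:11.640 UTC - (TCP) 203.0.113.7 : 3311 >>> 198.51.100.5 : 135
garbled line that should be skipped
""".splitlines()

if __name__ == "__main__":
    for (port, proto), n in widely_probed(SAMPLE):
        print(f"{port}/{proto}: {n} distinct sources")
```

Repeat hits from one address count once, so a single noisy host does not look like a distributed scan.
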
kpatz
MY HEAD A SPLODE
Premium Member
join:2003-06-13
Manchester, NH

kpatz

Premium Member

I've seen a handful of scans on this port (something like 6 IPs so far), nothing major yet. My firewall stealths so I don't know if it's half connection/port scans or "whole" connection attempts.

Illu-KFXP
@195.188.x.x

Illu-KFXP to Link Logger

Anon

to Link Logger
Port 6129 is the port for DameWare Remote Desktop. Don't worry about it.

tubsyfella
@pol.co.uk

tubsyfella

Anon

It's the newly released sub7.3 and a bit

Illu-KFXP
@195.188.x.x

Illu-KFXP

Anon

Yes, it is.

Link Logger
MVM
join:2001-03-29
Calgary, AB

Link Logger to dvd536

MVM

to dvd536
Certainly if you're running an unpatched version of Dameware then it's something to worry about.

New SubSeven on this port? Any documentation for this?

Blake

lolo2
@annexus.ehess.fr

lolo2 to dvd536

Anon

to dvd536
I have these too,
it seems to be DameWare, recently exploited.
->
"Vulnerability Note VU#909678
DameWare Mini Remote Control vulnerable to buffer overflow via specially crafted packets"