dvd536 (as Mr. Pink as they come), Premium Member, join:2001-04-27, Phoenix, AZ
2003-Dec-22 1:50 am
Port 6129
Anyone else seeing lots of hits on port 6129? Getting tons of them from all different IPs

Steve (I know your IP address), join:2001-03-10, Tustin, CA
2003-Dec-22 1:51 am
said by dvd536: Anyone else seeing lots of hits on port 6129? Getting tons of them from all different IPs
Ever the pedantic one, there is no such thing as "Port 6129" - "port numbers" are meaningless without being associated with a protocol. You probably mean 6129/tcp or 6129/udp

1 recommendation
to dvd536
Yes, the honey pots are up and waiting for this one (and a bunch of others as there have been some interesting scans lately) as we have seen the increase as well. I suspect that what we are seeing is scans for Dameware ( www.dameware.com ) which is a remote administration product (think PCAnyWhere for example) used to control compromised systems. We should have a capture soon and hopefully it will confirm what the traffic is.
Blake

dvd536 (as Mr. Pink as they come), Premium Member, join:2001-04-27, Phoenix, AZ
to Steve
said by Steve:
said by dvd536: Anyone else seeing lots of hits on port 6129? Getting tons of them from all different IPs
Ever the pedantic one, there is no such thing as "Port 6129" - "port numbers" are meaningless without being associated with a protocol.
You probably mean 6129/tcp or 6129/udp
Sorry for that. It's TCP and flags are S

Bubba (GIT-R-DONE), MVM, join:2002-08-19, St. Andrews
to dvd536
According to Dshield.org....it was fairly silent until the 20th Dec. Port Report 6129

POB (Res Firma Mitescere Nescit), Premium Member, join:2003-02-13, Stepford, CA
2 recommendations
2003-Dec-22 9:27 pm
to Steve
said by Steve: Ever the pedantic one, there is no such thing as "Port 6129" - "port numbers" are meaningless without being associated with a protocol.
You probably mean 6129/tcp or 6129/udp
Give the guy a break. You knew what he meant. I think you've crossed the line from "pedantic" to churl.

1 edit
to dvd536
So far all we have seen are half open scans, so they are currently just looking to see who has this port open, but hopefully at some time they come back to us as our TCP port 6129 is open. I should add for JesterOK the scans have all been TCP scans so far.
Blake

Link Logger 1 edit
to dvd536
They're getting braver as we had one connection attempt instead of the usual half open scan.
Dec 23, 2003 13:11:37.451 UTC - (TCP) 68.21.192.217 : 4341 >>> 68.144.128.104 : 6129 Dameware
Blake

kpatz (MY HEAD A SPLODE), Premium Member, join:2003-06-13, Manchester, NH
2003-Dec-23 2:49 pm
I've seen a handful of scans on this port (something like 6 IPs so far), nothing major yet. My firewall stealths so I don't know if it's half connection/port scans or "whole" connection attempts.
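
The posts above distinguish half-open scans from full connection attempts, and note that a firewall which drops the SYN cannot tell the two apart. As an added example (not from any poster in the thread), the following classifies constructed packet records for 6129/tcp by how far the three-way handshake got. The tuple layout, the flag letters and the addresses are assumptions made for the example.

```python
from collections import defaultdict

WATCH_PORT = 6129  # 6129/tcp, the port discussed in the thread

# Constructed sample packets: (time, src_ip, src_port, dst_ip, dst_port, flags).
# Flags use S=SYN, A=ACK, R=RST; addresses are RFC 5737 documentation ranges.
PACKETS = [
    (0.00, "198.51.100.7", 4001, "192.0.2.10", 6129, "S"),
    (0.01, "192.0.2.10", 6129, "198.51.100.7", 4001, "SA"),
    (0.02, "198.51.100.7", 4001, "192.0.2.10", 6129, "R"),  # never completes
    (1.00, "198.51.100.8", 4100, "192.0.2.10", 6129, "S"),
    (1.01, "192.0.2.10", 6129, "198.51.100.8", 4100, "SA"),
    (1.02, "198.51.100.8", 4100, "192.0.2.10", 6129, "A"),  # handshake completes
    (2.00, "198.51.100.9", 4200, "192.0.2.20", 6129, "S"),  # firewall drops it
    (3.00, "198.51.100.9", 4201, "192.0.2.10", 80, "S"),    # other port, ignored
]

VERDICT = {
    "syn": "unanswered SYN (filtered, scan type unknown)",
    "refused": "port closed",
    "synack": "half-open scan",
    "reset": "half-open scan",
    "established": "full connection",
}

def classify(packets, port=WATCH_PORT):
    """Map (client_ip, client_port, server_ip) to a verdict for flows to port."""
    flows = defaultdict(list)
    for _, src, sport, dst, dport, flags in sorted(packets):
        if dport == port:                      # client -> watched port
            flows[(src, sport, dst)].append(("client", flags))
        elif sport == port:                    # reply from watched port
            flows[(dst, dport, src)].append(("server", flags))
    verdicts = {}
    for key, events in flows.items():
        state = "none"
        for side, flags in events:
            if state == "none" and (side, flags) == ("client", "S"):
                state = "syn"
            elif state == "syn" and side == "server" and flags in ("SA", "R", "RA"):
                state = "synack" if flags == "SA" else "refused"
            elif state == "synack" and side == "client" and flags != "S":
                # RST after SYN/ACK abandons the handshake; a bare ACK completes it
                state = "reset" if "R" in flags else "established"
                break
        if state != "none":                    # skip flows with no opening SYN
            verdicts[key] = VERDICT[state]
    return verdicts

if __name__ == "__main__":
    for flow, verdict in classify(PACKETS).items():
        print(flow, "->", verdict)
```

The third sample flow is the stealthed case: with the SYN dropped and no SYN/ACK sent, the sensor never sees the client's next move, so the scan type stays unknown.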

to Link Logger
Port 6129 is the port for DameWare Remote Desktop. Don't worry about it

tubsyfella, Anon
2004-Jan-1 11:29 pm
It's the newly released sub7.3 and a bit

Illu-KFXP, Anon
2004-Jan-1 11:31 pm
yes, it is.

to dvd536
Certainly if you're running an unpatched version of Dameware then it's something to worry about.
New SubSeven on this port? Any documentation for this?
Blake

lolo2, Anon
2004-Jan-5 6:28 am
to dvd536
I have these too, it seems to be DameWare, recently exploited. -> "Vulnerability Note VU#909678 DameWare Mini Remote Control vulnerable to buffer overflow via specially crafted packets"