Full Disclosure
mailing list archives
Re: Anyone else experiencing blasts o' port 6129 TCP?
From: "Gregory A. Gilliss" <ggilliss () netpublishing com>
Date: Sat, 3 Jan 2004 11:35:35 -0800
Yep, got some Happy New Years traffic, although I wouldn't call it "blasts":
Jan 1 03:44:04 TCP: port 6129 connection attempt from 66.141.180.72:1616
Jan 1 05:35:16 TCP: port 6129 connection attempt from 212.125.229.164:54031
Jan 1 08:47:24 TCP: port 6129 connection attempt from 130.232.56.173:3560
Jan 1 09:28:19 TCP: port 6129 connection attempt from 203.202.187.211:2580
Jan 1 16:53:54 TCP: port 6129 connection attempt from 80.136.224.152:3414
Jan 2 00:48:25 TCP: port 6129 connection attempt from 80.100.90.53:41020
Jan 2 20:32:14 TCP: port 6129 connection attempt from 213.254.170.80:4778
Jan 3 03:28:28 TCP: port 6129 connection attempt from 80.81.125.227:32833
Jan 3 08:28:23 TCP: port 6129 connection attempt from 24.85.32.185:3007
All blocked of course; looks like a 'bot. Bet the sources are spoofed, but
if anyone wants to track 'em, go ahead ;-)
G
On or about 2004.01.03 09:37:38 +0000, Jim Race (caferace () well com) said:
I noticed some action the previous 48 hours, and on checking logs this
morning it seems that port 6129 (DameWare Remote Admin) was the common
factor. ISC seems to have it on the top of their trends list:
http://isc.sans.org/top10.html
hmmmm.
--
Gregory A. Gilliss, CISSP E-mail: greg () gilliss com
Computer Security WWW: http://www.gilliss.com/greg/
PGP Key fingerprint 2F 0B 70 AE 5F 8E 71 7A 2D 86 52 BA B7 83 D9 B4 14 0E 8C A3
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html