[Full-Disclosure] Anyone else experiencing blasts o' port 6129 TCP?

2004-01-03 Thread Jim Race
I noticed some action the previous 48 hours, and on checking logs this morning it seems that port 6129 (DameWare Remote Admin) was the common factor. ISC seems to have it on the top of their trends list: http://isc.sans.org/top10.html h. -jim

Re: [Full-Disclosure] Anyone else experiencing blasts o' port 6129 TCP?

2004-01-03 Thread Gregory A. Gilliss
Yep, got some Happy New Years traffic, although I wouldn't call it "blasts":
Jan 1 03:44:04 TCP: port 6129 connection attempt from 66.141.180.72:1616
Jan 1 05:35:16 TCP: port 6129 connection attempt from 212.125.229.164:54031
Jan 1 08:47:24 TCP: port 6129 connection attempt from 130.232.56.173:

Re: [Full-Disclosure] Anyone else experiencing blasts o' port 6129 TCP?

2004-01-03 Thread Klaus Lichtenwalder
These are my results, since last sunday, 3:00 CUT: the ip's originating the probe:

Re: [Full-Disclosure] Anyone else experiencing blasts o' port 6129 TCP?

2004-01-03 Thread Jim Race
Rob Schrack wrote:
> Oh yeah... just after Christmas, 6129 accounted for maybe 25% of the packets we submitted to dshield. In the past 5 days, they've accounted for nearly 1/2 of two million plus packets. I've been wonderin' if anyone else had been seeing it
Yup. As an example of what I mean by

Re: [Full-Disclosure] Anyone else experiencing blasts o' port 6129 TCP?

2004-01-03 Thread Rob Schrack
From: "Jim Race" <[EMAIL PROTECTED]>
To: "LC" <[EMAIL PROTECTED]>
Sent: Saturday, January 03, 2004 12:37 PM
Subject: [Full-Disclosure] Anyone else experiencing blasts o' port 6129 TCP?
> I noticed some action the previous 48 hours, and on checking logs this
> m

Re: [Full-Disclosure] Anyone else experiencing blasts o' port 6129 TCP?

2004-01-03 Thread Jeff Kell
Jim Race wrote:
> I noticed some action the previous 48 hours, and on checking logs this morning it seems that port 6129 (DameWare Remote Admin) was the common factor. ISC seems to have it on the top of their trends list:
Yes, 6129 and 17300. Have also found live Nachi traffic (wasn't that thing

Re: [Full-Disclosure] Anyone else experiencing blasts o' port 6129 TCP?

2004-01-04 Thread KF
Here's the few I noticed...
/var/log/messages.0:Dec 21 08:57:13 SRC=65.86.203.131
/var/log/messages.0:Dec 21 08:57:16 SRC=65.86.203.131
/var/log/messages.0:Dec 21 12:10:02 SRC=64.2.78.115
/var/log/messages.0:Dec 21 12:10:05 SRC=64.2.78.115
/var/log/messages.0:Dec 21 19:55:21 SRC=213.85.35.74
/var/l

Re: [Full-Disclosure] Anyone else experiencing blasts o' port 6129 TCP?

2004-01-04 Thread Rob Schrack
1 211.222.114.1292176 217.235.90.109 2 166.104.200.11 12130 212.195.102.83 1
- Original Message -
From: "KF" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, January 03, 2004 8:24 PM
Subject: Re: [Full-Disclosure] Anyone else experiencing blasts