I noticed some action the previous 48 hours, and on checking logs this
morning it seems that port 6129 (DameWare Remote Admin) was the common
factor. ISC seems to have it on the top of their trends list:
http://isc.sans.org/top10.html
h.
-jim
__
Yep, got some Happy New Years traffic, although I wouldn't call it "blasts":
Jan 1 03:44:04 TCP: port 6129 connection attempt from 66.141.180.72:1616
Jan 1 05:35:16 TCP: port 6129 connection attempt from 212.125.229.164:54031
Jan 1 08:47:24 TCP: port 6129 connection attempt from 130.232.56.173:
These are my results, since last Sunday, 3:00 CUT:
the IPs originating the probe:
Rob Schrack wrote:
Oh yeah... just after Christmas, 6129 accounted for maybe 25% of the packets
we submitted to dshield. In the past 5 days, they've accounted for nearly
1/2 of two million plus packets.
I've been wonderin' if anyone else had been seeing it
Yup. As an example of what I mean by
From: "Jim Race" <[EMAIL PROTECTED]>
To: "LC" <[EMAIL PROTECTED]>
Sent: Saturday, January 03, 2004 12:37 PM
Subject: [Full-Disclosure] Anyone else experiencing blasts o' port 6129 TCP?
> I noticed some action the previous 48 hours, and on checking logs this
> m
Jim Race wrote:
I noticed some action the previous 48 hours, and on checking logs this
morning it seems that port 6129 (DameWare Remote Admin) was the common
factor. ISC seems to have it on the top of their trends list:
Yes, 6129 and 17300.
Have also found live Nachi traffic (wasn't that thing
Here's the few I noticed...
/var/log/messages.0:Dec 21 08:57:13 SRC=65.86.203.131
/var/log/messages.0:Dec 21 08:57:16 SRC=65.86.203.131
/var/log/messages.0:Dec 21 12:10:02 SRC=64.2.78.115
/var/log/messages.0:Dec 21 12:10:05 SRC=64.2.78.115
/var/log/messages.0:Dec 21 19:55:21 SRC=213.85.35.74
/var/l
1
211.222.114.1292176
217.235.90.109 2
166.104.200.11 12130
212.195.102.83 1
- Original Message -
From: "KF" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, January 03, 2004 8:24 PM
Subject: Re: [Full-Disclosure] Anyone else experiencing blasts