On January 11, 2004 06:25 am, Mike Vanecek wrote:
> Has a new worm popped up using port 6129? I am starting to see a lot of
> UNPRIVPORTS to UNPRIVPORTS rejects in my log:
>
> Jan 10 02:28:37 www kernel: unprivil IN=eth0 OUT=
> MAC=00:d0:09:3d:69:81:00:04:5a:ef:5e:1d:08:00 SRC=209.74.22.108
> DST=192.168.1.95 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=33358 DF PROTO=TCP
> SPT=20954 DPT=6129 WINDOW=65535 RES=0x00 SYN URGP=0
>
> Jan 10 08:16:45 www kernel: unprivil IN=eth0 OUT=
> MAC=00:d0:09:3d:69:81:00:04:5a:ef:5e:1d:08:00 SRC=193.77.158.81
> DST=192.168.1.95 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=4089 DF PROTO=TCP
> SPT=2595 DPT=6129 WINDOW=64240 RES=0x00 SYN URGP=0
>
> [$]egrep '192.168.1.95.*6129' /var/log/linksys.log | wc -l
> 93

Hi Mike,

Not to worry if you're pure Linux. Port 6129 is used by DameWare, a Windows remote control suite much like PC Anywhere. There is a recently discovered (around mid Dec I think) buffer overflow that gives some level of access.

We had several Windows machines compromised (just the win boxes of course) and they were running ftp warez servers from our site. (several times last week I was asked to wipe the smirk off my face :-)

--
Pete Nesbitt, rhce
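The egrep count from the quoted message, extended to break the port 6129 rejects down by source address and to keep only bare SYNs (new connection attempts). This is an added example, not part of the original thread: the first two sample lines are the entries quoted above, the rest are constructed, and the function names are this example's own.

```python
import re
from collections import Counter

# First two lines are the entries quoted in the post (unwrapped); the rest are
# constructed for this example, using documentation-range source addresses.
SAMPLE_LOG = """\
Jan 10 02:28:37 www kernel: unprivil IN=eth0 OUT= MAC=00:d0:09:3d:69:81:00:04:5a:ef:5e:1d:08:00 SRC=209.74.22.108 DST=192.168.1.95 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=33358 DF PROTO=TCP SPT=20954 DPT=6129 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 10 08:16:45 www kernel: unprivil IN=eth0 OUT= MAC=00:d0:09:3d:69:81:00:04:5a:ef:5e:1d:08:00 SRC=193.77.158.81 DST=192.168.1.95 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=4089 DF PROTO=TCP SPT=2595 DPT=6129 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 10 09:01:12 www kernel: unprivil IN=eth0 OUT= MAC=00:d0:09:3d:69:81:00:04:5a:ef:5e:1d:08:00 SRC=203.0.113.7 DST=192.168.1.95 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=1201 DF PROTO=TCP SPT=4001 DPT=6129 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 10 09:01:15 www kernel: unprivil IN=eth0 OUT= MAC=00:d0:09:3d:69:81:00:04:5a:ef:5e:1d:08:00 SRC=203.0.113.7 DST=192.168.1.95 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=1202 DF PROTO=TCP SPT=4001 DPT=6129 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 10 09:02:40 www kernel: unprivil IN=eth0 OUT= MAC=00:d0:09:3d:69:81:00:04:5a:ef:5e:1d:08:00 SRC=203.0.113.7 DST=192.168.1.95 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=1310 DF PROTO=TCP SPT=4010 DPT=8080 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 10 09:03:02 www kernel: unprivil IN=eth0 OUT= MAC=00:d0:09:3d:69:81:00:04:5a:ef:5e:1d:08:00 SRC=198.51.100.20 DST=192.168.1.95 LEN=44 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=80 DPT=6129 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Jan 10 09:05:00 www sshd[411]: session opened for user mike
"""

FIELD = re.compile(r"\b([A-Z]+)=(\S*)")
TCP_FLAGS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}


def parse_line(line):
    """Turn one netfilter LOG line into a dict of its KEY=value fields."""
    _, sep, body = line.partition(" IN=")
    if not sep:  # not a netfilter LOG entry
        return None
    rec = dict(FIELD.findall("IN=" + body))
    # Flags are logged as bare words (SYN, ACK, ...), unlike URGP=0.
    rec["flags"] = TCP_FLAGS & set(body.split())
    return rec


def syn_sources(log_text, port):
    """Count bare-SYN connection attempts to `port`, per source address."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec.get("PROTO") != "TCP":
            continue
        # A SYN/ACK is a reply to traffic that left the network, not a probe.
        if rec.get("DPT") == str(port) and rec["flags"] == {"SYN"}:
            hits[rec["SRC"]] += 1
    return hits


if __name__ == "__main__":
    hits = syn_sources(SAMPLE_LOG, 6129)
    print(f"{sum(hits.values())} SYNs to 6129 from {len(hits)} sources")
    for src, n in hits.most_common():
        print(f"{n:4d}  {src}")
```

Many distinct sources with one or two attempts each is the pattern of widespread scanning for the service rather than one host retrying.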