On Sun, 11 Jan 2004 07:22:58 -0800, Pete Nesbitt wrote
> On January 11, 2004 06:25 am, Mike Vanecek wrote:
> > Has a new worm popped up using port 6129? I am starting to see a lot of
> > UNPRIVPORTS to UNPRIVPORTS rejects in my log:
> >
> > Jan 10 02:28:37 www kernel: unprivil IN=eth0 OUT=
> > MAC=00:d0:09:3d:69:81:00:04:5a:ef:5e:1d:08:00 SRC=209.74.22.108
> > DST=192.168.1.95 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=33358 DF PROTO=TCP
> > SPT=20954 DPT=6129 WINDOW=65535 RES=0x00 SYN URGP=0
> >
> > Jan 10 08:16:45 www kernel: unprivil IN=eth0 OUT=
> > MAC=00:d0:09:3d:69:81:00:04:5a:ef:5e:1d:08:00 SRC=193.77.158.81
> > DST=192.168.1.95 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=4089 DF PROTO=TCP
> > SPT=2595 DPT=6129 WINDOW=64240 RES=0x00 SYN URGP=0
> >
> > [$]egrep '192.168.1.95.*6129' /var/log/linksys.log | wc -l
> > 93
>
> Hi Mike,
> Not to worry if you're pure Linux.
> Port 6129 is used by DameWare, a Windows remote control suite much
> like PC Anywhere. There is a recently discovered (around mid Dec I
> think) buffer overflow that gives some level of access. We had
> several Windows machines compromised (just the win boxes of course)
> and they were running ftp warez servers from our site.
> (several times last week I was asked to wipe the smirk off my face :-)

Thanks for the info. I will stop logging and just drop the 6129 packets. Maybe
it should have been called LameWare ;)
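As an added example that is not part of the original thread: the `egrep '192.168.1.95.*6129'` count above also matches lines where 6129 appears as the source port or the IP ID, so this sketch counts TCP SYNs per source by reading the `DPT=` field of each netfilter LOG line instead. The function names are hypothetical and the sample lines are constructed, using documentation addresses for the sources.

```shell
#!/bin/sh
# Added example, not from the thread. Counts inbound TCP SYNs per source for
# one destination port by parsing the key=value fields of netfilter LOG lines.

# count_syn_by_src PORT: log lines on stdin, "COUNT SRC" lines on stdout.
# (hypothetical helper name)
count_syn_by_src() {
    awk -v port="$1" '
    {
        src = ""; dpt = ""; proto = ""; syn = 0
        for (i = 1; i <= NF; i++) {
            if      ($i ~ /^SRC=/)   src   = substr($i, 5)
            else if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            else if ($i ~ /^PROTO=/) proto = substr($i, 7)
            else if ($i == "SYN")    syn   = 1
        }
        # Count only TCP SYNs whose destination port is exactly PORT.
        if (proto == "TCP" && syn && dpt == port && src != "") hits[src]++
    }
    END { for (s in hits) print hits[s], s }' | sort -k1,1nr -k2,2
}

# Constructed sample log in the format quoted in the thread. The last two
# lines are decoys: 6129 is the source port in one and the IP ID in the other.
sample_log() {
    p='www kernel: unprivil IN=eth0 OUT= MAC=00:d0:09:3d:69:81:00:04:5a:ef:5e:1d:08:00'
    d='DST=192.168.1.95 LEN=48 TOS=0x00 PREC=0x00 TTL=110'
    e='WINDOW=65535 RES=0x00 SYN URGP=0'
    printf '%s\n' \
      "Jan 10 02:28:37 $p SRC=203.0.113.10 $d ID=33358 DF PROTO=TCP SPT=20954 DPT=6129 $e" \
      "Jan 10 02:28:40 $p SRC=203.0.113.10 $d ID=33360 DF PROTO=TCP SPT=20954 DPT=6129 $e" \
      "Jan 10 08:16:45 $p SRC=198.51.100.7 $d ID=4089 DF PROTO=TCP SPT=2595 DPT=6129 $e" \
      "Jan 10 09:01:02 $p SRC=198.51.100.20 $d ID=777 DF PROTO=TCP SPT=6129 DPT=80 $e" \
      "Jan 10 09:05:11 $p SRC=198.51.100.30 $d ID=6129 DF PROTO=TCP SPT=4000 DPT=445 $e"
}

# Field-based count per source, then the loose pattern's line count.
sample_log | count_syn_by_src 6129
echo "loose egrep-style matches: $(sample_log | grep -Ec '192.168.1.95.*6129')"
```

On the constructed sample the field-based count attributes three SYNs to two sources, while the loose pattern matches all five lines.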