6101 and 6129 scans on the rise
Readers submitted queries this morning about scans against 6101/TCP and 6129/TCP. So far we have seen only SYN scans; no packet captures have been submitted.
The 6101/TCP scans are theorized to be looking for the Veritas Backup Exec Agent vulnerability discussed in December (http://isc.sans.org/diary.php?date=2004-12-16).
The 6129/TCP scans MIGHT be looking for instances of the DameWare remote administration port. There are a few known weaknesses in the authorization code in older versions.
These are just guesses at this point. Without packets, there's not much to go on. If you have packet captures, send them in. If you have reports of the scans, please submit them via DShield (http://www.dshield.org/howto.php).
Some days in the Handler's Diary we include snippets of source code, or links to sites with in-depth analysis of examples of malicious code. These are likely to upset your anti-virus software. We try to be diligent and not link to a site that may compromise your system. When your anti-virus warns you, it's just telling you that you're walking a little close to the "dangerous" side of the Internet. Enjoy the rush.
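As an added example (not part of the diary, and not a DShield tool), here is a short Python script that does the triage a reader would do before submitting: it reads netfilter-style firewall log lines, keeps only bare SYNs to 6101/TCP and 6129/TCP, and reports which source swept how many of your hosts on each port. The log lines are constructed for illustration (documentation address ranges, not real scanners); the field layout imitates the Linux iptables LOG target, and the service labels are only mnemonics for the two guesses above.

```python
"""Tally SYN probes to 6101/TCP and 6129/TCP from iptables-style log lines.

Added example, not code from the ISC diary. The sample log below is constructed
to resemble Linux netfilter LOG output; the addresses are from documentation
ranges and do not belong to real scanners.
"""
import re
from collections import defaultdict

# Ports the diary asks about, with the services they are guessed to target.
WATCHED_PORTS = {6101: "Veritas Backup Exec agent", 6129: "DameWare remote admin"}

# Constructed sample: one host sweeps three targets on 6129, another probes 6101
# (its second packet is an ACK, not a probe), plus noise that must be ignored.
SAMPLE_LOG = """\
Jan 11 09:14:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=3012 DPT=6129 WINDOW=65535 SYN URGP=0
Jan 11 09:14:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.11 PROTO=TCP SPT=3013 DPT=6129 WINDOW=65535 SYN URGP=0
Jan 11 09:14:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.12 PROTO=TCP SPT=3014 DPT=6129 WINDOW=65535 SYN URGP=0
Jan 11 09:20:41 gw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.10 PROTO=TCP SPT=4420 DPT=6101 WINDOW=16384 SYN URGP=0
Jan 11 09:21:05 gw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.10 PROTO=TCP SPT=4421 DPT=6101 WINDOW=16384 ACK URGP=0
Jan 11 09:25:00 gw kernel: IN=eth0 OUT= SRC=198.51.100.3 DST=198.51.100.10 PROTO=TCP SPT=51000 DPT=80 WINDOW=5840 SYN URGP=0
Jan 11 09:26:12 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.10 PROTO=UDP SPT=1234 DPT=6129 LEN=40
"""

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)(?P<rest>.*)"
)
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_line(line):
    """Return a dict for one netfilter LOG line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    # TCP flags appear as bare tokens (e.g. "SYN") after the DPT= field.
    flags = {tok for tok in m.group("rest").split() if tok in TCP_FLAGS}
    return {
        "src": m.group("src"), "dst": m.group("dst"), "proto": m.group("proto"),
        "spt": int(m.group("spt")), "dpt": int(m.group("dpt")),
        # A bare SYN is the probe the diary describes; SYN/ACK or ACK is not a scan.
        "syn_only": flags == {"SYN"},
    }


def tally_probes(log_text, watched=WATCHED_PORTS):
    """Map watched port -> {source IP: set of target IPs} for TCP SYN-only probes."""
    hits = {port: defaultdict(set) for port in watched}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["proto"] == "TCP" and rec["syn_only"] and rec["dpt"] in watched:
            hits[rec["dpt"]][rec["src"]].add(rec["dst"])
    return hits


def summarize(hits, watched=WATCHED_PORTS):
    """Return rows (port, service label, source IP, number of distinct targets hit)."""
    rows = []
    for port in sorted(hits):
        for src, targets in sorted(hits[port].items()):
            rows.append((port, watched[port], src, len(targets)))
    return rows


if __name__ == "__main__":
    for port, service, src, n in summarize(tally_probes(SAMPLE_LOG)):
        kind = "sweep" if n > 1 else "single probe"
        print(f"{port}/tcp ({service}): {src} -> {n} target(s) [{kind}]")
```

Only the SYN-only rows survive, so the ACK on 6101, the UDP packet to 6129 and the port-80 SYN are dropped; a source hitting several of your addresses on one port is the horizontal sweep worth reporting. The summary still tells you nothing about the payload, which is why the diary asks for full captures rather than log lines.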
A Reader Query
Joel, a reader, sent us an incident report of a "PrintMe" (http://research.sunbelt-software.com/threat_display.cfm?name=Print%20Me) infection. He thinks they picked it up while using a hotel's network to print to the hotel's printers. He's asking if anyone else has seen a similar use of the code, or has picked up this bit of code while on the road.
A Goodie Basket for Grandma
While traveling around for my winter holidays (which were delayed due to ice storms and flooding, but that's another story) to visit family and friends, I took a little CD with me: a Goodie Basket for Grandma, if you will. If you're involved in computer security, I'm sure that your family has plenty of questions for you when they get their new computers. If so, I have some advice to make your life a bit easier. If not, they should be asking, and you may want to start doing this for them.
I downloaded SP2 for Windows XP Home Edition. I downloaded the security patches released since SP2. I downloaded Spybot S&D and its latest signatures. I downloaded ClamWin. I downloaded TightVNC. Burn them all to a CD (or put them on your USB drive). Then, while you're visiting, you can clean up their PC, patch it, and leave VNC behind so you can provide remote assistance should they call you in the future (when you're far away).
In my experience, it was best to install Spybot S&D and ClamWin first, in order to make sure the system is clean. I found plenty of tracking cookies, and a few SDBot infections. Once the systems are clean, you can begin patching. "Windows XP: Surviving the First Day" (http://www.sans.org/rr/whitepapers/windows/1298.php) makes for a good read, too.
*The goal of the Goodie Basket was to provide freeware solutions for people on dial-up connections.
**Microsoft's Anti-Spyware tool was released less than 24 hours before I built the Goodie Basket; it wasn't properly tested, so it was not included.
***Don't run VNC in server mode; set it up in a "click here in an emergency" program group in Grandma's menu.
kliston AT isc.sans.org
Jan 11th 2005