6101 and 6129 scans on the rise; “infected links”; A reader Query; A Goodie Basket for Grandma
6101 and 6129 scans on the rise

Readers submitted queries this morning about scans against 6101/TCP and 6129/TCP. We’ve seen only SYN scans so far; no packets have been submitted.

The 6101/TCP scan is theorized to be looking for the Veritas BackupExec Agent vulnerability discussed earlier in December.

The 6129/TCP scan MIGHT be looking for instances of the remote administration port for Dameware. There are a few known weaknesses in the authorization code in older versions.

These are just guesses at this point. Without packets, there’s not much to go on. If you have packet captures, send them in. If you have reports of the scans, please submit them via Dshield.
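Since only SYN scans have been reported, one way to pull reportable evidence from your own firewall logs is to tally bare-SYN probes to these two ports per source. This is an added example, not part of the original diary; it assumes netfilter-style LOG lines, and the sample lines, addresses and the `min_targets` threshold are constructed for illustration.

```python
import re
from collections import defaultdict

WATCHED_PORTS = {6101, 6129}          # the two ports named in this diary
FLAG_NAMES = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
FIELD = re.compile(r"\b([A-Z]+)=(\S*)")

# Constructed sample lines in netfilter LOG style (documentation addresses only).
SAMPLE_LOG = """\
Jan 11 09:14:02 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=48 TTL=113 PROTO=TCP SPT=4321 DPT=6101 WINDOW=16384 RES=0x00 SYN URGP=0
Jan 11 09:14:02 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.6 LEN=48 TTL=113 PROTO=TCP SPT=4322 DPT=6101 WINDOW=16384 RES=0x00 SYN URGP=0
Jan 11 09:14:03 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.7 LEN=48 TTL=113 PROTO=TCP SPT=4323 DPT=6101 WINDOW=16384 RES=0x00 SYN URGP=0
Jan 11 09:20:11 fw kernel: IN=eth0 OUT= SRC=203.0.113.44 DST=198.51.100.5 LEN=48 TTL=109 PROTO=TCP SPT=2870 DPT=6129 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 11 09:20:11 fw kernel: IN=eth0 OUT= SRC=203.0.113.44 DST=198.51.100.9 LEN=48 TTL=109 PROTO=TCP SPT=2871 DPT=6129 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 11 09:31:40 fw kernel: IN=eth0 OUT= SRC=203.0.113.80 DST=198.51.100.5 LEN=44 TTL=52 PROTO=TCP SPT=80 DPT=6129 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Jan 11 09:40:05 fw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.5 LEN=48 TTL=120 PROTO=TCP SPT=1055 DPT=6101 WINDOW=8192 RES=0x00 SYN URGP=0
Jan 11 09:41:19 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TTL=113 PROTO=UDP SPT=4400 DPT=6101 LEN=40
"""

def parse_line(line):
    """Return (src, dst, dport, flags) for a TCP log line, else None."""
    fields = dict(FIELD.findall(line))
    if fields.get("PROTO") != "TCP":
        return None
    try:
        dport = int(fields["DPT"])
        src, dst = fields["SRC"], fields["DST"]
    except (KeyError, ValueError):
        return None
    return src, dst, dport, FLAG_NAMES.intersection(line.split())

def summarize_probes(log_text, min_targets=2):
    """Map (src, dport) -> sorted targets for bare-SYN probes to watched ports,
    keeping only sources that hit at least min_targets distinct hosts."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, dport, flags = parsed
        if dport in WATCHED_PORTS and flags == {"SYN"}:
            targets[(src, dport)].add(dst)
    return {k: sorted(v) for k, v in targets.items() if len(v) >= min_targets}

if __name__ == "__main__":
    for (src, dport), dsts in sorted(summarize_probes(SAMPLE_LOG).items()):
        print(f"{src} -> {dport}/tcp: {len(dsts)} hosts probed")
```

The SYN/ACK line and the UDP line are deliberately excluded: the first is reply traffic rather than a probe, and the second is not TCP at all.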

“Infected Links”

Some days in the Handler’s Diary we include snippets of source code, or links to sites with in-depth analysis of examples of malicious code. These are likely to upset your Anti-Virus software. We try to be diligent and not link to a site that may compromise your system. When your Anti-Virus warns you, it’s just telling you that you’re walking a little close to the “dangerous” side of the Internet. Enjoy the rush.

A Reader Query

Joel, a reader, sent us an incident report of a “PrintMe” infection. He thinks they picked it up while using a hotel’s network to allow them to print to the hotel’s printers. He’s asking if anyone else has seen a similar use of the code, or has picked up this bit of code while on the road.

A Goodie Basket for Grandma

While traveling around for my winter holidays (which were delayed due to ice storms and flooding...but that’s another story) to visit family and friends, I took a little CD with me...A Goodie Basket for Grandma, if you will. If you’re involved in computer security, I’m sure that your family has plenty of questions for you when they get their new computers. If so, I have some advice to make your life a bit easier. If not, they should be asking, and you may want to start doing this for them.

I downloaded SP2 for Windows XP Home edition. I downloaded the security patches released since SP2. I downloaded Spybot S&D and its latest signatures. I downloaded Clamwin. I downloaded tightVNC. Burn them all to a CD (or put them on your USB drive.) Then, while you’re visiting, you can clean up their PC, patch it up, and leave VNC behind so you can provide remote assistance should they call you in the future (and you’re far away.)

In my experience, it was best to install Spybot S&D and Clamwin first, in order to make sure the system is clean. I found plenty of tracking cookies, and a few SDBot infections. Once the systems are clean, you can begin patching. “Windows XP: Surviving the First Day” makes for a good read, too.

*The goal of the Goodie Basket was to provide freeware solutions for people on dial-up connections.

**Microsoft’s Anti-Spyware tool was released less than 24 hours before I built the Goodie Basket; it wasn’t properly tested, so it was not included.

***Don't run VNC in server mode; set it up in a "click here in an emergency" program group in Grandma's menu.


kliston AT
Kevin Liston

Jan 11th 2005