[get complete service list]
Port Information
Protocol Service Name
tcp dameware Dameware Remote Admin
Top IPs Scanning
Today Yesterday (30) (39) (7) (18) (6) (14) (4) (13) (4) (8) (4) (6) (3) (4) (3) (4) (2) (3) (2) (3)
Port diary mentions
Homeland Security Level Raised to Orange, increase in DameWare (port 6129) scans and exploit, Microsoft Retires Products (Including Windows 98), And Earthlink Users Being Targeted by Scam Using IE bug
IE URL Bug; Phishing Attacks; Port 6129 Remains High; Proper Incident Response
122303 CitiBankVisa Account Phishing, ISS IE URL Spoofing filter, Dameware scanning, Apple patch links
User Comments
Submitted By Date
Nick FitzGerald 2005-09-13 02:06:58
Spike 31 Aug thru early September 2005 probably due to remotely exploitable login username buffer overflow in DameWare Mini Remote Control Client Agent Service (dwrcs.exe): http://www.frsirt.com/english/advisories/2005/1596 Reported to affect 4.0 thru, but not including, 4.9.0. Various versions of this agent are often surreptitiously installed by malware as a backdoor, so random scanning may turn up more installations than might otherwise be expected.
ChrisA 2004-04-28 00:21:35
There is at least one known buffer overflow vulnerablity in versions prior to 3.73. This vulnerablity may permit an unauthenticated attacker from executing code on your system.
Jerry Davis 2004-01-03 07:35:13
I have also seen quite a few successful entries via this port from dameware mini r/c. It also seems to be connected to slim FTP that shows up at the same time of infection.
Andreas 2003-12-22 23:18:25
Probably related to http://www.securiteam.com/windowsntfocus/6N00B1P95I.html and/or http://www.k-otik.com/exploits/08.13.nfm-shatterdame.c.php. I've seen multiple successful intrusions via this service today.
Davis Ray Sickmon, Jr 2003-12-22 07:41:30
Normally associated with DameWare and DameWare mini-RC, a remote control agent.
CVE Links
CVE # Description