Elevated Levels of TCP 6129 Traffic

On January 2, the campus recorded very high levels of TCP 6129 traffic at the campus border and within the campus network. This traffic appears related to a recently released exploit against Dameware remote management software (distributed for Windows). At this time filters have been implemented to block inbound and outbound network traffic over TCP 6129.

If you use DameWare Development Mini Remote Control Server, it is recommended that you upgrade to the current 3.73.0.0 version. Earlier versions could permit an attacker to run unauthorized code on a vulnerable computer. Further information about the recently identified DameWare buffer overflow vulnerability can be found at http://www.securityfocus.com/bid/9213/info/.

In addition, DameWare software versions prior to 3.71.0.0 were identified as vulnerable to an exploit that could provide system privileges to a successful attacker (see: http://www.securityfocus.com/bid/8395/discussion/). We will publish additional information about the hostile programs that are targeting DameWare programs as it becomes available. We are currently identifying and isolating campus computers that are generating unusually high levels of TCP 6129 traffic.
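One way to pick out hosts showing the pattern described above, as an added example that is not part of the original advisory: a short Python script that tallies, per source address, how many distinct hosts it has contacted on TCP 6129 in a constructed flow-record sample. The CSV record layout, the sample addresses and the threshold of five distinct targets are assumptions; adjust them to the format your border sensor actually emits.

```python
from collections import defaultdict

# Constructed sample of flow records (src_ip, dst_ip, dst_port, proto),
# loosely modelled on NetFlow-style export. Not real campus data.
SAMPLE_FLOWS = """\
10.1.2.3,192.0.2.10,6129,tcp
10.1.2.3,192.0.2.11,6129,tcp
10.1.2.3,192.0.2.12,6129,tcp
10.1.2.3,192.0.2.13,6129,tcp
10.1.2.3,192.0.2.14,6129,tcp
10.1.2.3,192.0.2.15,6129,tcp
10.1.5.7,10.1.5.8,6129,tcp
10.1.5.7,10.1.5.8,6129,tcp
10.1.9.9,198.51.100.1,80,tcp
10.1.9.9,198.51.100.2,6129,udp
"""

DAMEWARE_PORT = 6129  # TCP port used by DameWare Mini Remote Control


def parse_flows(text):
    """Parse comma-separated flow records; blank or malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4:
            continue
        src, dst, port, proto = parts
        try:
            flows.append((src, dst, int(port), proto.lower()))
        except ValueError:
            continue
    return flows


def find_noisy_hosts(flows, min_targets=5, port=DAMEWARE_PORT):
    """Return {src_ip: distinct_target_count} for sources that contacted at
    least `min_targets` distinct hosts on TCP `port`.  Wide fan-out to many
    targets is what a worm or scanner hunting for the service looks like;
    one administrator reaching one server (10.1.5.7 above) is not flagged."""
    targets = defaultdict(set)
    for src, dst, dport, proto in flows:
        if proto == "tcp" and dport == port:
            targets[src].add(dst)
    return {src: len(d) for src, d in targets.items() if len(d) >= min_targets}


if __name__ == "__main__":
    for host, n in sorted(find_noisy_hosts(parse_flows(SAMPLE_FLOWS)).items()):
        print(f"{host}: {n} distinct TCP/{DAMEWARE_PORT} targets; isolate and check DameWare version")
```

Hosts the script reports are candidates for isolation and a version check against 3.73.0.0, not proof of compromise; UDP 6129 and other ports are deliberately ignored so ordinary traffic does not inflate the count.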