Software at carnivore.it

dionaea

nepenthes

libemu

nebula

liblcfg


got root?

Let's assume somebody connected to a box running nepenthes and tried to exploit the DameWare vulnerability with a known shellcode.

Socket TCP  (bind) 0.0.0.0:0 -> 0.0.0.0:6129
        DialogueFactory DameWare Dialogue Factory creates DWDialogues could Accept a Connection

Accepted Connection Socket TCP  (accept) 81.164.174.142:1092 -> xxx.xxx.xxx.xxx:6129

Detected connectback shellcode konstanzConnect, 81.164.174.142:10000

Nepenthes would try to connect to the attacker and offer a shell.

Connecting xxx.xxx.xxx.xxx -> 81.164.174.142:10000

and would receive commands to download something, but fail.

Handler ftp download handler will download ftp://Leech:NFe@69.134.194.126:1337/nofileyet 
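
The session above can be folded into a single triage record. The following is an added example, not part of the original page or of nepenthes itself; the regular expressions and the summarize() helper are assumptions inferred only from the four log lines quoted above.

```python
import re
from urllib.parse import urlsplit

# Log lines copied from the excerpt above (sensor address already masked).
SAMPLE = """\
Accepted Connection Socket TCP  (accept) 81.164.174.142:1092 -> xxx.xxx.xxx.xxx:6129
Detected connectback shellcode konstanzConnect, 81.164.174.142:10000
Connecting xxx.xxx.xxx.xxx -> 81.164.174.142:10000
Handler ftp download handler will download ftp://Leech:NFe@69.134.194.126:1337/nofileyet
"""

# Patterns are inferred from these lines only, not from the nepenthes source.
ACCEPT = re.compile(r"Accepted Connection Socket TCP\s+\(accept\) (\S+):(\d+) -> \S+:(\d+)")
SHELLCODE = re.compile(r"Detected (\w+) shellcode (\w+), (\S+):(\d+)")
DOWNLOAD = re.compile(r"will download (\S+)")


def summarize(log_text):
    """Fold one session's log lines into a single triage record."""
    rec = {}
    for line in log_text.splitlines():
        if m := ACCEPT.search(line):
            rec["attacker"] = m.group(1)
            rec["service_port"] = int(m.group(3))
        elif m := SHELLCODE.search(line):
            rec["shellcode"] = f"{m.group(1)}/{m.group(2)}"
            rec["callback"] = (m.group(3), int(m.group(4)))
        elif m := DOWNLOAD.search(line):
            url = urlsplit(m.group(1))
            rec["download_scheme"] = url.scheme
            rec["download_host"] = (url.hostname, url.port)
            rec["download_user"] = url.username  # password deliberately not kept
            rec["download_path"] = url.path
    # Does the shell call back to the same host that sent the exploit?
    if "attacker" in rec and "callback" in rec:
        rec["callback_to_attacker"] = rec["callback"][0] == rec["attacker"]
    # A payload server on a different address is a second indicator to track.
    if "attacker" in rec and "download_host" in rec:
        rec["separate_payload_host"] = rec["download_host"][0] != rec["attacker"]
    return rec


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

For this session the record shows the shell calling back to the exploiting host, while the payload is requested from a second address on a non-standard FTP port.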

vuln-dameware

A new exploit for Dameware Mini Remote Control showed up in the last few days. Even though the exploit has some minor bugs (e.g. it does not compile properly on Unix and is not string-safe), the first people took up the challenge and started scanning for vulnerable machines.

The stats are taken from dshield.

start.txt · Last modified: 2010/10/13 12:09 by common