SANS ISC InfoSec Handlers Diary Blog

Trend Micro ServerProtect Update

Published: 2007-08-23
Last Updated: 2007-08-25 14:00:24 UTC
by Kyle Haugsness (Version: 4)

Indications are that the ServerProtect exploit targets an older vulnerability from earlier this year (February 2007), which was patched previously. The vulnerability appears to be "vulnerability one" in this advisory: http://dvlabs.tippingpoint.com/advisory/TPTI-07-02

But this does indeed appear to be a new exploit, so machines that haven't been patched are being actively compromised.

Update:

The activity is still ongoing at this stage. If you are using ServerProtect and you can't think of a reason why it needs to be exposed to the internet, then make sure you block the following:

  • ServerProtect service Port 5168/TCP
  • ServerProtect Agent service Port 3628/TCP

If you have a packet capture, upload it via the contact form.
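To check a host against the two ports above, the following sketch audits Windows `netstat -ano -p TCP` output for ServerProtect listeners bound to non-loopback addresses and for established peers outside the internal address ranges. It is an added example, not part of the original diary or any Trend Micro tooling; the sample output is constructed, and the `INTERNAL` ranges and function names are assumptions to adapt to your own address plan.

```python
import ipaddress

# Ports named in the diary.
SERVERPROTECT_PORTS = {5168: "ServerProtect service", 3628: "ServerProtect Agent service"}

# Assumption: peers in these ranges count as internal; adjust to the site's address plan.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample of `netstat -ano -p TCP` output (not a real capture).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:5168           0.0.0.0:0              LISTENING       1432
  TCP    127.0.0.1:3628         0.0.0.0:0              LISTENING       1500
  TCP    10.1.2.3:5168          10.1.2.40:50122        ESTABLISHED     1432
  TCP    10.1.2.3:5168          203.0.113.7:49211      ESTABLISHED     1432
  TCP    10.1.2.3:49800         198.51.100.9:5168      ESTABLISHED     2210
"""

def split_endpoint(endpoint):
    """Split 'addr:port' (or '[v6]:port') into (ip_address, port)."""
    host, _, port = endpoint.rpartition(":")
    return ipaddress.ip_address(host.strip("[]").split("%")[0]), int(port)

def audit(netstat_text):
    """Return (finding, local_port, address, pid) tuples for the ServerProtect ports."""
    findings = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] != "TCP":
            continue  # header, blank or non-TCP line
        (l_ip, l_port), (r_ip, _) = split_endpoint(fields[1]), split_endpoint(fields[2])
        state, pid = fields[3], fields[4]
        if l_port not in SERVERPROTECT_PORTS:
            continue  # only the local side matters; outbound use of 5168 elsewhere is ignored
        if state == "LISTENING" and not l_ip.is_loopback:
            findings.append(("non-loopback-listener", l_port, str(l_ip), pid))
        elif state == "ESTABLISHED" and not any(r_ip in net for net in INTERNAL):
            findings.append(("external-peer", l_port, str(r_ip), pid))
    return findings

if __name__ == "__main__":
    for kind, port, addr, pid in audit(SAMPLE):
        print(f"{kind}: {SERVERPROTECT_PORTS[port]} port {port}/TCP, address {addr}, PID {pid}")
```

A non-loopback listener is only reachable from the internet if no firewall blocks it, so treat that finding as a prompt to verify the perimeter rule rather than as proof of exposure.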

Update 25/8

Trend has provided a signature for this issue. If you are running regular updates, then the relevant pattern file should already be applied (4.668.09 onwards). You might want to run a scan on the machine, though, to be on the safe side. Also, don't forget to apply the patch.