Last Updated: 2007-08-23 07:02:50 UTC
by Kyle Haugsness (Version: 2)
We are seeing some heavy scanning activity on TCP 5168, probably aimed at Trend Micro ServerProtect. Vulnerabilities were announced for this product yesterday: http://secunia.com/advisories/26523/ and http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=588
It does indeed look like machines are getting owned with this vulnerability. More info to come...
UPDATE: To expedite your patch finding needs, Trend Micro has made product patches available for download from:
OPEN CALL FOR Trend Micro management service "RELATED" PACKETS!
I had just made a request for packets from one of our writers, and figured it a great opportunity to make it open season for packets.
If you, *reading this*, are witness to TCP port 5168 scanning activity, and feel you have a reasonably safe platform to perform additional data collection for us, we'd really appreciate it.
I am making blind assumptions that you have a linux host out there on publicly routable IP space of course:
1. We need some full packet capture for traffic inbound to your analysis host on TCP port 5168, and let it run...
2. Also, netcat listener enabled service port emulation to capture any possible initial payload beyond arbitrary scanning.
For the netcat interaction, the GNU version of 'netcat' would be required ( http://netcat.sf.net), as the 'nc' binary commonly distributed by default does not have the features preferred for capturing service data. Also, I do recommend running the never-ending loop from within a screen session, so you can kill the screen to stop the infinite loop.
# tcpdump -i eth0 -s0 -nn -w trend-of-evil.pcap tcp port 5168 &
$ screen -S trend
# NOW YOU ARE IN SCREEN! w00f-w00f!
$ while true; do
    netcat -x -o monitoring-the-trend-of-evil.hex.txt -vv -l -p 5168 >> monitoring-the-trend-of-evil.txt
    date +%Y%m%d-%H%M%S >> monitoring-the-trend-of-evil.txt
  done
If you spot any unusual frequency of activity, *especially* if you have no particular idea of what might be in the *.hex.txt output file, then ship us a copy via our handy dandy file submission contact form at http://isc.sans.org/contact.html
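As an added example (this is not code from the diary, from ISC, or from Trend Micro), here is a small Python listener that does the job of the netcat loop above: it accepts connections on the scanned port, records a timestamp in the same format as the diary's date command, the peer address, and a hex dump of whatever the connection sends first, then keeps listening. Port 5168 is taken from the diary; the log file name, the timeouts, and the byte limit are assumptions. One connection is handled per thread, so a peer that connects and goes quiet cannot block the next accept the way a single netcat -l would, and a connect-and-close scan still leaves a logged entry.

```python
"""Added example: a TCP listener standing in for the netcat loop, logging a
timestamp, the peer, and a hex dump of each connection's initial payload.
Port 5168 comes from the diary; everything else here is assumed."""
import datetime
import socket
import threading

CAPTURE_PORT = 5168        # port being scanned, per the diary
READ_TIMEOUT = 5.0         # seconds to wait for a payload before logging the connection (assumed)
MAX_BYTES = 4096           # only the initial payload is of interest (assumed)
LOG_FILE = "monitoring-the-trend-of-evil.txt"   # hypothetical name, mirrors the diary
LOG_LOCK = threading.Lock()   # several connections may be logged at once


def hexdump(data: bytes, width: int = 16) -> str:
    """Offset / hex bytes / printable ASCII, one line per `width` bytes."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hex_part = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hex_part:<{width * 3 - 1}}  {text}")
    return "\n".join(lines)


def record_connection(peer, data: bytes, when=None) -> str:
    """One log entry per connection, stamped like the diary's `date +%Y%m%d-%H%M%S`."""
    when = when or datetime.datetime.now(datetime.timezone.utc)
    header = f"=== {when.strftime('%Y%m%d-%H%M%S')} {peer[0]}:{peer[1]} {len(data)} bytes"
    if not data:
        # A scanner that connects and closes (or never sends) still leaves a trace.
        return header + " (connected, sent nothing)\n"
    return header + "\n" + hexdump(data) + "\n"


def handle(conn, peer, log) -> str:
    """Read up to MAX_BYTES or until the peer closes / goes quiet, then log it."""
    conn.settimeout(READ_TIMEOUT)
    chunks, total = [], 0
    try:
        while total < MAX_BYTES:
            chunk = conn.recv(MAX_BYTES - total)
            if not chunk:          # peer closed its side
                break
            chunks.append(chunk)
            total += len(chunk)
    except socket.timeout:
        pass                       # quiet peer: log what we have so far
    finally:
        conn.close()
    entry = record_connection(peer, b"".join(chunks))
    with LOG_LOCK:
        log.write(entry)
        log.flush()
    return entry


def make_listener(port: int) -> socket.socket:
    """Bound, listening socket; port 0 lets the OS pick (handy for tests)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("0.0.0.0", port))
    srv.listen(16)
    return srv


def accept_loop(srv: socket.socket, log, max_connections=None) -> int:
    """Accept forever (or max_connections times); one thread per connection so a
    slow peer never blocks the next accept, unlike a single netcat -l."""
    handled, workers = 0, []
    while max_connections is None or handled < max_connections:
        conn, peer = srv.accept()
        t = threading.Thread(target=handle, args=(conn, peer, log), daemon=True)
        t.start()
        workers.append(t)
        handled += 1
    for t in workers:
        t.join()
    return handled


if __name__ == "__main__":
    # Port 5168 is above 1024, so this needs no root; run the tcpdump from the
    # diary alongside it if you also want the full packet capture.
    with open(LOG_FILE, "a") as log:
        accept_loop(make_listener(CAPTURE_PORT), log)
```

The listener only records what arrives; it never answers, so it is not an emulation of the ServerProtect service, just a sink for whatever a scanner sends on connect. Pair it with the tcpdump line from the diary for the pcap, and treat the resulting log as something to ship rather than something to run.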
Last Updated: 2007-08-22 18:55:41 UTC
by Kyle Haugsness (Version: 1)
We received several messages yesterday about the monster.com incident and personal information on 1.6 million users of monster.com stolen. We actually reported on this two days ago here: http://isc.sans.org/diary.html?storyid=3295. At the time, SecureWorks had discovered a cache of only 46,000 users. Funny how the number of users affected (large in either case) forced the press coverage to become way bigger.
The incident reminds me of the LexisNexis compromise where a police officer's computer was compromised and his LexisNexis account was used to lookup personal information on 310,000 people. Wired has a good article on the entire story from May 2005: http://www.wired.com/techbiz/media/news/2005/05/67629?currentPage=all