Increase in TCP 5554 activity; Fragmented IP traffic towards port 16191; Please patch your Symantec/Norton firewall products

Published: 2004-05-14
Last Updated: 2004-05-15 00:02:46 UTC
by Handlers (Version: 1)
0 comment(s)
Increase in TCP 5554 activity

Looks like there is an increase in TCP 5554 activity. This is due to
public exploits against the FTP daemon installed by the Sasser worm and
may be related to the "Dabber" worm covered in yesterday's diary entry.
Basically, this is malware attacking malware. If you aren't infected
with the Sasser worm, then you won't be infected with this.

In addition to the "Dabber" automated worm, we have reports that the
exploit is being manually executed against vulnerable hosts, which is
somewhat rare in these days of automated exploits and bot networks.

Fragmented IP traffic towards port 16191

We have received a report of fragmented IP traffic with source and
destination ports both set to 16191. At this point, we don't have
many details but would like to see if anybody else is seeing similar

Please patch your Symantec/Norton firewall products

As discussed in the diaries for the last two days, there are several
vulnerabilities in Symantec/Norton firewall products. Exploit code is
currently being developed. If you run these products (even behind
other firewalls), you are highly urged to apply the vendor patches.
You may recall the worm "Witty" attacked a similar flaw in ISS products
that caused major problems for people running those products.

Download the patches here:

Remember the Witty worm:
0 comment(s)


Diary Archives