Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: InfoSec Handlers Diary Blog - Scanning for Symantec Endpoint Manager InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Scanning for Symantec Endpoint Manager

Published: 2014-02-17
Last Updated: 2014-02-17 18:06:51 UTC
by Johannes Ullrich (Version: 1)
2 comment(s)

Last week, we mentioned a new vulnerability in Symantec Endpoint Protection Management [1]. According to Symantec's advisory, this product listens on port 9090 and 8443/TCP. Both ports are scanned regularly for various vulnerabilities, in particular 8443, being that it is frequently used by web servers as an alternative to 443. However, on February 7th, we detected a notable increase in scans for both ports. 

(click on image for larger version)

Interestingly, it looks like two different IP addresses caused this increase, scanning for one port only each. is the "heavy hitter" for port 8443, and for port 9090. There is no organizational connection between the two IPs based on Whois. is assigned to a University in China (the whois record contains a bit a weird looking "description": 华南理工大薛3够 ). is assigned to a british hosting company. 

My assumption is that both hosts were compromised at the time. 

Today, we are also seeing a large increase in scanning for port 9090, pointing to someone building a target list of vulnerable systems. Pretty much the only source scanning today is This address is interesting in that it is not assigned according to APNIC (the RIR in charge of this address), but it does respond to pings. It runs a phpmyadmin website as default host, which pretty much guarantees that it is a compromised system (could actually also be a honeypot).


Johannes B. Ullrich, Ph.D.
SANS Technology Institute

2 comment(s)
Diary Archives