Last Updated: 2014-02-17 18:06:51 UTC
by Johannes Ullrich (Version: 1)
Last week, we mentioned a new vulnerability in Symantec Endpoint Protection Management . According to Symantec's advisory, this product listens on port 9090 and 8443/TCP. Both ports are scanned regularly for various vulnerabilities, in particular 8443, being that it is frequently used by web servers as an alternative to 443. However, on February 7th, we detected a notable increase in scans for both ports.
(click on image for larger version)
Interestingly, it looks like two different IP addresses caused this increase, scanning for one port only each.
220.127.116.11 is the "heavy hitter" for port 8443, and 18.104.22.168 for port 9090. There is no organizational connection between the two IPs based on Whois.
My assumption is that both hosts were compromised at the time.
Today, we are also seeing a large increase in scanning for port 9090, pointing to someone building a target list of vulnerable systems. Pretty much the only source scanning today is 113.010.155.079. This address is interesting in that it is not assigned according to APNIC (the RIR in charge of this address), but it does respond to pings. It runs a phpmyadmin website as default host, which pretty much guarantees that it is a compromised system (could actually also be a honeypot).