Last Updated: 2007-08-23 07:02:50 UTC
by Kyle Haugsness (Version: 2)
We are seeing some heavy scanning activity on TCP 5168, probably for Trend Micro ServerProtect. Vulnerabilities were announced for this product yesterday: http://secunia.com/advisories/26523/ and http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=588
It does indeed look like machines are getting owned with this vulnerability. More info to come...
UPDATE: To expedite your search for patches, Trend Micro has made product patches available for download from:
OPEN CALL FOR Trend Micro management service "RELATED" PACKETS!
I had just made a request for packets from one of our writers, and figured it a great opportunity to make it open season for packets.
If you, *reading this*, are witnessing TCP port 5168 scanning activity and feel you have a reasonably safe platform on which to perform additional data collection for us, we'd really appreciate it.
I am making the blind assumption that you have a Linux host out there on publicly routable IP space, of course:
1. We need a full packet capture of traffic inbound to your analysis host on TCP port 5168; start it and let it run...
2. Also, a netcat listener emulating the service port, to capture any initial payload that goes beyond bare scanning.
For the netcat interaction, the GNU version of 'netcat' would be required (http://netcat.sf.net), as the 'nc' binary commonly distributed by default does not have the features preferred for capturing service data. Also, I do recommend running the never-ending loop from within a screen session; you can then kill the screen session to stop the infinite loop.
# tcpdump -i eth0 -s0 -nn -w trend-of-evil.pcap tcp port 5168 &
$ screen -S trend
# NOW YOU ARE IN SCREEN! w00f-w00f!
$ while true; do
    netcat -x -o monitoring-the-trend-of-evil.hex.txt -vv -l -p 5168 >> monitoring-the-trend-of-evil.txt
    date +%Y%m%d-%H%M%S >> monitoring-the-trend-of-evil.txt
  done
If you spot any unusual frequency of activity, *especially* if you have no particular idea of what might be in the *.hex.txt output file, then ship us a copy via our handy dandy file submission contact form at http://isc.sans.org/contact.html
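Once the tcpdump capture has run for a while, a quick per-source triage of the pcap tells you whether you are looking at bare SYN scanning or at hosts that complete the handshake and push a payload worth forwarding. The script below is an added example, not code from this diary or from Trend Micro: it parses a classic pcap as written by `tcpdump -w` (Ethernet link type), keeps only TCP traffic to port 5168, and reports per source the number of connection attempts, the payload volume and the first payload bytes in hex. The embedded sample pcap is constructed inline so it runs offline; its payload bytes are invented filler and say nothing about the real ServerProtect protocol.

```python
import struct
import socket
from collections import defaultdict

TARGET_PORT = 5168  # TCP port the diary asks readers to monitor

SYN, PSH, ACK = 0x02, 0x08, 0x10


def _ipv4_header(src, dst, payload_len, proto=6):
    # Minimal 20-byte IPv4 header; checksum left 0 because these frames are
    # only ever parsed by this script, never put on the wire.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                       64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def _tcp_header(sport, dport, flags):
    # Minimal 20-byte TCP header (data offset 5, no options), checksum 0.
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0)


def build_frame(src, dst, sport, dport, flags, payload=b""):
    """Build an Ethernet/IPv4/TCP frame (constructed test data, not real traffic)."""
    eth = b"\x00" * 12 + b"\x08\x00"  # dummy MACs, EtherType IPv4
    tcp = _tcp_header(sport, dport, flags) + payload
    return eth + _ipv4_header(src, dst, len(tcp)) + tcp


def build_pcap(frames, start_ts=1187852570):
    """Wrap frames in a classic little-endian pcap (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", start_ts + i, 0, len(frame), len(frame)) + frame
    return out


def iter_frames(pcap):
    """Yield (timestamp, frame_bytes) from a classic pcap as written by tcpdump -w."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic microsecond pcap file")
    offset = 24  # skip the global header
    while offset + 16 <= len(pcap):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(endian + "IIII", pcap[offset:offset + 16])
        offset += 16
        yield ts_sec + ts_usec / 1e6, pcap[offset:offset + incl_len]
        offset += incl_len


def decode_tcp(frame):
    """Return (src, dst, sport, dport, flags, payload), or None if not IPv4/TCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    tcp = frame[14 + ihl:14 + total_len]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return src, dst, sport, dport, tcp[13], tcp[data_off:]


def summarize(pcap, port=TARGET_PORT):
    """Per-source view of traffic to `port`: connection attempts (SYN without ACK),
    total payload bytes, and the first 32 payload bytes as hex for a quick look."""
    stats = defaultdict(lambda: {"syns": 0, "payload_bytes": 0, "first_payload": None})
    for _, frame in iter_frames(pcap):
        pkt = decode_tcp(frame)
        if pkt is None or pkt[3] != port:
            continue
        src, flags, payload = pkt[0], pkt[4], pkt[5]
        entry = stats[src]
        if flags & SYN and not flags & ACK:
            entry["syns"] += 1
        if payload:
            entry["payload_bytes"] += len(payload)
            if entry["first_payload"] is None:
                entry["first_payload"] = payload[:32].hex()
    return dict(stats)


# Constructed sample: one host completes the handshake and sends an opaque
# blob, one only SYN-scans twice, and one hits an unrelated port.
SAMPLE_PCAP = build_pcap([
    build_frame("192.0.2.10", "203.0.113.5", 40001, 5168, SYN),
    build_frame("192.0.2.10", "203.0.113.5", 40001, 5168, ACK),
    build_frame("192.0.2.10", "203.0.113.5", 40001, 5168, PSH | ACK, b"\x10\x00\x00\x00" + b"A" * 12),
    build_frame("192.0.2.20", "203.0.113.5", 51000, 5168, SYN),
    build_frame("192.0.2.20", "203.0.113.5", 51000, 5168, SYN),
    build_frame("192.0.2.30", "203.0.113.5", 51001, 80, SYN),
])

if __name__ == "__main__":
    for src, entry in sorted(summarize(SAMPLE_PCAP).items()):
        print(src, entry)
```

To run it against a real capture, replace `SAMPLE_PCAP` with `open("trend-of-evil.pcap", "rb").read()`; sources with a non-zero `payload_bytes` are the ones whose sessions in the netcat hex dump deserve a closer look before you submit the files.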