What's up with port 12174? Possible Symantec server compromise?

Published: 2009-12-29. Last Updated: 2009-12-30 14:58:37 UTC
by Rick Wanner (Version: 3)
5 comment(s)

This is a heads-up that we have received a number of queries from readers about an increase in probes to port 12174.  The dshield data for port 12174 clearly corroborates a large increase.

Another reader indicates that they are seeing Symantec servers being attacked and compromised via port 12174.  Once compromised a whole bunch of nasty malware is downloaded to the machine.  He provides a tcpdump signature which has been effective for them in helping detect the resulting traffic.

'src port 7000 and dst port 445'

If anyone has first-hand observations into what is going on, please let us know via our contact link.

Update:

This appears to only affect Symantec servers which have not been updated as per the Symantec Security Advisory from April of this year.  The actual vulnerability is in LANDesk which runs on port 12174 and is used by the Symantec Alert Management System.

It appears Nessus plugin 38664 can be used to help identify vulnerable systems.

More information on fixing this vulnerability is available over at the Security Braindump Blog.

-- Rick Wanner - rwanner at isc dot sans dot org

Keywords: 12174 symantec
5 comment(s)

Comments

OSVDB indicates that Symantec has a remote code execution vulnerability that has been public since April 28th. It wouldn't surprise me if someone has created a worm to exploit this. http://osvdb.org/54157
TCP 12174 is LANDesk related. It also happens that some Symantec products include this LANDesk component as an optional item. See http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=23357
Also, I believe Nessus plugin 38664 may cover the vulnerability being exploited, but I do not have confirmation.
Symantec noticed the active exploitation of this vulnerability on Christmas Eve, see this page buried on their web-site: http://www.symantec.com/security_response/threatconlearn.jsp
Symantec noticed the active exploitation of this vulnerability on Christmas Eve, see this page buried on their web-site: http://www.symantec.com/security_response/threatconlearn.jsp

Diary Archives