Port 10000; ssh brute forcing; yet another bagle?
Scans for port 10000/tcp have been increasing ever since the release of the Veritas Backup Exec exploit. This exploit is now available in various easy to use forms, including a Metasploit plug-in.
At this point, we are recommending:
(1) Block traffic to/from port 10000/tcp (note: this may be a bit tricky if you don\'t have a stateful firewall, as port 10000/tcp may be used by various clients as an ephemeral port)
(2) Verify that all your Veritas servers are patched.
(3) Scan your network for overlooked or already exploited Veritas servers.
One reader noted that after a system has been hit with the exploit, it will no longer listen on port 10000, as the service will die. However, it will still listen on port 6101.
Snort Signatures for the exploit as used by Metasploit (from Paul Dokas. Thanks!):
Related URLs:
Veritas Announcement:
http://seer.support.veritas.com/docs/276604.htm
Metasploit:
http://www.metasploit.org/projects/Framework/modules/exploits/backupexec_agent.pm
Nothing fundamentally new. Nathaniel Hall observed a shift of attack sources from Asia to the US. Doesn't look like the nature of the attacks changed. Each source attempted to log in using a few hundred different user names.
Frederick Lambany sent a sample of what looks like a newer Bagle version. Most AV products will catch this one using generic bagle signatures. Given the large number of bagle variants, it is hard to figure out if this one is actually new.
According to Virustotal, McAfee and Symantec are not detecting this sample at this point (will resubmit shortly to see if they have new signatures for it now).
---------
Johannes Ullrich, Chief Research Officer, SANS Inst.
jullrich\'; drop table spamaddr;'@sans.org
At this point, we are recommending:
(1) Block traffic to/from port 10000/tcp (note: this may be a bit tricky if you don\'t have a stateful firewall, as port 10000/tcp may be used by various clients as an ephemeral port)
(2) Verify that all your Veritas servers are patched.
(3) Scan your network for overlooked or already exploited Veritas servers.
One reader noted that after a system has been hit with the exploit, it will no longer listen on port 10000, as the service will die. However, it will still listen on port 6101.
Snort Signatures for the exploit as used by Metasploit (from Paul Dokas. Thanks!):
alert tcp $EXTERNAL_NET any -> $HOME_NET 10000
(msg: \"Possible BackupExec Exploit (inbound)\";
content: \"|00 00 03 00 00 02 00 58 58 58|\";
offset: 24; depth: 20; classtype: attempted-admin;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 10000
(msg: \"Possible BackupExec Exploit (outbound)\";
content: \"|00 00 03 00 00 02 00 58 58 58|\";
offset: 24; depth: 20; classtype: attempted-admin;)
Related URLs:
Veritas Announcement:
http://seer.support.veritas.com/docs/276604.htm
Metasploit:
http://www.metasploit.org/projects/Framework/modules/exploits/backupexec_agent.pm
ssh brute forcing
Nothing fundamentally new. Nathaniel Hall observed a shift of attack sources from Asia to the US. Doesn't look like the nature of the attacks changed. Each source attempted to log in using a few hundred different user names.
Yet another Bagle
Frederick Lambany sent a sample of what looks like a newer Bagle version. Most AV products will catch this one using generic bagle signatures. Given the large number of bagle variants, it is hard to figure out if this one is actually new.
According to Virustotal, McAfee and Symantec are not detecting this sample at this point (will resubmit shortly to see if they have new signatures for it now).
---------
Johannes Ullrich, Chief Research Officer, SANS Inst.
jullrich\'; drop table spamaddr;'@sans.org
Keywords:
0 comment(s)
My next class:
| Application Security: Securing Web Apps, APIs, and Microservices | Washington | Jul 14th - Jul 19th 2025 |
×
![modal content]()
Diary Archives
Comments