SANS ISC: Port 10000; ssh brute forcing; yet another bagle?
Scans for port 10000/tcp have been increasing ever since the release of the Veritas Backup Exec exploit. This exploit is now available in various easy-to-use forms, including a Metasploit plug-in.

At this point, we are recommending:

(1) Block traffic to/from port 10000/tcp (note: this may be a bit tricky if you don't have a stateful firewall, as port 10000/tcp may be used by various clients as an ephemeral port)

(2) Verify that all your Veritas servers are patched.

(3) Scan your network for overlooked or already exploited Veritas servers.
One reader noted that after a system has been hit with the exploit, it will no longer listen on port 10000, as the service will die. However, it will still listen on port 6101.

Snort Signatures for the exploit as used by Metasploit (from Paul Dokas. Thanks!):

# sid/rev added: Snort requires both on every rule. 1000001/1000002 are
# local-range placeholders; adjust them to your own numbering scheme.
alert tcp $EXTERNAL_NET any -> $HOME_NET 10000 \
    (msg:"Possible BackupExec Exploit (inbound)"; \
    content:"|00 00 03 00 00 02 00 58 58 58|"; \
    offset:24; depth:20; classtype:attempted-admin; \
    sid:1000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 10000 \
    (msg:"Possible BackupExec Exploit (outbound)"; \
    content:"|00 00 03 00 00 02 00 58 58 58|"; \
    offset:24; depth:20; classtype:attempted-admin; \
    sid:1000002; rev:1;)

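To make explicit what the offset/depth modifiers in those rules constrain, here is an added Python re-implementation of the content check (example code, not from the diary, Snort or Metasploit), run over constructed payloads rather than real captures. The constant and sample names are mine; the byte pattern, offset and depth are the ones from the rules.

```python
# Added example: re-implements the content/offset/depth check of the two
# BackupExec Snort rules and shows which constructed payloads they would flag.

# Byte pattern from the rule: content:"|00 00 03 00 00 02 00 58 58 58|"
BACKUPEXEC_PATTERN = bytes.fromhex("00 00 03 00 00 02 00 58 58 58")
RULE_OFFSET = 24  # offset:24 -> start searching at payload byte 24
RULE_DEPTH = 20   # depth:20  -> search only 20 bytes from that offset


def content_match(payload: bytes, pattern: bytes, offset: int, depth: int) -> bool:
    """Snort 'content' with offset/depth: the pattern must lie entirely
    inside payload[offset:offset+depth]."""
    if depth < len(pattern):
        raise ValueError("depth must be at least the content length")
    window = payload[offset:offset + depth]
    return pattern in window


def is_backupexec_exploit(payload: bytes) -> bool:
    """True if this TCP payload would trigger the BackupExec rules above."""
    return content_match(payload, BACKUPEXEC_PATTERN, RULE_OFFSET, RULE_DEPTH)


def sample_payload(lead: int, trail: int = 16) -> bytes:
    """Constructed payload: filler, the pattern at byte `lead`, more filler."""
    return b"\x41" * lead + BACKUPEXEC_PATTERN + b"\x42" * trail


# Constructed samples, not real captures. The search window is bytes 24..43,
# so the 10-byte pattern matches only when it starts somewhere in 24..34.
SAMPLES = {
    "pattern_at_24": sample_payload(24),  # flagged: starts at the offset
    "pattern_at_34": sample_payload(34),  # flagged: ends exactly at byte 43
    "pattern_at_35": sample_payload(35),  # not flagged: last byte outside depth
    "pattern_at_10": sample_payload(10),  # not flagged: before the offset
    "benign_short": b"\x41" * 30,          # not flagged: pattern absent
}


def classify_samples() -> dict:
    """Map each constructed sample name to whether the rule would fire."""
    return {name: is_backupexec_exploit(p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in classify_samples().items():
        print(f"{name:14s} -> {'ALERT' if hit else 'no match'}")
```

The pattern_at_35 case is the one worth noting: a payload carrying the exploit marker one byte too deep is silently missed, so the depth value is a tuning decision, not a detail.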
Related URLs:

Veritas Announcement:

http://seer.support.veritas.com/docs/276604.htm

Metasploit:

http://www.metasploit.org/projects/Framework/modules/exploits/backupexec_agent.pm

ssh brute forcing

Nothing fundamentally new. Nathaniel Hall observed a shift of attack sources from Asia to the US. Doesn't look like the nature of the attacks changed. Each source attempted to log in using a few hundred different user names.

Yet another Bagle

Frederick Lambany sent a sample of what looks like a newer Bagle version. Most AV products will catch this one using generic Bagle signatures. Given the large number of Bagle variants, it is hard to figure out if this one is actually new.
According to VirusTotal, McAfee and Symantec are not detecting this sample at this point (will resubmit shortly to see if they have new signatures for it now).

---------

Johannes Ullrich, Chief Research Officer, SANS Inst.
