Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Ramp up on Port 5168 SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms: https://isctv.sans.edu

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Ramp up on Port 5168
We received an email today from one of our readers, Kent, indicating that they had an intrusion. Investigation indicates that they have a ServU FTP serving masquerading as javavm.exe. The program is listening on port 1999. It also is trying to connect to port 3389 (Windows Terminal Server Service).

Kent says: “The machine is off the net now, but the attacker keeps trying to connect to it, e.g. on port 1999 and port 3389. He also tries to connect to port 5168 on another machine (harmless, it turns out).”

Kent says that they are running Trend Micro Anti Virus. A quick look at DShield for current port activity reports confirms that there is something going on with port 5168.  The sources and targets have escalated rapidly in the last 3 days.

http://www.dshield.org/port.html?port=5168

At this point nothing definitive but I suspect that it has something to do with:

Trend Micro ServerProtect EarthAgent Stack Overflow Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-07-025.html

Trend Micro ServerProtect AgRpcCln.dll Stack Overflow Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-07-024.html

Trend Micro has issued these advisories for ServerProtect v5.58. It appears that there are some vulnerable installations of Trend Micro ServerProtect out there that may be getting snagged.

We have had other reports of some snooping for the open port 5168 devices on the net. If anyone is seeing an increase in activity on either port 5168 or 3628, and you can capture some packets for us, we would appreciate it. Also, if anyone else has had this intrusion and you can identify the executable involved, we would like copies of the exe files as well. Please zip and password protect the exe files if possible. All of these can be uploaded to our malware site at:

http://isc.sans.org/contact.html

We will keep you updated on what we find out.
Deborah

278 Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!