Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: Ramp up on Port 5168 SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Ramp up on Port 5168
We received an email today from one of our readers, Kent, indicating that they had an intrusion. Investigation indicates that they have a ServU FTP serving masquerading as javavm.exe. The program is listening on port 1999. It also is trying to connect to port 3389 (Windows Terminal Server Service).

Kent says: “The machine is off the net now, but the attacker keeps trying to connect to it, e.g. on port 1999 and port 3389. He also tries to connect to port 5168 on another machine (harmless, it turns out).”

Kent says that they are running Trend Micro Anti Virus. A quick look at DShield for current port activity reports confirms that there is something going on with port 5168.  The sources and targets have escalated rapidly in the last 3 days.

At this point nothing definitive but I suspect that it has something to do with:

Trend Micro ServerProtect EarthAgent Stack Overflow Vulnerability

Trend Micro ServerProtect AgRpcCln.dll Stack Overflow Vulnerability

Trend Micro has issued these advisories for ServerProtect v5.58. It appears that there are some vulnerable installations of Trend Micro ServerProtect out there that may be getting snagged.

We have had other reports of some snooping for the open port 5168 devices on the net. If anyone is seeing an increase in activity on either port 5168 or 3628, and you can capture some packets for us, we would appreciate it. Also, if anyone else has had this intrusion and you can identify the executable involved, we would like copies of the exe files as well. Please zip and password protect the exe files if possible. All of these can be uploaded to our malware site at:

We will keep you updated on what we find out.

279 Posts
ISC Handler
May 9th 2007

Sign Up for Free or Log In to start participating in the conversation!