This is a heads-up that we have received a number of queries from readers about an increase in probes to port 12174.  The dshield data for port 12174 clearly corroborates a large increase.

Another reader indicates that they are seeing Symantec servers being attacked and compromised via port 12174.  Once compromised a whole bunch of nasty malware is downloaded to the machine.  He provides a tcpdump signature which has been effective for them in helping detect the resulting traffic.

'src port 7000 and dst port 445'

If anyone has first-hand observations into what is going on, please let us know via our contact link.

Update:

This appears to only affect Symantec servers which have not been updated as per the Symantec Security Advisory from April of this year.  The actual vulnerability is in LANDesk which runs on port 12174 and is used by the Symantec Alert Management System.

It appears Nessus plugin 38664 can be used to help identify vulnerable systems.

More information on fixing this vulnerability is available over at the Security Braindump Blog.

-- Rick Wanner - rwanner at isc dot sans dot org