Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Trend Micro scanning on TCP 5168 - SANS Internet Storm Center SANS ISC InfoSec Forums

Trend Micro scanning on TCP 5168

We are seeing some heavy scanning activity on TCP 5168, probably for Trend Micro ServerProtect.  Vulnerabilities were announced for this product yesterday. and

It does indeed look like machines are getting owned with this vulnerability.  More info to come...


UPDATE: To expedite your patch finding needs, Trend Micro has made product patches available for download from:


OPEN CALL FOR Trend Micro management service "RELATED" PACKETS! 

I had just made a request for packets from one of our writers, and figured it a great opportunity to make it open season for packets.

If you, *reading this*, are witness to TCP port 5168 scanning activity, and feel you have a reasonably safe platform to perform additional data collection for us, we'd really appreciate it.

I am making blind assumptions that you have a Linux host out there on publicly routable IP space, of course:
1. We need some full packet capture for traffic inbound to your analysis host on TCP port 5168, and let it run...
2. Also, a netcat listener for service port emulation, to capture any possible initial payload beyond arbitrary scanning.
   For the netcat interaction, the GNU version of 'netcat' would be required (as the 'nc' binary commonly distributed by default does not have the features preferred for capturing service data).  Also, I do recommend running the never-ending loop from within a screen session, and you can kill the screen to dump the infinite loop.

# tcpdump -i eth0 -s0 -nn -w trend-of-evil.pcap tcp port 5168 &

$ screen -S trend
   # NOW YOU ARE IN SCREEN!  w00f-w00f!
$ while true; do
    # GNU netcat: -x hexdumps the session, -o writes that hexdump to a file;
    # the raw data the scanner sends goes to the .txt file via stdout.
    # netcat exits when the client disconnects, so the loop re-arms the listener.
    netcat -x -o monitoring-the-trend-of-evil.hex.txt -vv -l -p 5168 >> monitoring-the-trend-of-evil.txt
    # timestamp each connection so frequency can be judged later
    date +%Y%m%d-%H%M%S >> monitoring-the-trend-of-evil.txt
  done
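For hosts without GNU netcat, here is an added example (not from the ISC post, and not a Trend Micro component) that does the same job as the netcat loop in Python: accept one connection at a time on TCP 5168, timestamp it, record the source and a hexdump of whatever the client sends, then re-arm. The 10-second read timeout, the 64 KiB per-connection cap and the file name are assumptions.

```python
import socket
from datetime import datetime, timezone

READ_TIMEOUT = 10.0   # seconds to wait for a payload before giving up (assumption)
MAX_BYTES = 65536     # per-connection cap so a flood cannot fill the disk (assumption)


def hexdump(data: bytes, width: int = 16) -> str:
    """Render bytes as offset / hex / printable columns, like 'netcat -x'."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk).ljust(width * 3 - 1)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart}  {text}")
    return "\n".join(lines)


def format_record(stamp: str, peer: tuple, data: bytes) -> str:
    """One log entry: timestamp, source ip:port, byte count, then the hexdump."""
    header = f"{stamp} {peer[0]}:{peer[1]} {len(data)} bytes"
    body = hexdump(data) if data else "(no payload: bare connect, probably a scan)"
    return f"{header}\n{body}\n"


def read_payload(conn: socket.socket) -> bytes:
    """Read until the client closes, the read times out, or MAX_BYTES is reached."""
    conn.settimeout(READ_TIMEOUT)
    buf = b""
    try:
        while len(buf) < MAX_BYTES:
            chunk = conn.recv(4096)
            if not chunk:
                break
            buf += chunk
    except socket.timeout:
        pass  # the client connected but never spoke, or stalled mid-stream
    return buf[:MAX_BYTES]


def serve(logfile: str = "monitoring-the-trend-of-evil.txt", port: int = 5168) -> None:
    """Accept connections forever, one at a time, appending one record per connection."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv, open(logfile, "a") as fh:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", port))
        srv.listen(16)
        while True:
            conn, peer = srv.accept()
            with conn:
                data = read_payload(conn)
            stamp = datetime.now(timezone.utc).strftime("%Y%m%d-%H%M%S")
            fh.write(format_record(stamp, peer, data))
            fh.flush()
```

Call serve() from an interpreter running with the privilege to bind port 5168; the tcpdump capture above still gives you the full packets, this only makes the scanner's first bytes easy to read.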


If you spot any unusual frequency of activity, *especially* if you have no particular idea of what might be in the *.hex.txt output file, then ship us a copy via our handy dandy file submission contact form at





112 Posts
Aug 23rd 2007
