This is a heads-up that we have received a number of queries from readers about an increase in probes to port 12174. The DShield data for port 12174 clearly corroborates a large increase. Another reader indicates that they are seeing Symantec servers being attacked and compromised via port 12174. Once compromised, a whole bunch of nasty malware is downloaded to the machine. He provides a tcpdump signature which has been effective for them in helping detect the resulting traffic: 'src port 7000 and dst port 445'. If anyone has first-hand observations into what is going on, please let us know via our contact link.
-- Rick Wanner - rwanner at isc dot sans dot org
Rick 324 Posts ISC Handler Dec 29th 2009
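One way to triage capture output against the two observations in the diary above (inbound probes to port 12174, then traffic matching 'src port 7000 and dst port 445'), as an added example that is not part of the original diary. It assumes text output from `tcpdump -nn -tt`; the function name `triage` and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

PROBE_PORT = 12174            # port the diary reports probes against
SIG_SRC, SIG_DST = 7000, 445  # reader's filter: 'src port 7000 and dst port 445'

# Assumed input: tcpdump -nn -tt text, "<epoch> IP <src>.<sport> > <dst>.<dport>: ..."
LINE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<rest>.*)$"
)

# Constructed sample lines (documentation address ranges), not a real capture.
SAMPLE = """\
1262100000.10 IP 203.0.113.9.40112 > 192.0.2.10.12174: Flags [S], seq 1, win 65535, length 0
1262100000.20 IP 203.0.113.9.40113 > 192.0.2.11.12174: Flags [S], seq 1, win 65535, length 0
1262100042.00 IP 192.0.2.10.7000 > 198.51.100.7.445: Flags [S], seq 9, win 8192, length 0
1262100043.00 IP 192.0.2.10.7000 > 198.51.100.8.445: Flags [S], seq 9, win 8192, length 0
1262100050.00 IP 192.0.2.30.7000 > 198.51.100.9.445: Flags [S], seq 9, win 8192, length 0
1262100051.00 IP 192.0.2.11.51000 > 198.51.100.9.445: Flags [S], seq 9, win 8192, length 0
garbled line that should be skipped
"""

def triage(text):
    """Return {host: {"probed_at", "probers", "sig_targets", "probe_then_sig"}}."""
    hosts = defaultdict(lambda: {"probed_at": None, "probers": set(),
                                 "sig_targets": set(), "probe_then_sig": False})
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # non-IP or unparseable line
        ts, sport, dport = float(m["ts"]), int(m["sport"]), int(m["dport"])
        if dport == PROBE_PORT and "Flags [S]" in m["rest"]:
            h = hosts[m["dst"]]          # local host receiving a SYN on 12174
            h["probers"].add(m["src"])
            if h["probed_at"] is None:
                h["probed_at"] = ts
        elif sport == SIG_SRC and dport == SIG_DST:
            h = hosts[m["src"]]          # host emitting the signature traffic
            h["sig_targets"].add(m["dst"])
            # Highest priority: signature traffic seen after an inbound probe.
            if h["probed_at"] is not None and ts >= h["probed_at"]:
                h["probe_then_sig"] = True
    return dict(hosts)

if __name__ == "__main__":
    for host, info in sorted(triage(SAMPLE).items()):
        print(host, info)
```

Hosts with `probe_then_sig` set are the ones to examine first; a host that only shows signature traffic may have been probed before the capture started.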
OSVDB indicates that Symantec has a remote code execution vulnerability that has been public since April 28th. It wouldn't surprise me if someone has created a worm to exploit this. http://osvdb.org/54157
Anonymous, Dec 29th 2009
TCP 12174 is LANDesk related. It also happens that some Symantec products include this LANDesk component as an optional item. See http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=23357
Anonymous, Dec 29th 2009
Also, I believe Nessus plugin 38664 may cover the vulnerability being exploited, but I do not have confirmation.
Anonymous, Dec 29th 2009
Symantec noticed the active exploitation of this vulnerability on Christmas Eve, see this page buried on their web-site: http://www.symantec.com/security_response/threatconlearn.jsp
Anonymous, Dec 30th 2009