Trend Micro ServerProtect Update
Indications are that the ServerProtect exploit is against an older vulnerability from earlier this year, February 2007. This vulnerability was patched previously. The vulnerability appears to be "vulnerabilty one" in this advisory: http://dvlabs.tippingpoint.com/advisory/TPTI-07-02
But this does indeed appear to be a new exploit, thus machines are being actively compromised if they haven't been patched.
Update:
The activity at this stage is still ongoing. If you are using ServerProtect and you can't think of a reason why it needs to be exposed to the internet, then make sure you block The following:
- ServerProtect service Port 5168/TCP
- ServerProtect Agent service Port 3628/TCP
If you have a packet capture upload it via the contact form.
Update 25/8
Trend has provided a signature for this issue. If you are running regular updates, then the relevant pattern file should already be applied (4.668.09 onwards). You might want to run a scan on the machine though to be on the safe side. Also don't forget to apply the patch.
Trend Micro management exploit payload perhaps?
No sooner than I post a call for packets but I catch an event that surely looks suspect. I'm unable to confirm the destination target was in fact running a Trend management service or if the result of the following attempt. Let's see what our shellcode analysts can determine before we post complete packet payload.
Comments