What's up with port 12174? Possible Symantec server compromise?

Published: 2009-12-29
Last Updated: 2009-12-30 14:58:37 UTC
by Rick Wanner (Version: 3)
5 comment(s)

This is a heads-up that we have received a number of queries from readers about an increase in probes to port 12174.  The dshield data for port 12174 clearly corroborates a large increase.

Another reader indicates that they are seeing Symantec servers being attacked and compromised via port 12174.  Once compromised a whole bunch of nasty malware is downloaded to the machine.  He provides a tcpdump signature which has been effective for them in helping detect the resulting traffic.

'src port 7000 and dst port 445'

If anyone has first-hand observations into what is going on, please let us know via our contact link.

Update:

This appears to only affect Symantec servers which have not been updated as per the Symantec Security Advisory from April of this year.  The actual vulnerability is in LANDesk which runs on port 12174 and is used by the Symantec Alert Management System.

It appears Nessus plugin 38664 can be used to help identify vulnerable systems.

More information on fixing this vulnerability is available over at the Security Braindump Blog.

-- Rick Wanner - rwanner at isc dot sans dot org

Keywords: 12174 symantec
5 comment(s)

Microsoft responds to possible IIS 6 0-day

Published: 2009-12-29
Last Updated: 2009-12-29 20:17:29 UTC
by Rick Wanner (Version: 1)
0 comment(s)

Following up to recent diaries 7816 and 7810 and numerous other sources regarding a possible IIS 0-day.  Microsoft has responded indicating that there is no problem with IIS 6, but rather this is a configuration issue which should not be present in an out of the box IIS 6 server or any server properly configured to Microsoft standards.

 

-- Rick Wanner - rwanner at isc dot sans dot org

Keywords: IIS Microsoft
0 comment(s)

Comments

cwqwqwq
eweew<a href="https://www.seocheckin.com/edu-sites-list/">mashood</a>
WQwqwqwq[url=https://www.seocheckin.com/edu-sites-list/]mashood[/url]
dwqqqwqwq mashood
[https://isc.sans.edu/diary.html](https://isc.sans.edu/diary.html)
[https://isc.sans.edu/diary.html | https://isc.sans.edu/diary.html]
What's this all about ..?
password reveal .
<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure:

<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.

<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission
https://thehomestore.com.pk/

Diary Archives