SANS ISC: Scanning for Symantec Endpoint Manager SANS ISC InfoSec Forums
Scanning for Symantec Endpoint Manager

Last week, we mentioned a new vulnerability in Symantec Endpoint Protection Management [1]. According to Symantec's advisory, this product listens on ports 9090/TCP and 8443/TCP. Both ports are scanned regularly for various vulnerabilities, in particular 8443, since it is frequently used by web servers as an alternative to 443. However, on February 7th, we detected a notable increase in scans for both ports.


Interestingly, it looks like two different IP addresses caused this increase, each scanning for only one port. is the "heavy hitter" for port 8443, and for port 9090. There is no organizational connection between the two IPs based on Whois. is assigned to a university in China (the whois record contains a somewhat weird-looking "description": 华南理工大薛3够 ). is assigned to a British hosting company.

My assumption is that both hosts were compromised at the time. 

Today, we are also seeing a large increase in scanning for port 9090, pointing to someone building a target list of vulnerable systems. Pretty much the only source scanning today is . This address is interesting in that it is not assigned according to APNIC (the RIR in charge of this address), but it does respond to pings. It runs a phpMyAdmin website as its default host, which pretty much guarantees that it is a compromised system (it could also be a honeypot).


Johannes B. Ullrich, Ph.D.
SANS Technology Institute


ISC Handler
Feb 17th 2014
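The diary's two observations, a single "heavy hitter" source per port and a day-over-day spike in hits to 8443 and 9090, are easy to check against your own firewall logs. The following is an added example, not code from the diary or from ISC; the log format ("date src_ip dst_port") and the sample addresses (RFC 5737 documentation ranges) are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
from statistics import mean

WATCHED_PORTS = {8443, 9090}

# Constructed sample firewall log ("date src_ip dst_port"), not ISC data;
# addresses are RFC 5737 documentation ranges. Feb 7 has one source
# hammering 8443 and another hammering 9090, as in the post.
SAMPLE_LOG = """\
2014-02-05 203.0.113.5 8443
2014-02-06 203.0.113.5 8443
2014-02-06 198.51.100.2 443
2014-02-07 203.0.113.77 8443
2014-02-07 203.0.113.77 8443
2014-02-07 203.0.113.77 8443
2014-02-07 203.0.113.77 8443
2014-02-07 198.51.100.33 9090
2014-02-07 198.51.100.33 9090
2014-02-07 198.51.100.33 9090
2014-02-08 203.0.113.5 8443
2014-02-08 198.51.100.2 9090
"""

def parse_log(text):
    """Return (date, src, dport) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[2].isdigit():
            records.append((parts[0], parts[1], int(parts[2])))
    return records

def heavy_hitters(records, ports=WATCHED_PORTS):
    """Top source per watched port: {port: (src, count)}."""
    per_port = defaultdict(Counter)
    for _, src, dport in records:
        if dport in ports:
            per_port[dport][src] += 1
    return {p: c.most_common(1)[0] for p, c in per_port.items()}

def spike_days(records, port, factor=2.0):
    """Days whose hit count on `port` exceeds `factor` x the mean of the other days."""
    per_day = Counter(d for d, _, p in records if p == port)
    flagged = []
    for day, n in sorted(per_day.items()):
        others = [v for d, v in per_day.items() if d != day]
        if others and n > factor * mean(others):
            flagged.append(day)
    return flagged
```

On the sample log, `heavy_hitters` names one source per watched port and `spike_days` flags 2014-02-07 for both 8443 and 9090, the same shape as the diary's observation.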
Hi Johannes,

Drop the leading 0's from and it's Hong Kong :)

3 Posts
The description is in HZ character encoding. It decodes to something that won't be accepted by the message box. :)
3 Posts
