We are seeing some heavy scanning activity on TCP 5168, probably for Trend Micro ServerProtect. There were vulnerabilities announced for this product yesterday: http://secunia.com/advisories/26523/ and http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=588
It does indeed look like machines are getting owned with this vulnerability. More info to come...
UPDATE: To expedite your patch finding needs, Trend Micro has made product patches available for download from:
OPEN CALL FOR Trend Micro management service "RELATED" PACKETS!
I had just made a request for packets from one of our writers, and figured it a great opportunity to make it open season for packets.
If you *reading this* are witness to TCP port 5168 scanning activity, and feel you have a reasonably safe platform to perform additional data collection for us, we'd really appreciate it.
date +%Y%m%d-%H%M%S >> monitoring-the-trend-of-evil.txt
If you spot any unusual frequency of activity, *especially* if you have no particular idea of what might be in the *.hex.txt output file, then ship us a copy via our handy dandy file submission contact form at http://isc.sans.org/contact.html
Aug 23rd 2007