What's up with port 12174? Possible Symantec server compromise?

Published: 2009-12-29. Last Updated: 2009-12-30 14:58:37 UTC
by Rick Wanner (Version: 3)
5 comment(s)

This is a heads-up that we have received a number of queries from readers about an increase in probes to port 12174.  The dshield data for port 12174 clearly corroborates a large increase.

Another reader indicates that they are seeing Symantec servers being attacked and compromised via port 12174.  Once compromised a whole bunch of nasty malware is downloaded to the machine.  He provides a tcpdump signature which has been effective for them in helping detect the resulting traffic.

'src port 7000 and dst port 445'

If anyone has first-hand observations into what is going on, please let us know via our contact link.

Update:

This appears to only affect Symantec servers which have not been updated as per the Symantec Security Advisory from April of this year.  The actual vulnerability is in LANDesk which runs on port 12174 and is used by the Symantec Alert Management System.

It appears Nessus plugin 38664 can be used to help identify vulnerable systems.

More information on fixing this vulnerability is available over at the Security Braindump Blog.

-- Rick Wanner - rwanner at isc dot sans dot org

Keywords: 12174 symantec
5 comment(s)

Microsoft responds to possible IIS 6 0-day

Published: 2009-12-29. Last Updated: 2009-12-29 20:17:29 UTC
by Rick Wanner (Version: 1)
0 comment(s)

Following up to recent diaries 7816 and 7810 and numerous other sources regarding a possible IIS 0-day.  Microsoft has responded indicating that there is no problem with IIS 6, but rather this is a configuration issue which should not be present in an out of the box IIS 6 server or any server properly configured to Microsoft standards.

 

-- Rick Wanner - rwanner at isc dot sans dot org

Keywords: IIS Microsoft
0 comment(s)

Comments


Diary Archives