Attackers probing for vulnerable Windows servers

Scanning spike related to buggy ServerProtect antivirus from Trend Micro

Attackers are probing for Windows servers running Trend Micro's ServerProtect antivirus software, researchers warned.

Early today, Symantec's DeepSight threat network monitored a major spike in traffic over TCP port 5168, which is related to the remote procedure call service in ServerProtect. "This may indicate an ongoing mass-scanning and exploitation attempt trying to exploit vulnerable systems for the newly disclosed vulnerabilities," said Symantec analyst Pukhraj Singh in an alert issued to corporate customers.

Symantec also said its honeypots -- "planted" systems that draw attackers by virtue of their unpatched status -- had recorded at least one successful compromise of ServerProtect. "We are in the process of verifying whether or not that attack is in fact leveraging one of the recently reported issues, and not an older one," Singh said.

At its peak, the port scan spike observed by Symantec involved 1,000 devices or systems around the world and originated from more than 300 different IP addresses. Within hours, however, the probing had tapered off somewhat.

Yesterday, the SANS Institute's Internet Storm Center (ISC) also said it had spotted "heavy scanning activity" on TCP 5168, and theorized that the probes were related to ServerProtect. This morning, ISC received samples of suspicious data packets that might be attack code, and farmed it out to analysts for review.

Trend Micro actually updated ServerProtect almost a month ago, but the vulnerabilities only came to light on Monday when VeriSign iDefense published details about them. IDefense had reported the bugs to Trend Micro in mid-June; at least one of the vulnerabilities was partly revealed by researchers who were paid a bounty for their bug-hunting by iDefense's cash-for-vulnerabilities program.

Trend Micro issued a warning of its own yesterday based on the ISC scanning alert to virtually beg ServerProtect users to patch ASAP. "We implore security administrators to apply the latest ServerProtect security patch available from Trend Micro as soon as possible to protect against any potential attack," read the warning.

It's been a rough, and embarrassing, month for security vendors, several of which have had to push out patches to plug holes in their own code. Trend Micro's antispyware scanning engine required a fix this week, as did Check Point's ZoneAlarm line of security products and the open-source Clam AntiVirus.

Interestingly, iDefense first notified Zone Alarm of some of the recently patched bugs almost two years ago, in September 2005.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Gregg Keizer

Gregg Keizer

Computerworld
Show Comments

Cool Tech

Bang and Olufsen Beosound Stage - Dolby Atmos Soundbar

Learn more >

Toys for Boys

Sony WF-1000XM3 Wireless Noise Cancelling Headphones

Learn more >

Nakamichi Delta 100 3-Way Hi Fi Speaker System

Learn more >

ASUS ROG, ACRONYM partner for Special Edition Zephyrus G14

Learn more >

Family Friendly

Mario Kart Live: Home Circuit for Nintendo Switch

Learn more >

Philips Sonicare Diamond Clean 9000 Toothbrush

Learn more >

Stocking Stuffer

SunnyBunny Snowflakes 20 LED Solar Powered Fairy String

Learn more >

Teac 7 inch Swivel Screen Portable DVD Player

Learn more >

Christmas Gift Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers

MSI P65

This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang

MSI GT76

It really doesn’t get more “gaming laptop” than this.

Jack Jeffries

MSI GS75

As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr

MSI PS63

The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?