Worm attacks Trend Micro ServerProtect
Numerous sensors are currently registering activities that indicate an ongoing attack against Trend Micro ServerProtect. For example, SANS Internet Storm Center is reporting an increase in scanning activity on TCP port 5168, on which the management service listens. The Nepenthes team's honeypots have uncovered an exploit that connects back to a server on port 10000 to receive shell commands that download and execute an IRC bot.
More detailed analyses are still being conducted, but the initial fears that the worm was targeting vulnerabilities in Trend Micro products that were announced a few days ago appear to be unfounded. Instead, Internet Storm Center reports indications that the ServerProtect exploit targets an older vulnerability for which Trend issued patches back in February. Administrators should strictly limit access to the ServerProtect service port 5168/TCP and the ServerProtect Agent service port 3268/TCP, and install the available patches as soon as possible.
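One way to check flow logs for the pattern described above, as an added example that is not part of the original report: it flags access to the two ServerProtect ports from outside a management network and correlates it with a later outbound connection to port 10000 from the same server. The CSV record layout, the `MGMT_NET` range, the 10-minute window and the sample flows are assumptions constructed for illustration.

```python
# Added example: correlate access to ServerProtect ports with later connect-backs.
import csv
import io
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

SERVERPROTECT_PORTS = {5168, 3268}    # service and agent ports named in the article
CONNECT_BACK_PORT = 10000             # connect-back port seen by the Nepenthes honeypots
MGMT_NET = ip_network("10.0.9.0/24")  # assumption: only network allowed to reach those ports
WINDOW = timedelta(minutes=10)        # assumption: correlation window

# Constructed sample flow records (time-ordered): time, source, destination, dest port
SAMPLE_FLOWS = """\
2007-08-23T10:00:01,10.0.9.5,10.0.0.15,5168
2007-08-23T10:02:10,203.0.113.7,10.0.0.15,5168
2007-08-23T10:02:14,10.0.0.15,203.0.113.7,10000
2007-08-23T10:05:00,198.51.100.20,10.0.0.16,3268
2007-08-23T11:30:00,10.0.0.17,192.0.2.9,10000
"""

def analyze(flow_text):
    """Return (unexpected_access, likely_compromised) from time-ordered CSV flows."""
    unexpected, compromised = [], []
    last_probe = {}  # server IP -> (time, source) of the latest unauthorised access
    for ts, src, dst, dport in csv.reader(io.StringIO(flow_text)):
        when, dport = datetime.fromisoformat(ts), int(dport)
        if dport in SERVERPROTECT_PORTS and ip_address(src) not in MGMT_NET:
            unexpected.append((src, dst, dport))
            last_probe[dst] = (when, src)
        elif dport == CONNECT_BACK_PORT and src in last_probe:
            probe_time, prober = last_probe[src]
            # Outbound connection to port 10000 shortly after an unauthorised probe
            if when - probe_time <= WINDOW:
                compromised.append((src, dst, prober))
    return unexpected, compromised

if __name__ == "__main__":
    unexpected, compromised = analyze(SAMPLE_FLOWS)
    for src, dst, port in unexpected:
        print(f"unauthorised access: {src} -> {dst}:{port}")
    for host, remote, prober in compromised:
        print(f"possible compromise: {host} -> {remote}:{CONNECT_BACK_PORT} "
              f"after access from {prober}")
```

Port 10000 is also used by legitimate software, so a hit is a lead for investigation on the affected server rather than proof of compromise.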
- Trend Micro scanning on TCP 5168, Internet Storm Center
- Trend Micro ServerProtect Update, Internet Storm Center
- Buffer Overflow in Trend Micro's ServerProtect, heise Security report on February 21, 2007
- Multiple security vulnerabilities in Trend Micro products, heise Security report on August 22, 2007