Scans for port 10000/tcp have been increasing ever since the release of the Veritas Backup Exec exploit. This exploit is now available in various easy to use forms, including a Metasploit plug-in.
At this point, we are recommending:
(1) Block traffic to/from port 10000/tcp (note: this may be a bit tricky if you don\'t have a stateful firewall, as port 10000/tcp may be used by various clients as an ephemeral port)
(2) Verify that all your Veritas servers are patched.
(3) Scan your network for overlooked or already exploited Veritas servers.
One reader noted that after a system has been hit with the exploit, it will no longer listen on port 10000, as the service will die. However, it will still listen on port 6101.
Snort Signatures for the exploit as used by Metasploit (from Paul Dokas. Thanks!):
ssh brute forcing
Nothing fundamentally new. Nathaniel Hall observed a shift of attack sources from Asia to the US. Doesn't look like the nature of the attacks changed. Each source attempted to log in using a few hundred different user names.
Yet another Bagle
Frederick Lambany sent a sample of what looks like a newer Bagle version. Most AV products will catch this one using generic bagle signatures. Given the large number of bagle variants, it is hard to figure out if this one is actually new.
According to Virustotal, McAfee and Symantec are not detecting this sample at this point (will resubmit shortly to see if they have new signatures for it now).
Johannes Ullrich, Chief Research Officer, SANS Inst.
jullrich\'; drop table spamaddr;'@sans.orgI will be teaching next: Intrusion Detection In-Depth - SIEM Summit & Training 2019
Jun 27th 2005
1 decade ago