
SANS ISC: What's up with port 12174? Possible Symantec server compromise? - Internet Security | DShield SANS ISC InfoSec Forums


What's up with port 12174? Possible Symantec server compromise?

This is a heads-up that we have received a number of queries from readers about an increase in probes to port 12174. The DShield data for port 12174 clearly corroborates a large increase.

Another reader indicates that they are seeing Symantec servers being attacked and compromised via port 12174. Once compromised, a whole bunch of nasty malware is downloaded to the machine. He provides a tcpdump signature which has been effective for them in helping detect the resulting traffic.

'src port 7000 and dst port 445'

If anyone has first-hand observations into what is going on, please let us know via our contact link.

-- Rick Wanner - rwanner at isc dot sans dot org

Rick

290 Posts
ISC Handler
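
Added example, not part of the original diary or the reader's own tooling: a small triage script that applies the two observations above (probes to port 12174, and traffic matching 'src port 7000 and dst port 445') to saved `tcpdump -nn` text output. The function name, the sample lines and the idea of listing hosts that appear in both sets are assumptions made for illustration; an overlap is a lead for investigation, not proof of compromise.

```python
import re
from collections import defaultdict

# Address/port part of an IPv4 line as printed by `tcpdump -nn`.
LINE_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):"
)

# Constructed sample of `tcpdump -nn` output (documentation addresses only).
SAMPLE = """\
09:14:02.100001 IP 203.0.113.7.41822 > 192.0.2.10.12174: Flags [S], seq 1, win 65535, length 0
09:14:02.100950 IP 203.0.113.7.41823 > 192.0.2.11.12174: Flags [S], seq 1, win 65535, length 0
09:14:05.220114 IP 192.0.2.10.7000 > 192.0.2.44.445: Flags [S], seq 9, win 8192, length 0
09:14:05.221300 IP 192.0.2.10.7000 > 192.0.2.45.445: Flags [S], seq 9, win 8192, length 0
09:14:07.000412 IP 192.0.2.30.51515 > 192.0.2.44.445: Flags [S], seq 3, win 8192, length 0
09:14:08.000001 IP6 2001:db8::1.7000 > 2001:db8::2.445: Flags [S], length 0
"""


def triage(lines):
    """Return (probed, hits, overlap) for tcpdump text lines.

    probed:  destination host -> set of sources that sent to port 12174
    hits:    source host -> set of destinations for 7000 -> 445 packets
    overlap: hosts probed on 12174 that also sourced 7000 -> 445 traffic
    """
    probed = defaultdict(set)
    hits = defaultdict(set)
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # IPv6 or unparsable line: skipped rather than guessed at
        src, dst = m.group(1), m.group(3)
        sport, dport = int(m.group(2)), int(m.group(4))
        if dport == 12174:
            probed[dst].add(src)
        if sport == 7000 and dport == 445:  # the reader's signature
            hits[src].add(dst)
    overlap = sorted(set(probed) & set(hits))
    return dict(probed), dict(hits), overlap


if __name__ == "__main__":
    probed, hits, overlap = triage(SAMPLE.splitlines())
    print("probed on 12174:", sorted(probed))
    print("sourcing 7000 -> 445:", {h: sorted(d) for h, d in hits.items()})
    print("in both sets:", overlap)
```
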
OSVDB indicates that Symantec has a remote code execution vulnerability that has been public since April 28th. It wouldn't surprise me if someone has created a worm to exploit this. http://osvdb.org/54157
Anonymous
TCP 12174 is LANDesk related. It also happens that some Symantec products include this LANDesk component as an optional item. See http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=23357
Anonymous
Also, I believe Nessus plugin 38664 may cover the vulnerability being exploited, but I do not have confirmation.
Anonymous
Symantec noticed the active exploitation of this vulnerability on Christmas Eve, see this page buried on their web-site: http://www.symantec.com/security_response/threatconlearn.jsp
Anonymous