Hackers have set their sights on security vendor Trend Micros ServerProtect.
Several security researchers have noted a massive increase of activity over TCP port 5168 connected with ServerProtect, an anti-virus software product for servers that had a number of vulnerabilities publicly disclosed earlier the week of Aug. 20. All of the vulnerabilities, which could lead to remote code execution, have been patched and the security fixes are available to customers.
“Various people are abuzz trying to figure out what malware is behind this,” Jose Nazario, senior security researcher at Arbor Networks, in Lexington, Mass., wrote on a company blog. “At present it seems to be a botnet causing all of the havoc.”
Officials at Symantec, in Cupertino, Calif., said in an alert Aug. 23 that they have observed active exploitation of a Trend Micro ServerProtect vulnerability affecting the ServerProtect service on a DeepSight honey pot and are checking to see what vulnerability had been targeted.
The company advised administrators to block TCP port 5168 at the network boundary or deploy strict IP-based access control lists to hamper hacking attempts.
Meanwhile, the SANS Institutes ISC (Internet Storm Center), based in Bethesda, Md., reported that the ServerProtect exploit is against an older, patched vulnerability from February. If exploited successfully, a hacker could trigger a stack overflow and execute arbitrary code.
Click here to read more about the security flaws Trend Micro fixed in ServerProtect and other products.
Mike Haro, a spokesperson for Trend Micro, also based in Cupertino, said the company has not received word from its users about any successful exploits, but urged customers to update the product.
“It is imperative that ServerProtect customers patch as quickly as possible,” he said
Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.
