Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: What's up with port 12174? Possible Symantec server compromise? - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
What's up with port 12174? Possible Symantec server compromise?

This is a heads-up that we have received a number of queries from readers about an increase in probes to port 12174.  The dshield data for port 12174 clearly corroborates a large increase.

Another reader indicates that they are seeing Symantec servers being attacked and compromised via port 12174.  Once compromised a whole bunch of nasty malware is downloaded to the machine.  He provides a tcpdump signature which has been effective for them in helping detect the resulting traffic.

'src port 7000 and dst port 445'

If anyone has first-hand observations into what is going on, please let us know via our contact link.

 

-- Rick Wanner - rwanner at isc dot sans dot org

Rick

286 Posts
ISC Handler
OSVDB indicates that Symantec has a remote code execution vulnerability that has been public since April 28th. It wouldn't surprise me if someone has created a worm to exploit this. http://osvdb.org/54157
Anonymous
TCP 12174 is LANDesk related. It also happens that some Symantec products include this LANDesk component as an optional item. See http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=23357
Anonymous
Also, I believe Nessus plugin 38664 may cover the vulnerability being exploited, but I do not have confirmation.
Anonymous
Symantec noticed the active exploitation of this vulnerability on Christmas Eve, see this page buried on their web-site: http://www.symantec.com/security_response/threatconlearn.jsp
Anonymous
Symantec noticed the active exploitation of this vulnerability on Christmas Eve, see this page buried on their web-site: http://www.symantec.com/security_response/threatconlearn.jsp
Anonymous

Sign Up for Free or Log In to start participating in the conversation!