


                                                   JPCERT-AT-2007-0019
                                                             JPCERT/CC
                                                       August 23, 2007

                  <<< JPCERT/CC Alert 2007-08-23 >>>

              Increased activity targeting TCP port 5168

             http://www.jpcert.or.jp/at/2007/at070019.txt

I. Overview

  Using using the Internet Scan Data Acquisition System (ISDAS), 
JPCERT/CC observed that there has been an increase in scans of TCP
port 5168 since August 22, 2007. Although the cause of this increase
in scans is not known, there is a possibility that they are attacks
targeting the vulnerabilities in ServerProtect from Trend Micro, for
which a Security Patch has recently been released.


II. Situation Observed

  For the situation of TCP port 5168 scans observed by the ISDAS,
see the following website:

    ISDAS TCP port 5168 graph (August 22 - 23, 2007)
    http://www.jpcert.or.jp/isdas/2007/20070822-0823_5168_port.png


III. Solution

  Users of services provided through TCP port 5168 are advised to
implement the following measures:

   1) Users of Trend Micro ServerProtect for Windows/NetWare 5.x
      should apply the Security Patch by referring to "IV. Reference
      Information."

   2) To prevent secondary damage, limit the outbound packet traffic
      to TCP port 5168 in case you are infected with a virus.


IV. Reference Information

    Japan Vulnerability Notes JVNVU#329735
    Buffer Overflow Vulnerabilities in Trend Micro ServerProtect
    http://jvn.jp/cert/JVNVU%23329735/index.html

    Announcement of the release of Security Patch 2(Build_1185) for 
      ServerProtect for Windows/NetWare
    http://www.trendmicro.co.jp/support/news.asp?id=1002

    Application of Security Patch 2(Build_1185) for ServerProtect for
      Windows/NetWare
    http://www.trendmicro.co.jp/support/news.asp?id=1003

    Multiple Vulnerabilities in Trend Micro Products
    http://www.us-cert.gov/current/archive/2007/08/22/archive.html#multiple_vulnerabilities_in_trend_micro

    Internet Scan Data Acquisition System (ISDAS)
    http://www.jpcert.or.jp/isdas/


  If you have any information regarding this matter, please contact us.

======================================================================
JPCERT Coordination Center (JPCERT/CC)
MAIL: info@jpcert.or.jp
TEL: 03-3518-4600  FAX: 03-3518-4602
http://www.jpcert.or.jp/