ALARM Group ALERT (ALARM: The Computing Alert System)

Alert Number: 011205-01
Alert Date: 1/12/05
Alert Title: Increased Internet probe activity may be associated with vulnerability in Veritas Backup Exec
Update-to: none
OS/Platform/Application: Veritas Backup Exec Versions 8.6.x and 9.1.x
Category: ALERT
Severity: MEDIUM
Attention: Windows System Administrators running build(s) of Veritas Backup Exec listed above

Summary: Information Security personnel at several universities (including the University at Albany) and other organizations have reported an observed increase in inbound data traffic on TCP port 6101. The nature of this unusual spike in traffic is currently unclear; some researchers theorize that the traffic may be probe activity intended to identify systems that are running vulnerable builds of Veritas Backup Exec.

Recommended Actions: Veritas has hotfixes available to address this vulnerability. System Administrators who maintain vulnerable builds of Backup Exec are encouraged to read the vendor's documentation (links provided below) and (if appropriate) apply the necessary hotfixes.
ITS Actions: At this time, ITS is taking no specific campus-wide actions to counter the TCP port 6101 traffic since its nature has not been absolutely verified. An update will be issued if this situation changes.
Resources:
Veritas Documentation:
http://seer.support.veritas.com/docs/273419.htm
SANS ISC notes on TCP port 6101 traffic:
http://isc.sans.org/diary.php?date=2005-01-10
http://isc.sans.org/diary.php?date=2004-12-16
SANS traffic report on TCP 6101 traffic:
http://isc.sans.org/port_details.php?port=6101
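
One way to check local firewall logs for the inbound TCP port 6101 traffic described in the Summary (an added example, not part of the original alert): it counts connections per day, lists sources that touched several internal hosts, and lists internal hosts that accepted a connection on 6101 and so should be checked against the Backup Exec versions listed above. The log line format, the addresses and the sweep threshold are constructed assumptions.

```python
import re
from collections import defaultdict

PORT = 6101  # TCP port named in the alert

# Constructed sample lines in an assumed generic firewall format
# (not the format of any particular product).
SAMPLE_LOG = """\
2005-01-08T02:11:40 DROP TCP 198.51.100.7:40112 -> 192.0.2.10:6101
2005-01-10T03:14:07 DROP TCP 203.0.113.5:40211 -> 192.0.2.10:6101
2005-01-10T03:14:08 DROP TCP 203.0.113.5:40212 -> 192.0.2.11:6101
2005-01-10T03:14:09 ACCEPT TCP 203.0.113.5:40213 -> 192.0.2.12:6101
2005-01-10T03:14:10 DROP TCP 203.0.113.5:40214 -> 192.0.2.13:6101
2005-01-10T09:30:00 ACCEPT TCP 198.51.100.20:51000 -> 192.0.2.12:443
2005-01-11T04:00:01 ACCEPT TCP 203.0.113.9:33001 -> 192.0.2.12:6101
2005-01-11T04:00:02 DROP TCP 203.0.113.9:33002 -> 192.0.2.14:6101
"""

LINE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ (?P<action>ACCEPT|DROP) TCP "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def summarize(log_text, port=PORT, sweep_threshold=3):
    """Return (connections per day, sweeping sources, reachable internal hosts)."""
    per_day = defaultdict(int)   # day -> inbound connections to the port
    targets = defaultdict(set)   # source -> distinct internal hosts it contacted
    reachable = set()            # internal hosts where the firewall allowed the port
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m or int(m["dport"]) != port:
            continue             # unparsable line or a different service
        per_day[m["day"]] += 1
        targets[m["src"]].add(m["dst"])
        if m["action"] == "ACCEPT":
            reachable.add(m["dst"])
    # A source contacting many distinct hosts on one port looks like a sweep.
    sweepers = sorted(s for s, d in targets.items() if len(d) >= sweep_threshold)
    return dict(per_day), sweepers, sorted(reachable)

if __name__ == "__main__":
    per_day, sweepers, reachable = summarize(SAMPLE_LOG)
    print("connections to 6101 per day:", per_day)
    print("sources touching several hosts:", sweepers)
    print("hosts reachable on 6101 (check Backup Exec build):", reachable)
```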