That vulnerability, a buffer overflow flaw in Backup Exec's Remote Agent, could be exploited, said Symantec, by hackers passing an extra-long password to the Agent, software which listens on TCP port 10000 and accepts connections from the backup server when a backup is scheduled.
One day later, Symantec began monitoring a sudden increase in port scanning for port 10000. SANS' Internet Storm Center detected the same spike in port sniffing. "Scans for port 10000/tcp have been increasing ever since the release of the Veritas Backup Exec exploit," the center warned in an online briefing Monday.
According to Symantec's DeepSight Threat Network, the Cupertino, Calif.-based security giant's global network of sensors, the number of distinct IP addresses found scanning for port 10000 jumped from essentially zero on Sunday, June 26, to almost 8,000 by the end of the next day.
"The increase is likely indicative of a bot network performing a consistent and controlled propagation to vulnerable hosts on the Internet," said Symantec in a DeepSight alert sent to customers.