Last Updated: 2007-01-12 01:27:28 UTC
by Swa Frantzen (Version: 4)
The increase is almost purely TCP.
It seems possible this is related to the activity reported earlier by US-CERT regarding the CA BrightStor ARCserve Backup Tape Engine. It exploits a vulnerability disclosed on November 24th, 2006.
To be sure what it is, we'd like some packets. Please note that SYN packets alone are useless for this: they carry no payload. We need you to set up something that listens and actively tries to talk as a server on port 6502, so the connecting side completes the handshake and sends its data. "nc" with the right options comes to mind (options are system dependent, check your man page).
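A portable alternative to the "nc" approach, as an added example that is not part of the original diary entry: a small Python listener that completes the TCP handshake on port 6502 and logs whatever the client sends first. The function names, the log file name `port6502.jsonl` and the 8 KB / 5 second limits are assumptions chosen for illustration.

```python
import json
import socket
import time

PORT = 6502  # the port named in the diary entry


def open_listener(host="0.0.0.0", port=PORT):
    """Bind a TCP listener; the kernel then completes handshakes for us."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(16)
    return srv


def capture_one(srv, max_bytes=8192, idle_timeout=5.0):
    """Accept one connection and record whatever the client sends first.

    Nothing is sent back and nothing is parsed or executed: the bytes are
    only hex-encoded for later analysis. Limits are illustrative assumptions.
    """
    conn, (src, sport) = srv.accept()
    payload = b""
    with conn:
        conn.settimeout(idle_timeout)
        try:
            while len(payload) < max_bytes:
                chunk = conn.recv(max_bytes - len(payload))
                if not chunk:  # peer closed the connection
                    break
                payload += chunk
        except (socket.timeout, ConnectionError):
            pass  # keep what arrived before the stall or reset
    return {
        "utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "src": src, "sport": sport,
        "bytes": len(payload), "hex": payload.hex(),
    }


if __name__ == "__main__":
    # One JSON record per connection, appended to a hypothetical log file.
    with open_listener() as srv, open("port6502.jsonl", "a") as log:
        while True:
            rec = capture_one(srv)
            log.write(json.dumps(rec) + "\n")
            log.flush()
            print(rec["utc"], rec["src"], rec["bytes"], "bytes")
```

Run it on a host that does not run the backup software itself, so the port is free and the captured bytes never reach a real Tape Engine.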
It's interesting to note the length of time that passed on this one if this is indeed still the same vulnerability they are attempting to exploit.
Jose over at arbor.net confirmed they are seeing similar increases in traffic and were able to tie it back to the tape engine exploit mentioned above.
We've received a note from CA pointing out they do know about the problem mentioned and stating "This vulnerability was fixed in BrightStor ARCserve Backup r11.5 Service Pack 2, and a patch for earlier versions of ARCserve will be available shortly." Customers are encouraged to contact CA technical support.
We've received a note from CA pointing out patches should now be available for all affected versions of BrightStor ARCserve Backup.
Swa Frantzen -- Section 66