TROJAN US-CERT TA14-353A Lightweight Backdoor 10 and ESXi 5.5 hosts?

  • Question
  • Updated 3 years ago
Anyone seen this signature on ESXi hosts? I seem to have one, but it's targeting NFS, not SMB.

Warren


Posted 3 years ago


Warren

Keith,

Thanks for the quick reply.

I'm going to dig a bit further into the sig. I know IPS can be massively crazy to tune; we spent a year with BT/Counterpane tuning our work IPSes, and we still had weird false positives.

I am a bit afraid that this might be legit. When I look at the on-the-fly pcap data (cool feature, by the way) I'm able to see data that appears to match the US-CERT notice. The only oddity is that, like you stated, this sig is for SMB, not NFS, BUT I have SMB mixed in there.

FYI, I've got a QNAP NAS appliance (4.x code, recently updated) running both NFS and SMB shares. It appears to be transmitting over port 625 (ESXi host) to the NFS share (QNAP storage with SMB enabled).

Just in case others run across a similar situation, we can start putting pieces together.  I'll try to remember to post what I find.
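One triage step for a match like this, added here as an example and not taken from the thread, the US-CERT alert or the IPS vendor: classify the payload of each flagged TCP flow by protocol magic, so you can tell whether the flow the SMB signature fired on actually carries SMB or is plain NFS. SMB1 and SMB2 headers begin with the signatures `\xffSMB` and `\xfeSMB` behind a 4-byte NetBIOS session header, while an NFS request over TCP is an ONC RPC CALL (RFC 5531) whose header names the program number, 100003 for NFS. The flow labels, `SAMPLE_FLOWS` and the byte samples are constructed for the demonstration; in practice you would feed it the raw payload bytes exported from the IPS's pcap.

```python
import struct

SMB1_MAGIC = b"\xffSMB"   # CIFS/SMB1 header signature
SMB2_MAGIC = b"\xfeSMB"   # SMB2/SMB3 header signature

# ONC RPC program numbers registered for the NFS family (RFC 5531 / IANA).
RPC_PROGRAMS = {100003: "nfs", 100005: "mountd", 100021: "nlockmgr", 100024: "status"}


def classify_payload(payload: bytes) -> str:
    """Classify the leading bytes of one TCP segment payload.

    Returns 'smb1', 'smb2', 'rpc:<program>', 'rpc:<program-number>' or 'unknown'.
    """
    # SMB over TCP/445 is wrapped in a 4-byte NetBIOS Session Service header:
    # message type 0x00 followed by a 3-byte length.
    body = payload[4:] if len(payload) >= 8 and payload[0] == 0x00 else payload
    if body.startswith(SMB1_MAGIC):
        return "smb1"
    if body.startswith(SMB2_MAGIC):
        return "smb2"

    # ONC RPC over TCP (RFC 5531 s.11): a 4-byte record mark (bit 31 = last
    # fragment, low 31 bits = fragment length), then XID, msg_type (0 = CALL),
    # rpcvers (always 2), program, version and procedure numbers.
    if len(payload) >= 28:
        record_mark, _xid, msg_type, rpcvers, prog = struct.unpack(">IIIII", payload[:20])
        frag_len = record_mark & 0x7FFFFFFF
        if msg_type == 0 and rpcvers == 2 and frag_len >= 24:
            return "rpc:" + RPC_PROGRAMS.get(prog, str(prog))
    return "unknown"


def summarize(flows: dict) -> dict:
    """Map each flow label to its protocol classification."""
    return {label: classify_payload(data) for label, data in flows.items()}


def smb_seen(flows: dict) -> bool:
    """True if any flow in the capture carries SMB1 or SMB2."""
    return any(c in ("smb1", "smb2") for c in summarize(flows).values())


def _nfs_call(xid: int, vers: int, proc: int) -> bytes:
    """Build a minimal NFS RPC CALL with AUTH_NULL credential and verifier (constructed sample)."""
    body = struct.pack(">IIIIII", xid, 0, 2, 100003, vers, proc)
    body += struct.pack(">IIII", 0, 0, 0, 0)  # cred: AUTH_NULL, len 0; verf: AUTH_NULL, len 0
    return struct.pack(">I", 0x80000000 | len(body)) + body


# Constructed sample payloads; not captured from the poster's network.
SAMPLE_FLOWS = {
    "esxi->nas nfs getattr": _nfs_call(0x1A2B3C4D, 3, 1),
    "client->nas smb2 negotiate": b"\x00\x00\x00\x44" + SMB2_MAGIC + bytes(64),
    "client->nas smb1 negotiate": b"\x00\x00\x00\x24" + SMB1_MAGIC + b"\x72" + bytes(31),
    "client->nas http": b"GET / HTTP/1.1\r\nHost: nas.local\r\n\r\n",
}

if __name__ == "__main__":
    for label, proto in summarize(SAMPLE_FLOWS).items():
        print(f"{label:28s} {proto}")
    print("SMB present in capture:", smb_seen(SAMPLE_FLOWS))
```

If every flow the signature fired on comes back as `rpc:nfs`, the alert is firing on NFS payload bytes and is a tuning candidate; if any of them classify as `smb1` or `smb2`, the SMB traffic in the mix deserves a closer look before the match is written off.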