The SANS Internet Storm Center is reporting that there has been a spike in activity on TCP port 5168 over the last few days, perhaps attributable to attackers looking to exploit a couple of vulnerabilities in Trend Micro’s ServeProtect. The ISC came across the activity on port 5168 through a report from a user whose network had been compromised. The handlers checked out the information the user sent in and discovered that the problem stemmed from the presence of a ServU Trojan that was cloaking itself as a Java Virtual Machine. But a little more inspection showed that the same attacker was trying to connect to a different machine on the same network over TCP 5168.
The amount of activity that the ISC has seen on that port has nearly quadrupled in the last three days, a pretty good indication that things are going awry somewhere.