Hackers are trying to break into Windows servers running Trend Micro's ServerProtect anti-virus software, researchers have warned.

The DeepSight threat network run by Trend rival Symantec monitored a major spike in traffic over TCP port 5168, which used by the remote procedure call service in ServerProtect.

"This may indicate an ongoing mass-scanning and exploitation attempt trying to exploit vulnerable systems for the newly disclosed vulnerabilities," said Symantec analyst Pukhraj Singh, in an alert.

Symantec also said its honeypots - unpatched systems that draw attackers' fire - had recorded at least one successful compromise of ServerProtect. "We are in the process of verifying whether or not [that] attack is in fact leveraging one of the recently reported issues, and not an older one," Singh said.

At its peak, the port scan spike observed by Symantec involved 1,000 devices or systems around the world and originated from more than 300 different IP addresses. Within hours, however, the probing had tapered off somewhat.

The SANS Institute's Internet Storm Center (ISC) also said it had spotted "heavy scanning activity" on TCP 5168, and theorised that it was related to ServerProtect. ISC received samples of suspicious data packets that might be attack code, and farmed it out to analysts for review.

Trend Micro actually updated ServerProtect almost a month ago, but the vulnerabilities only came to light on Monday when VeriSign iDefense published details about them. iDefense had reported the bugs to Trend Micro in mid-June; at least one of the vulnerabilities was partly revealed by researchers who were paid a bounty for their bug-hunting by iDefense's cash-for-vulnerabilities programme.

After the ISC alert, Trend Micro virtually begged ServerProtect users to patch ASAP. "We implore security administrators to apply the latest ServerProtect security patch available from Trend Micro as soon as possible to protect against any potential attack," it said in an alert.

It's been a rough, and embarrassing, month for security vendors, several of which have had to push out patches to plug holes in their own code. Trend Micro's anti-spyware scanning engine required a fix this week, as did Check Point's ZoneAlarm desktop software and the open-source Clam AntiVirus.

Interestingly, iDefense first notified ZoneAlarm of some of the recently patched bugs almost two years ago, in September 2005.