Loading...
[get complete service list]
Port Information
Protocol Service Name
tcp ssc-agent Symantec System Center
udp ssc-agent Symantec System Center
Top IPs Scanning
Today Yesterday
89.248.163.26 (23)89.248.163.26 (58)
79.137.198.113 (13)77.221.148.157 (10)
143.42.1.201 (7)194.180.49.69 (9)
118.123.105.89 (6)89.248.165.82 (8)
83.222.191.94 (6)83.222.191.94 (7)
77.221.148.156 (5)207.211.171.189 (4)
45.79.177.245 (5)78.128.114.90 (4)
68.175.136.117 (4)118.123.105.89 (2)
45.79.109.4 (4)193.163.125.248 (2)
45.14.224.155 (4)193.163.125.236 (2)
Port diary mentions
URL
SAV Worm Update
Good Morning 2007
Significant increase in port 2967 traffic
User Comments
Submitted By Date
Comment
Joe Kluwecksinski 2009-10-04 18:45:22
Recent tcp 2967 traffic appears to be related to an IRC BOT mostly aimed at colleges, but others, too. This link gives a rather good explanation of the exploit http://asert.arbornetworks.com/2006/11/that-new-bot-irc-bot-attacking-symantec-overflow/ Helpful hints: Look in C/windows for w32svc.exe. That's a bad thing if you have it. Also, look in services for "Windows Network Firewall", another bad thing.
CJ 2008-04-29 18:23:10
Did anyone notice the heaviest target numbers on this port is nearly always around the 1st and the 15th?
2008-04-29 18:22:39
Exploits an overflow condition in Symantec AV Corp. Masquerades as msupdates.exe, nod33.exe and wauclt.exe. Bot also connects back to an IRC server on a non-standard port. Lives in %windir%\system32 and is set as hidden and read only. Makes many registry changes to the netbt hive under HKLM\System\CurrentControlSet\Services and to the HKLM\SOFTWARE\Microsoft\Windows run and OLE keys. Runs IP scans en mass to discover other hosts to infect.
CVE Links
CVE # Description