SANS ISC Port Details:


Port Information

| Protocol | Service | Name |
|----------|-----------|------------------------|
| tcp | ssc-agent | Symantec System Center |
| udp | ssc-agent | Symantec System Center |

User Comment

Submitted By Date
Comment
Joe Kluwecksinski 2009-10-04 18:45:22
Recent tcp 2967 traffic appears to be related to an IRC BOT mostly aimed at colleges, but others, too. This link gives a rather good explanation of the exploit http://asert.arbornetworks.com/2006/11/that-new-bot-irc-bot-attacking-symantec-overflow/ Helpful hints: Look in C/windows for w32svc.exe. That's a bad thing if you have it. Also, look in services for "Windows Network Firewall", another bad thing.
CJ 2008-04-29 18:23:10
Did anyone notice the heaviest target numbers on this port is nearly always around the 1st and the 15th?
2008-04-29 18:22:39
Exploits an overflow condition in Symantec AV Corp. Masquerades as msupdates.exe, nod33.exe and wauclt.exe. Bot also connects back to an IRC server on a non-standard port. Lives in %windir%\system32 and is set as hidden and read only. Makes many registry changes to the netbt hive under HKLM\System\CurrentControlSet\Services and to the HKLM\SOFTWARE\Microsoft\Windows run and OLE keys. Runs IP scans en masse to discover other hosts to infect.

CVE Links

| CVE # | Description |
|---------------|-------------|
| CVE-2006-2630 | "Stack-based buffer overflow in Symantec Antivirus 10.1 and Client Security 3.1 allows remote attackers to execute arbitrary code via unknown attack vectors." |