
SANS ISC: Port 8555 and 2967 activity - SANS Internet Storm Center SANS ISC InfoSec Forums


Port 8555 and 2967 activity
A reader reported an infection on one of their machines. On investigating it further, it looks like there is increased activity (quite significant increase) on ports 8555 and 2967.

2967 is used by Symantec AV (Corp edition, managed clients only). The limited number of packets we currently have show traffic hitting the 2967 port and responding to port 8555. Looking at the DShield information for 8555 there is a significant increase in traffic to this port since December 20, suggesting that there may be infected machines already out there. Port 2967 has had its ups and downs over the last few weeks, but is also increasing.

To do further analysis we need packets. So if you have any captures relating to these ports please pass them along to us using the contact form.

Mark
ISC Handler on Duty
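
Added example, not part of the original diary or ISC tooling: one way to triage your own flow records for the pattern described above, so that matching captures can be pulled and submitted. It assumes a five-column flow export (epoch, source IP, source port, destination IP, destination port), a 300-second correlation window, and that "responding to port 8555" means the host reached on 2967 then sends traffic to destination port 8555; the sample flows are constructed.

```python
import csv
import io

AV_PORT = 2967      # Symantec AV managed-client port named in the diary
REPLY_PORT = 8555   # port the diary saw the responses going to
WINDOW = 300        # assumed correlation window, in seconds

# Constructed sample flows (documentation addresses), not real captures:
# epoch,src_ip,src_port,dst_ip,dst_port
SAMPLE = """\
1000,198.51.100.7,40112,192.0.2.10,2967
1004,192.0.2.10,1055,198.51.100.7,8555
1010,198.51.100.7,40113,192.0.2.11,2967
1500,192.0.2.12,1060,203.0.113.5,8555
2000,192.0.2.11,1070,198.51.100.7,8555
"""

def correlate(flow_text, window=WINDOW):
    """Return (host, hit_time, peer, reply_time) for each host that was
    reached on AV_PORT and then sent traffic to REPLY_PORT within window."""
    rows = (r for r in csv.reader(io.StringIO(flow_text)) if r)
    flows = sorted(
        (int(ts), src, int(sp), dst, int(dp)) for ts, src, sp, dst, dp in rows
    )
    last_hit = {}   # host -> time of its most recent inbound AV_PORT flow
    findings = []
    for ts, src, _sp, dst, dp in flows:
        if dp == AV_PORT:
            last_hit[dst] = ts
        elif dp == REPLY_PORT and src in last_hit:
            # Only report replies that follow the 2967 hit closely in time.
            if ts - last_hit[src] <= window:
                findings.append((src, last_hit[src], dst, ts))
    return findings

if __name__ == "__main__":
    for host, hit, peer, reply in correlate(SAMPLE):
        print(f"{host}: port {AV_PORT} hit at {hit}, "
              f"sent to {peer}:{REPLY_PORT} at {reply}")
```

Hosts it reports are candidates for a full packet capture, not confirmed infections.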

Port 8555 appears to be constantly trying to connect to an AWS server from my Hikvision cameras. The IPs it's trying to reach are 54.236.134.176 and 54.208.66.255
Anonymous
Interesting. We have certainly seen some infected Hikvision systems. Do you have the ability to capture packets, or get a list of running processes on the system? Use our contact form to submit data privately or email to handlers - @ - isc.sans.edu.
Johannes

ISC Handler
