Port 2967 - Firewalls


Thread: Port 2967

  1. Re: Port 2967

    On Sun, 24 Dec 2006 20:19:59 +0100, Sebastian Gottschalk
    wrote:

    >ASMx4 wrote:
    >
    >> On Sat, 23 Dec 2006 11:44:14 +1100, JC wrote:
    >>
    >>>Hi,
    >>>
    >>>I have noticed a large number of TCP attacks on port 2967 being dropped by my
    >>>firewall. This appears to be associated with Symantec SSC Agent whatever that
    >>>does.
    >>>
    >>>Are others seeing this also?

    >>
    >> First of all, ignore SG. He's a dick.

    >
    >First of all, ignore ASMx4. He's a dick. He tells you to ignore other
    >people for no good reason, and he's spamming around with an invalid eMail
    >address.
    >
    >> Yeah, I've been getting a few dozen hits a day, too.

    >
    >Fine.
    >Means: You don't have an explanation either.
    >Means: You're also too dumb/stupid/lazy to STFW.


    "dick" strikes again


  2. Re: Port 2967

    ASMx4 wrote:

    > "dick" strikes again


    Indeed. Now, would you, "dick", please stay quiet? kthxbye

  3. Re: Port 2967

    Anders wrote:
    > JC wrote:
    >> Hi,
    >>
    >> I have noticed a large number of TCP attacks on port 2967 being
    >> dropped by my firewall. This appears to be associated with Symantec
    >> SSC Agent whatever that does.
    >>
    >> Are others seeing this also?

    >
    > I do get a couple of dozen or so, all coming from this NODEX-NET in
    > Russia.
    > 83.243.77.59 and 83.243.77.241 stand for the biggest part of them.
    >
    > inetnum: 83.243.72.0 - 83.243.79.255
    > netname: NODEX-NET
    > org: ORG-NL22-RIPE
    > descr: Fiber Optic Network
    > country: RU
    >
    > Would it help to block the route-address?
    > route: 83.243.72.0/21


    Mine are coming from a site in the U.K.:

    Checking IP: 81.29.70.36...
    Name: www.5starwebsites.co.uk
    IP: 81.29.70.36
    Domain: 5starwebsites.co.uk

    I've blacklisted the port in Shorewall, so hits don't clutter the log.

    Jim Ford
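
The two replies above report different sources for the same port 2967 probes, which bears on whether blocking the single route 83.243.72.0/21 would help. As an added example (not code from any poster in this thread), the script below tallies dropped TCP hits on port 2967 per source and splits them by whether they fall inside that route. The log lines are constructed in netfilter LOG style, and 192.0.2.10 is a documentation address standing in for the firewall.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample drop lines; source addresses are the ones quoted in the thread.
SAMPLE_LOG = """\
Dec 23 11:02:14 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=83.243.77.59 DST=192.0.2.10 PROTO=TCP SPT=4312 DPT=2967 SYN
Dec 23 11:02:17 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=83.243.77.59 DST=192.0.2.10 PROTO=TCP SPT=4312 DPT=2967 SYN
Dec 23 11:40:51 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=83.243.77.241 DST=192.0.2.10 PROTO=TCP SPT=1188 DPT=2967 SYN
Dec 23 12:15:03 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=81.29.70.36 DST=192.0.2.10 PROTO=TCP SPT=3620 DPT=2967 SYN
Dec 23 12:15:09 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=81.29.70.36 DST=192.0.2.10 PROTO=TCP SPT=3621 DPT=445 SYN
Dec 23 12:30:44 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=83.243.77.59 DST=192.0.2.10 PROTO=UDP SPT=4400 DPT=2967
"""

FIELD = re.compile(r"\b(SRC|PROTO|DPT)=(\S+)")
ROUTE = ipaddress.ip_network("83.243.72.0/21")  # route quoted in the thread


def hits_by_source(log_text, port=2967):
    """Count dropped TCP packets aimed at `port`, keyed by source address."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        if (fields.get("PROTO") == "TCP"
                and fields.get("DPT") == str(port)
                and "SRC" in fields):
            counts[ipaddress.ip_address(fields["SRC"])] += 1
    return counts


def route_coverage(counts, network=ROUTE):
    """Return (hits from inside `network`, hits from everywhere else)."""
    inside = sum(n for ip, n in counts.items() if ip in network)
    return inside, sum(counts.values()) - inside


if __name__ == "__main__":
    counts = hits_by_source(SAMPLE_LOG)
    for ip, n in counts.most_common():
        where = "inside" if ip in ROUTE else "outside"
        print(f"{ip}\t{n}\t{where} {ROUTE}")
    inside, outside = route_coverage(counts)
    print(f"blocking {ROUTE} would cover {inside} of {inside + outside} hits")
```

On the constructed sample, a block on the route alone leaves the hits from the other source untouched, whereas a rule on the destination port covers every source.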

  4. Re: Port 2967-New Variant? W32.IrcBot

    I think this is a new variant of W32.IRCBOT

    Anyone killed it yet?


    Jim Ford wrote:
    > Anders wrote:
    > > JC wrote:
    > >> Hi,
    > >>
    > >> I have noticed a large number of TCP attacks on port 2967 being
    > >> dropped by my firewall. This appears to be associated with Symantec
    > >> SSC Agent whatever that does.
    > >>
    > >> Are others seeing this also?

    > >
    > > I do get a couple of dozen or so, all coming from this NODEX-NET in
    > > Russia.
    > > 83.243.77.59 and 83.243.77.241 stand for the biggest part of them.
    > >
    > > inetnum: 83.243.72.0 - 83.243.79.255
    > > netname: NODEX-NET
    > > org: ORG-NL22-RIPE
    > > descr: Fiber Optic Network
    > > country: RU
    > >
    > > Would it help to block the route-address?
    > > route: 83.243.72.0/21

    >
    > Mine are coming from a site in the U.K.:
    >
    > Checking IP: 81.29.70.36...
    > Name: www.5starwebsites.co.uk
    > IP: 81.29.70.36
    > Domain: 5starwebsites.co.uk
    >
    > I've blacklisted the port in Shorewall, so hits don't clutter the log.
    >
    > Jim Ford



  5. Re: Port 2967-New Variant? W32.IrcBot

    asksuzan@gmail.com wrote:

    > I think this is a new variant of W32.IRCBOT


    This is an exploit for a recently patched vulnerability in Symantec SSC
    Agent and its variants, as has been extensively discussed. There are
    various malware generations trying to exploit it, not just your generic
    W32.IRCBOT.

    > Anyone killed it yet?


    Killed? How's that supposed to work? The Symantec stuff is running with
    SYSTEM privileges, thus a successful exploit means that the entire system
    was compromised. There's no way to recover from such a scenario without a
    complete safe boot-strapping process, which usually means to flatten and
    rebuild the entire system (or having a recent backup, having checksums or a
    well-known safe state for determining the modification).

  6. Re: Port 2967

    On Tue, 26 Dec 2006 01:05:01 +0100, Sebastian Gottschalk
    wrote:

    >ASMx4 wrote:
    >
    >> "dick" strikes again

    >
    >Indeed. Now, would you, "dick", please stay quiet? kthxbye


    People, I just want to say, you know, can we all get along?
