Port 2967 - Firewalls



Thread: Port 2967

  1. Port 2967

    Hi,

    I have noticed a large number of TCP attacks on port 2967 being dropped by my
    firewall. This appears to be associated with Symantec SSC Agent whatever that
    does.

    Are others seeing this also?
    --

    Cheers . . . JC

  2. Re: Port 2967

    JC wrote:

    > I have noticed a large number of TCP attacks on port 2967 being dropped by my
    > firewall. This appears to be associated with Symantec SSC Agent whatever that
    > does.
    >
    > Are others seeing this also?


    Read some news, will ya?

  3. Re: Port 2967

    On Sat, 23 Dec 2006 11:44:14 +1100, JC wrote:
    > Hi,
    >
    > I have noticed a large number of TCP attacks on port 2967 being dropped by my
    > firewall. This appears to be associated with Symantec SSC Agent whatever that
    > does.
    >
    > Are others seeing this also?


    look for yourself
    http://isc.sans.org/port_details.php?port=2967
    http://www.dshield.org//port_report.php?port=2967

  4. Re: Port 2967

    On Sat, 23 Dec 2006 11:44:14 +1100, JC wrote:

    >Hi,
    >
    >I have noticed a large number of TCP attacks on port 2967 being dropped by my
    >firewall. This appears to be associated with Symantec SSC Agent whatever that
    >does.
    >
    >Are others seeing this also?


    First of all, ignore SG. He's a dick. Actually, since he acts like a
    dick in the newsgroups, he probably doesn't have one.

    Yeah, I've been getting a few dozen hits a day, too.


  5. Re: Port 2967

    ASMx4 wrote:

    > On Sat, 23 Dec 2006 11:44:14 +1100, JC wrote:
    >
    >>Hi,
    >>
    >>I have noticed a large number of TCP attacks on port 2967 being dropped by my
    >>firewall. This appears to be associated with Symantec SSC Agent whatever that
    >>does.
    >>
    >>Are others seeing this also?

    >
    > First of all, ignore SG. He's a dick.


    First of all, ignore ASMx4. He's a dick. He tells you to ignore other
    people for no good reason, and he's spamming around with an invalid eMail
    address.

    > Yeah, I've been getting a few dozen hits a day, too.


    Fine.
    Means: You don't have an explanation either.
    Means: You're also too dumb/stupid/lazy to STFW.

  6. Re: Port 2967

    JC wrote:
    > Hi,
    >
    > I have noticed a large number of TCP attacks on port 2967 being dropped by my
    > firewall. This appears to be associated with Symantec SSC Agent whatever that
    > does.
    >
    > Are others seeing this also?


    I do get a couple of dozen or so, all coming from this NODEX-NET in
    Russia.
    83.243.77.59 and 83.243.77.241 account for the biggest part of them.

    inetnum: 83.243.72.0 - 83.243.79.255
    netname: NODEX-NET
    org: ORG-NL22-RIPE
    descr: Fiber Optic Network
    country: RU

    Would it help to block the route-address?
    route: 83.243.72.0/21
    --
    /Anders
    -It is a terrible way to kill you self, this crucifying.
    -It's no way you be able to hammer in the last nail!
    The manic-depressive character 'Neil' from 'the Young one's'

  7. Re: Port 2967

    On Sun, 24 Dec 2006 20:52:47 GMT, Anders wrote:

    >JC wrote:
    >> Hi,
    >>
    >> I have noticed a large number of TCP attacks on port 2967 being dropped by my
    >> firewall. This appears to be associated with Symantec SSC Agent whatever that
    >> does.
    >>
    >> Are others seeing this also?

    >
    >I do get a couple of dozen or so, all coming from this NODEX-NET in
    >Russia.
    >83.243.77.59 and 83.243.77.241 account for the biggest part of them.
    >
    >inetnum: 83.243.72.0 - 83.243.79.255
    >netname: NODEX-NET
    >org: ORG-NL22-RIPE
    >descr: Fiber Optic Network
    >country: RU
    >
    >Would it help to block the route-address?
    >route: 83.243.72.0/21


    I am receiving them from a number of Asian IP address ranges and some European
    IP address ranges. So far nothing from the addresses above.
    --

    Cheers . . . JC
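
Added example, not part of the thread: before blocking a whole route, it helps to measure how much of the dropped port 2967 traffic that prefix actually accounts for. The sketch below converts the whois `inetnum` range quoted above into CIDR form and tallies dropped TCP/2967 attempts per source; the log line format and the sample log are constructed for illustration and are not from any poster's firewall.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample drop log; the line format is an assumption, not any
# particular firewall's. 192.0.2.x / 198.51.100.x / 203.0.113.x are
# documentation addresses; the two 83.243.77.x sources are those named above.
SAMPLE_LOG = """\
2006-12-24T20:01:11 DROP TCP src=83.243.77.59 dst=192.0.2.10 dport=2967
2006-12-24T20:01:40 DROP TCP src=83.243.77.241 dst=192.0.2.10 dport=2967
2006-12-24T20:02:05 DROP TCP src=83.243.77.59 dst=192.0.2.10 dport=2967
2006-12-24T20:03:17 DROP TCP src=198.51.100.23 dst=192.0.2.10 dport=2967
2006-12-24T20:04:52 DROP TCP src=203.0.113.77 dst=192.0.2.10 dport=445
2006-12-24T20:05:09 DROP TCP src=203.0.113.8 dst=192.0.2.10 dport=2967
2006-12-24T20:06:30 DROP UDP src=83.243.77.59 dst=192.0.2.10 dport=2967
"""

LINE_RE = re.compile(
    r"DROP (?P<proto>\w+) src=(?P<src>\S+) dst=\S+ dport=(?P<dport>\d+)")


def range_to_cidrs(first, last):
    """Convert a whois inetnum range into the CIDR prefixes that cover it."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def port_hits(log_text, port=2967, proto="TCP"):
    """Count dropped connection attempts to one port, keyed by source address."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m["proto"] == proto and int(m["dport"]) == port:
            hits[ipaddress.ip_address(m["src"])] += 1
    return hits


def share_from_network(hits, network):
    """Return (hits from inside network, total hits)."""
    inside = sum(n for ip, n in hits.items() if ip in network)
    return inside, sum(hits.values())


if __name__ == "__main__":
    (prefix,) = range_to_cidrs("83.243.72.0", "83.243.79.255")
    hits = port_hits(SAMPLE_LOG)
    inside, total = share_from_network(hits, prefix)
    print(f"{prefix}: {inside} of {total} dropped TCP/2967 attempts")
    for ip, n in hits.most_common():
        print(f"  {ip}  {n}")
```

If the share from one prefix is small, as JC's observation of many Asian and European source ranges suggests, a single route block changes little and the port-level drop rule is what is doing the work.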

  8. Re: Port 2967

    Anders wrote:

    > Would it help to block the route-address?
    > route: 83.243.72.0/21


    Yes, it would help reducing your connectivity for no good reason.

  9. Re: Port 2967

    JC wrote:
    > On Sun, 24 Dec 2006 20:52:47 GMT, Anders wrote:
    >
    >> JC wrote:
    >>> Hi,
    >>>
    >>> I have noticed a large number of TCP attacks on port 2967 being dropped by my
    >>> firewall. This appears to be associated with Symantec SSC Agent whatever that
    >>> does.
    >>>
    >>> Are others seeing this also?

    >> I do get a couple of dozen or so, all coming from this NODEX-NET in
    >> Russia.
    >> 83.243.77.59 and 83.243.77.241 account for the biggest part of them.
    >>
    >> inetnum: 83.243.72.0 - 83.243.79.255
    >> netname: NODEX-NET
    >> org: ORG-NL22-RIPE
    >> descr: Fiber Optic Network
    >> country: RU
    >>
    >> Would it help to block the route-address?
    >> route: 83.243.72.0/21

    >
    > I am receiving them from a number of Asian IP address ranges and some European
    > IP address ranges. So far nothing from the addresses above.


    I found this article about the TCP traffic on the port.
    http://www.techweb.com/showArticle.j...leId=196701740

    --
    /Anders
    -It is a terrible way to kill you self, this crucifying.
    -It's no way you be able to hammer in the last nail!
    The manic-depressive character 'Neil' from 'the Young one's'

  10. Re: Port 2967

    Sebastian Gottschalk wrote:
    > Anders wrote:
    >
    >> Would it help to block the route-address?
    >> route: 83.243.72.0/21

    >
    > Yes, it would help reducing your connectivity for no good reason.


    In what way will "my" connectivity be reduced..?
    I am not the one trying to connect to my self.
    --
    /Anders
    -It is a terrible way to kill you self, this crucifying.
    -It's no way you be able to hammer in the last nail!
    The manic-depressive character 'Neil' from 'the Young one's'

  11. Re: Port 2967

    Anders wrote:

    >>> Would it help to block the route-address?
    >>> route: 83.243.72.0/21

    >>
    >> Yes, it would help reducing your connectivity for no good reason.

    >
    > In what way will "my" connectivity be reduced..?


    You're blocking this subnet. Thus, you cannot connect to these computers
    when you actually want something from them (f.e. via P2P file sharing).

    > I am not the one trying to connect to my self.


    What's that supposed to mean? You're behaving as if unsolicited connection
    attempts would be malicious, rather than being the normal modus operandi of
    many protocols spoken on the internet.

  12. Re: Port 2967

    Sebastian Gottschalk wrote:
    > Anders wrote:
    >
    >>>> Would it help to block the route-address?
    >>>> route: 83.243.72.0/21
    >>> Yes, it would help reducing your connectivity for no good reason.

    >> In what way will "my" connectivity be reduced..?

    >
    > You're blocking this subnet. Thus, you cannot connect to these computers
    > when you actually want something from them (f.e. via P2P file sharing).


    I don't have interest in P2P or any type of file sharing with Russia.

    >> I am not the one trying to connect to my self.

    >
    > What's that supposed to mean?


    It means that I block traffic from (not to).

    > You're behaving as if unsolicited connection
    > attempts would be malicious, rather than being the normal modus operandi of
    > many protocols spoken on the internet.


    I have a small LAN merely for Sweden and Swedish users, meaning that I
    actually am blocking anything that is not accurate to that.
    So if I see traffic that is from countries known for misbehaving like spam
    or things like trying to make connections where there should not be any,
    they are blocked out.
    --
    /Anders
    -It is a terrible way to kill you self, this crucifying.
    -It's no way you be able to hammer in the last nail!
    The manic-depressive character 'Neil' from 'the Young one's'

  13. Re: Port 2967

    In article <4va11sF1bjd5sU1@mid.dfncis.de>, seppi@seppig.de says...
    > Anders wrote:
    >
    > >>> Would it help to block the route-address?
    > >>> route: 83.243.72.0/21
    > >>
    > >> Yes, it would help reducing your connectivity for no good reason.

    > >
    > > In what way will "my" connectivity be reduced..?

    >
    > You're blocking this subnet. Thus, you cannot connect to these computers
    > when you actually want something from them (f.e. via P2P file sharing).


    You should only allow access to what you want access to, and that means
    you could block access to that entire subnet. Maybe he doesn't need
    anything from Amsterdam.

    The first rule of network security is block everything and then allow
    what is really needed.

    > > I am not the one trying to connect to my self.

    >
    > What's that supposed to mean? You're behaving as if unsolicited connection
    > attempts would be malicious, rather than being the normal modus operandi of
    > many protocols spoken on the internet.


    Unsolicited connections can and often are a probe to determine if there
    is something to connect to. In most cases unless you are working with
    customers outside of your country or area, it's perfectly fine to block
    access to/from many countries' subnets - while it's not perfect, it does
    cut down on the probes, traffic, and attempts at malicious activity.

    I block about 30 subnets (/24 /16 /8) in most of our firewalls because
    we've seen what they are attempting - such as nodes in China accessing
    our FTP ports, trying for hours to connect, when they have no business
    reason to connect to our FTP servers.


    --

    spam999free@rrohio.com
    remove 999 in order to email me

  14. Re: Port 2967

    Anders wrote:

    >> You're blocking this subnet. Thus, you cannot connect to these computers
    >> when you actually want something from them (f.e. via P2P file sharing).

    >
    > I don't have interest in P2P or any type of file sharing with Russia.


    "f.e." means "for example". What about websites hosted somewhere in this
    subnet? What about eMail?

    BTW, you later stated that you're just administrating the net for the
    users. What if they want to do P2P?

    >>> I am not the one trying to connect to my self.

    >>
    >> What's that supposed to mean?

    >
    > It means that I block traffic from (not to).


    OK, and WHY? Because they're gently asking for if you've some service
    running? Utterly stupid!

    > So if I see traffic that is from countries known for misbehaving like spam
    > or things like trying to make connections where there should not be any,
    > they are blocked out.


    Except that these connections should be there. And that your reasoning is
    flawed, since it doesn't solve anything, but creates negative side effects
    (especially for the users).

  15. Re: Port 2967

    In article <4va6ioF1b8g0aU1@mid.dfncis.de>, seppi@seppig.de says...
    > >> What's that supposed to mean?

    > >
    > > It means that I block traffic from (not to).

    >
    > OK, and WHY? Because they're gently asking for if you've some service
    > running? Utterly stupid!
    >
    > > So if I see traffic that is from countries known for misbehaving like spam
    > > or things like trying to make connections where there should not be any,
    > > they are blocked out.

    >
    > Except that these connections should be there. And that your reasoning is
    > flawed, since it doesn't solve anything, but creates negative side effects
    > (especially for the users).


    Sebastian - your entire concept of security is flawed. If something is
    probing your network that you don't want to probe it, then by all means
    it should be blocked.

    There is no reason to allow access to ports from unknown sources "just
    because". There is no reason to allow a network access to the entire
    internet "just because".

    If there is no reason to allow users access to Amsterdam, then why allow
    it. All open access does is permit exploits that may or may not be there
    now or sometime in the future.

    It's really funny that you don't understand the first rule of security -
    only allow access to what is "Needed".

    --

    spam999free@rrohio.com
    remove 999 in order to email me

  16. Re: Port 2967

    Sebastian Gottschalk wrote:
    > Anders wrote:
    >
    >>> You're blocking this subnet. Thus, you cannot connect to these computers
    >>> when you actually want something from them (f.e. via P2P file sharing).

    >> I don't have interest in P2P or any type of file sharing with Russia.

    >
    > "f.e." means "for example". What about websites hosted somewhere in this
    > subnet? What about eMail?
    >
    > BTW, you later stated that you're just administrating the net for the
    > users. What if they want to do P2P?
    >
    >>>> I am not the one trying to connect to my self.
    >>> What's that supposed to mean?

    >> It means that I block traffic from (not to).

    >
    > OK, and WHY? Because they're gently asking for if you've some service
    > running? Utterly stupid!


    It's a great way to make rules so you in the end only have from, in my
    case Sweden.
    You seem to lack the understanding of how, and where the blocking is done.
    It is not a rule set on the Internet or my ISP, it is a rule in my
    firewall, meaning that if I want to connect to some subnet (that is in
    my rule-set) I will get that connection, because the rule is for
    incoming not outgoing.

    And I don't want to win millions of $ or .

    >> So if I see traffic that is from countries known for misbehaving like spam
    >> or things like trying to make connections where there should not be any,
    >> they are blocked out.

    >
    > Except that these connections should be there. And that your reasoning is
    > flawed, since it doesn't solve anything, but creates negative side effects
    > (especially for the users).


    Yes, but there is nothing that states that I have to allow it on my LAN.
    --
    /Anders
    -It is a terrible way to kill you self, this crucifying.
    -It's no way you be able to hammer in the last nail!
    The manic-depressive character 'Neil' from 'the Young one's'

  17. Re: Port 2967

    Leythos wrote:

    > There is no reason to allow access to ports from unknown sources "just
    > because". There is no reason to allow a network access to the entire
    > internet "just because".
    >
    > If there is no reason to allow users access to Amsterdam, then why allow
    > it. All open access does is permit exploits that may or may not be there
    > now or sometime in the future.
    >
    > It's really funny that you don't understand the first rule of security -
    > only allow access to what is "Needed".
    >


    Amen =)

    --
    /Anders
    -It is a terrible way to kill you self, this crucifying.
    -It's no way you be able to hammer in the last nail!
    The manic-depressive character 'Neil' from 'the Young one's'

  18. Re: Port 2967

    In article ,
    andersajja@hotmail.com says...
    > Sebastian Gottschalk wrote:
    > > Anders wrote:
    > >
    > >>> You're blocking this subnet. Thus, you cannot connect to these computers
    > >>> when you actually want something from them (f.e. via P2P file sharing).
    > >> I don't have interest in P2P or any type of file sharing with Russia.

    > >
    > > "f.e." means "for example". What about websites hosted somewhere in this
    > > subnet? What about eMail?
    > >
    > > BTW, you later stated that you're just administrating the net for the
    > > users. What if they want to do P2P?
    > >
    > >>>> I am not the one trying to connect to my self.
    > >>> What's that supposed to mean?
    > >> It means that I block traffic from (not to).

    > >
    > > OK, and WHY? Because they're gently asking for if you've some service
    > > running? Utterly stupid!

    >
    > It's a great way to make rules so you in the end only have from, in my
    > case Sweden.
    > You seem to lack the understanding of how, and where the blocking is done.
    > It is not a rule set on the Internet or my ISP, it is a rule in my
    > firewall, meaning that if I want to connect to some subnet (that is in
    > my rule-set) I will get that connection, because the rule is for
    > incoming not outgoing.
    >
    > And I don't want to win millions of $ or .


    I like the "because they're GENTLY ASKING".... Yea, and the SQL Slammer
    worm was gently asking if port 1433/1434 was open, as were the worms
    that exploited IIS/Apache flaws....

    If it probes you and you don't need it to have access to your network,
    then block it - it's a basic concept.

    > >> So if I see traffic that is from countries known for misbehaving like spam
    > >> or things like trying to make connections where there should not be any,
    > >> they are blocked out.

    > >
    > > Except that these connections should be there. And that your reasoning is
    > > flawed, since it doesn't solve anything, but creates negative side effects
    > > (especially for the users).

    >
    > Yes, but there is nothing that states that I have to allow it on my LAN.


    And you should block it at your firewall, always, unless you have a
    business/personal need.

    --

    spam999free@rrohio.com
    remove 999 in order to email me

  19. Re: Port 2967

    Leythos wrote:

    > I like the "because they're GENTLY ASKING".... Yea, and the SQL Slammer
    > worm was gently asking if port 1433/1434 was open, as were the worms
    > that exploited IIS/Apache flaws....


    In this case I think it is some sort of a worm or malware, because
    probing the port 2967 on TCP is no normal activity.

    --
    /Anders
    -It is a terrible way to kill you self, this crucifying.
    -It's no way you be able to hammer in the last nail!
    The manic-depressive character 'Neil' from 'the Young one's'

  20. Re: Port 2967

    In article ,
    andersajja@hotmail.com says...
    > Leythos wrote:
    >
    > > I like the "because they're GENTLY ASKING".... Yea, and the SQL Slammer
    > > worm was gently asking if port 1433/1434 was open, as were the worms
    > > that exploited IIS/Apache flaws....

    >
    > In this case I think it is some sort of a worm or malware, because
    > probing the port 2967 on TCP is no normal activity.


    Symantec Client Communication uses 2967.

    Rtvscan
    Rtvscan makes a request to Winsock for TCP port 2967 on IP-based
    networks. This is the only port needed for default client-to-server
    communication. On NetWare servers, Rtvscan.nlm listens on TCP port 2968.

    It would seem that the host is trying to take control of a Symantec
    Exploit that was patched a long time ago, but, hey, it's "Gently" asking


    http://www.juniper.net/security/auto.../vuln3356.html

    More details listed above - and hey, it's just gently probing for an
    exploit


    --

    spam999free@rrohio.com
    remove 999 in order to email me
