Port Details - Port 2967

Date    First series  Second series
Aug 07  38            71,062
Aug 08  90            10,215
Aug 09  182           10,927
Aug 10  67            9,982
Aug 11  51            74,792
Aug 12  52            10,848
Aug 13  55            11,343
Aug 14  192           10,733
Aug 15  90            52,928
Aug 16  52            11,504
Aug 17  43            12,403
Aug 18  53            14,489
Aug 19  52            14,447
Aug 20  51            15,080
Aug 21  96            45,059
Aug 22  75            77,465
Aug 23  94            80,329
Aug 24  56            68,719
Aug 25  86            18,425
Aug 26  155           35,437
Aug 27  90            37,544
Aug 28  85            16,191
Aug 29  118           18,764
Aug 30  144           40,269
Aug 31  142           18,915
Sep 01  64            19,667
Sep 02  37            82,069
Sep 03  34            80,664
Sep 04  75            38,341
Sep 05  132           12,906
Sep 06  129           15,625

Port Information

Protocol  Service    Name
tcp       ssc-agent  Symantec System Center
udp       ssc-agent  Symantec System Center

User Comment

Submitted By: Joe Kluwecksinski
Date: 2009-10-04 18:45:22
Comment:
Recent tcp 2967 traffic appears to be related to an IRC BOT mostly aimed at colleges, but others, too. This link gives a rather good explanation of the exploit http://asert.arbornetworks.com/2006/11/that-new-bot-irc-bot-attacking-symantec-overflow/ Helpful hints: Look in C/windows for w32svc.exe. That's a bad thing if you have it. Also, look in services for "Windows Network Firewall", another bad thing.

Submitted By: CJ
Date: 2008-04-29 18:23:10
Comment:
Did anyone notice the heaviest target numbers on this port are nearly always around the 1st and the 15th?

Date: 2008-04-29 18:22:39
Comment:
Exploits an overflow condition in Symantec AV Corp. Masquerades as msupdates.exe, nod33.exe and wauclt.exe. Bot also connects back to an IRC server on a non-standard port. Lives in %windir%\system32 and is set as hidden and read only. Makes many registry changes to the netbt hive under HKLM\System\CurrentControlSet\Services and to the HKLM\SOFTWARE\Microsoft\Windows run and OLE keys. Runs IP scans en masse to discover other hosts to infect.

CVE Links

CVE #: CVE-2006-2630
Description: "Stack-based buffer overflow in Symantec Antivirus 10.1 and Client Security 3.1 allows remote attackers to execute arbitrary code via unknown attack vectors."