Port Details - Port 2967

[Graph: daily activity on port 2967, Jun 29 to Jul 29]

Port Information

| Protocol | Service | Name |
|---|---|---|
| tcp | ssc-agent | Symantec System Center |
| udp | ssc-agent | Symantec System Center |

User Comment

Submitted by: Joe Kluwecksinski
Date: 2009-10-04 18:45:22
Comment: Recent tcp 2967 traffic appears to be related to an IRC BOT mostly aimed at colleges, but others, too. This link gives a rather good explanation of the exploit http://asert.arbornetworks.com/2006/11/that-new-bot-irc-bot-attacking-symantec-overflow/ Helpful hints: Look in C/windows for w32svc.exe. That's a bad thing if you have it. Also, look in services for "Windows Network Firewall", another bad thing.

Submitted by: CJ
Date: 2008-04-29 18:23:10
Comment: Did anyone notice the heaviest target numbers on this port are nearly always around the 1st and the 15th?

Date: 2008-04-29 18:22:39
Comment: Exploits an overflow condition in Symantec AV Corp. Masquerades as msupdates.exe, nod33.exe and wauclt.exe. Bot also connects back to an IRC server on a non-standard port. Lives in %windir%\system32 and is set as hidden and read only. Makes many registry changes to the netbt hive under HKLM\System\CurrentControlSet\Services and to the HKLM\SOFTWARE\Microsoft\Windows run and OLE keys. Runs IP scans en masse to discover other hosts to infect.

CVE Links

| CVE # | Description |
|---|---|
| CVE-2006-2630 | "Stack-based buffer overflow in Symantec Antivirus 10.1 and Client Security 3.1 allows remote attackers to execute arbitrary code via unknown attack vectors." |