Port 8555 and 2967 activity

Published: 2006-12-22
Last Updated: 2006-12-22 23:40:01 UTC
by Mark Hofman (Version: 1)
A reader reported an infection on one of their machines. On further investigation, it looks like there is a quite significant increase in activity on ports 8555 and 2967.

Port 2967 is used by Symantec AV (Corp edition, managed clients only). The limited number of packets we currently have show traffic hitting port 2967 and responding to port 8555. Looking at the DShield information for 8555, there has been a significant increase in traffic to this port since December 20, suggesting that there may be infected machines already out there. Port 2967 has had its ups and downs over the last few weeks, but is also increasing.

To do further analysis we need packets. So if you have any captures relating to these ports, please pass them along to us using the contact form.
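
One way to triage your own flow logs for the pattern described above, as an added example that is not part of the original diary. It assumes one reading of that pattern (a host receives traffic on port 2967 and then sends to destination port 8555 within a time window); the CSV layout, the addresses and the 60-second window are constructed for illustration.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample flow records (documentation address ranges), not real captures.
SAMPLE_FLOWS = """\
ts,src,sport,dst,dport
2006-12-22T10:00:00,198.51.100.7,40112,192.0.2.10,2967
2006-12-22T10:00:05,192.0.2.10,1045,198.51.100.7,8555
2006-12-22T10:02:00,203.0.113.9,51515,192.0.2.20,2967
2006-12-22T10:30:00,192.0.2.20,1050,203.0.113.50,8555
2006-12-22T11:00:00,192.0.2.30,1060,203.0.113.77,8555
"""

def load_flows(text):
    """Parse CSV flow records into dicts with typed fields, sorted by time."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "ts": datetime.fromisoformat(r["ts"]),
            "src": r["src"], "dst": r["dst"],
            "sport": int(r["sport"]), "dport": int(r["dport"]),
        })
    return sorted(rows, key=lambda f: f["ts"])

def correlate(flows, window_seconds=60):
    """Return hosts hit on 2967 that then send to port 8555 within the window."""
    window = timedelta(seconds=window_seconds)
    last_hit = {}   # host -> (time, remote peer) of most recent inbound 2967
    findings = []
    for f in flows:
        if f["dport"] == 2967:
            last_hit[f["dst"]] = (f["ts"], f["src"])
        elif f["dport"] == 8555 and f["src"] in last_hit:
            hit_ts, peer = last_hit[f["src"]]
            if f["ts"] - hit_ts <= window:
                findings.append({
                    "host": f["src"], "hit_from": peer, "sent_to": f["dst"],
                    "delay_s": int((f["ts"] - hit_ts).total_seconds()),
                })
    return findings

if __name__ == "__main__":
    for hit in correlate(load_flows(SAMPLE_FLOWS)):
        print(hit)
```

Hosts flagged this way are candidates for a full packet capture, which is what the analysis above still needs.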

Port 8555 appears to be constantly trying to connect to an AWS server from my Hikvision cameras. The IPs it's trying to reach are and
Interesting. We have certainly seen some infected Hikvision systems. Do you have the ability to capture packets, or get a list of running processes on the system? Use our contact form to submit data privately or email to handlers - @ - isc.sans.edu.

