[Dshield] 2967/TCP (SSC-AGENT) Scans

dshield.org at keithbergen.com
Wed Jan 10 17:49:41 GMT 2007


Is this new release with respect to any sort of attack or bug? I noticed
that the top 2 & 3 ports as reported by dshield users are 2967 & 2968, and
that those only seem to have started since mid-December. I don't recall
seeing any discussion around those ports on this list.

Keith.

-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of Jeferson.Propheta at dana.com
Sent: Wednesday, January 10, 2007 7:24 AM
To: list at lists.dshield.org
Subject: Re: [Dshield] 2967/TCP (SSC-AGENT) Scans


New Symantec release now available, MR for SAV CE 10.1.5.5010 ** strongly
recommended **
2967/tcp is a port used to manage SAV clients; 139, 445, 135 are used to
deliver signatures and other features like a reporting server agent,
quarantine and more.
5900 is the VNC port; various VNC versions still have unfixed flaws. Update
available: ultravnc.sourceforge.net
Best regards

jeferson propheta







list-request at lists.dshield.org
Sent by: list-bounces at lists.dshield.org
10/01/2007 10:00
Please respond to: list at lists.dshield.org

To: list at lists.dshield.org
cc:
Subject: list Digest, Vol 49, Issue 8






Today's Topics:

   1. DShield Redesign / new login (Johannes B. Ullrich)
   2. Re: 2967/TCP (SSC-AGENT) Scans (Olivier Meyer)
   3. Re: DShield Redesign / new login (Freddie Sorensen)
   4. Re: DShield Redesign / new login (Johannes B. Ullrich)
   5. Re: DShield Redesign / new login (Freek de Kruijf)
   6. Re: Help decoding Hotmail URLs (Paul Melson)
   7. Re: DShield Redesign / new login (Johannes B. Ullrich)
   8. Re: DShield Redesign / new login (John Pedersen)
   9. incident summary page for AS number? (Yiming Gong)
  10. Re: DShield Redesign / new login (John B. Holmblad)

----- Message from "Johannes B. Ullrich" <jullrich at euclidian.com> on Mon, 08 Jan 2007 17:29:54 -0500 -----
To: list at lists.dshield.org
Subject: [Dshield] DShield Redesign / new login

  The new DShield site is now live and working. This morning we had some
performance issues as everybody rushed in to play with it, but now
things should be cleared up.

  Some of the problems were related to the login / password reset
feature. If you have already a DShield account, it should work, and your
password is your userid. This morning, it may not have worked because
the database had most e-mail addresses in all upper case. But this is
fixed now. Use all lower case for your e-mail address.


  Once logged in, you can change your password. But please note that for
now, you will still have to use your numeric user id to identify your
reports.

  In order to report bugs, please use the sourceforge bug tracker (see
link in the footer of the site).





----- Message from "Olivier Meyer" <roguefugu at gmail.com> on Mon, 8 Jan 2007 20:33:25 -0700 -----
To: "General DShield Discussion List" <list at lists.dshield.org>
Subject: Re: [Dshield] 2967/TCP (SSC-AGENT) Scans

Same here!
I regularly get SYNs to 445, 139, 135, and especially 2967.
Of course, running OpenBSD does not expose me to any risk...

On 1/7/07, Robert Nelson <nelsrob at mts.net> wrote:
> I'm wondering if some little bot/trojan/whatever isn't busy scanning.
> I've noticed scans of that port on my local DSL neighborhood,
> too, along with 5900, 445, 135, 139, 1433...
>
> Robert
>
> -----Original Message-----
> From: list-bounces at lists.dshield.org
> [mailto:list-bounces at lists.dshield.org] On Behalf Of Jon R. Kibler
> Sent: January 7, 2007 1:11 PM
> To: General DShield Discussion List
> Subject: [Dshield] 2967/TCP (SSC-AGENT) Scans
>
>
> Hi,
>
> Just looked at weekly scan stats. Port 2967/tcp is now the top blocked
> port and almost 1.5x the number of VNC scans, the next most
> frequently scanned port. (Most amazing, ssh scans have dropped to 10th
> place!)
>
> Is there a new Symantec exploit, or is this still trying to exploit the
> vulnerability first reported last summer?
>
> Jon
> --
> Jon R. Kibler
> Chief Technical Officer
> A.S.E.T., Inc.
> Charleston, SC  USA
> (843) 849-8214
>
> _________________________________________
>
> SANS 2007 March 29 - April 6 in San Diego, CA offers 52 Courses
> taught by our top rated instructors plus a huge vendor tools expo.
> Register Today! http://www.sans.org/info/2501 (BROCHURECODE: ISC)
>


-- 
--
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)


----- Message from "Freddie Sorensen" <freddie at parawebic.com> on Tue, 9 Jan 2007 18:06:14 +0100 -----
To: "'General DShield Discussion List'" <list at lists.dshield.org>
Subject: Re: [Dshield] DShield Redesign / new login

I cannot confirm my profile - every time I try, it returns me to the login
page

-----Original Message-----
From: list-bounces at lists.dshield.org 
[mailto:list-bounces at lists.dshield.org]
On Behalf Of Johannes B. Ullrich
Sent: Montag, 8. Januar 2007 23:30
To: list at lists.dshield.org
Subject: [Dshield] DShield Redesign / new login


  The new DShield site is now live and working. This morning we had some
performance issues as everybody rushed in to play with it, but now things
should be cleared up.

  Some of the problems were related to the login / password reset feature.
If you have already a DShield account, it should work, and your password is
your userid. This morning, it may not have worked because the database had
most e-mail addresses in all upper case. But this is fixed now. Use all
lower case for your e-mail address.


  Once logged in, you can change your password. But please note that for
now, you will still have to use your numeric user id to identify your
reports.

  In order to report bugs, please use the sourceforge bug tracker (see link
in the footer of the site).








----- Message from "Johannes B. Ullrich" <jullrich at sans.org> on Tue, 09 Jan 2007 12:36:20 -0500 -----
To: General DShield Discussion List <list at lists.dshield.org>
Subject: Re: [Dshield] DShield Redesign / new login

Freddie Sorensen wrote:
> I cannot confirm my profile - every time I try, it returns me to the
> login page

if you are having issues like this, send me your e-mail address and
userid off-list.



> 
> -----Original Message-----
> From: list-bounces at lists.dshield.org
> [mailto:list-bounces at lists.dshield.org]
> On Behalf Of Johannes B. Ullrich
> Sent: Montag, 8. Januar 2007 23:30
> To: list at lists.dshield.org
> Subject: [Dshield] DShield Redesign / new login
>
>
>   The new DShield site is now live and working. This morning we had some
> performance issues as everybody rushed in to play with it, but now things
> should be cleared up.
>
>   Some of the problems were related to the login / password reset feature.
> If you have already a DShield account, it should work, and your password is
> your userid. This morning, it may not have worked because the database had
> most e-mail addresses in all upper case. But this is fixed now. Use all
> lower case for your e-mail address.
>
>
>   Once logged in, you can change your password. But please note that for
> now, you will still have to use your numeric user id to identify your
> reports.
>
>   In order to report bugs, please use the sourceforge bug tracker (see link
> in the footer of the site).

-- 
---------
Johannes Ullrich                        http://isc.sans.org

PGP Key: https://secure.dshield.org/PGPKEYS


----- Message from Freek de Kruijf <f.de.kruijf at hetnet.nl> on Tue, 9 Jan 2007 18:47:25 +0100 -----
To: General DShield Discussion List <list at lists.dshield.org>
Subject: Re: [Dshield] DShield Redesign / new login

On Tuesday 9 January 2007 18:36, Johannes B. Ullrich wrote:
> Freddie Sorensen wrote:
> > I cannot confirm my profile - every time I try, it returns me to the
> > login page
>
> if you are having issues like this, send me your e-mail address and
> userid off-list.

I had the same problem, and used "new password" or something similar. You
don't need to give your old password. You will receive an e-mail with a
confirmation URL. The first URL did not work, so I did change the
password a second time, as is suggested. After that I received a second
confirmation URL and that one worked. Now I can log in.

-- 
fr.gr.

Freek de Kruijf


----- Message from "Paul Melson" <pmelson at gmail.com> on Tue, 9 Jan 2007 13:59:01 -0500 -----
To: "'General DShield Discussion List'" <list at lists.dshield.org>
Subject: Re: [Dshield] Help decoding Hotmail URLs

-----Original Message-----
Subject: [Dshield] Help decoding Hotmail URLs


> Does anyone have any experience in decoding the Hotmail URLs as logged by
> an M$ ISA server?

What do you mean by 'decoding'?

In mail-sent POSTs, the message is sent in plain text with some encoding of
punctuation and whitespace characters.  User IDs are usually present in the
session cookies.  I don't recall any uniquely identifiable data being in the
URL, however, so if that's all you have in the ISA logs, they may not be
enough.


> We have an e-mail sent from a Hotmail account, from internal to our
> network, to a user on our network. I can see from proxy logs who was
> accessing hotmail at the time, but need to break it down a bit further
> before jumping on folks PC's.

I wouldn't wait to collect data from PCs, especially if this is a situation
where HR and/or law enforcement need to be involved.  I'd start taking
images of all of the possible client machines now before any more evidence
is lost.


> Would it be fair to say that the entire session would have been against
> by21fd.bay21.hotmail.msn.com ?

You can almost be guaranteed that this is NOT the case.  Most Hotmail (and
MSN Messenger) sessions will be across several servers, typically somewhere
between 2-5 servers depending on the length of the session.


PaulM



----- Message from "Johannes B. Ullrich" <jullrich at sans.org> on Tue, 09 Jan 2007 14:45:31 -0500 -----
To: General DShield Discussion List <list at lists.dshield.org>
Subject: Re: [Dshield] DShield Redesign / new login

Freek de Kruijf wrote:
> On Tuesday 9 January 2007 18:36, Johannes B. Ullrich wrote:
>> Freddie Sorensen wrote:
>>> I cannot confirm my profile - every time I try, it returns me to the
>>> login page
>> if you are having issues like this, send me your e-mail address and
>> userid off-list.
>
> I had the same problem, and used "new password" or something similar.
> You don't need to give your old password. You will receive an e-mail with
> a confirmation URL. The first URL did not work, so I did change the
> password a second time, as is suggested. After that I received a second
> confirmation URL and that one worked. Now I can log in.

early yesterday we had some severe performance issues with the new site.
Some of the password reset emails may have not worked right as a result.

btw: If you were able to log in, but got logged out after a couple of
pages: this issue should be fixed now.



-- 
---------
Johannes Ullrich                        http://isc.sans.org

PGP Key: https://secure.dshield.org/PGPKEYS


----- Message from "John Pedersen" <ismgr at groupomni.com> on Tue, 9 Jan 2007 14:02:04 -0600 -----
To: "'General DShield Discussion List'" <list at lists.dshield.org>
Subject: Re: [Dshield] DShield Redesign / new login

I had the same problem 

-----Original Message-----
From: list-bounces at lists.dshield.org 
[mailto:list-bounces at lists.dshield.org]
On Behalf Of Freddie Sorensen
Sent: Tuesday, January 09, 2007 11:06 AM
To: 'General DShield Discussion List'
Subject: Re: [Dshield] DShield Redesign / new login

I cannot confirm my profile - every time I try, it returns me to the login
page



----- Message from "Yiming Gong" <gongym at gmail.com> on Tue, 9 Jan 2007 15:07:05 -0600 -----
To: list at lists.dshield.org
Subject: [Dshield] incident summary page for AS number?

Seems I can't find the link for AS incidents summary on new ISC site,
query like http://isc.sans.org/aslookup.html?as=asnum (which worked
before) now just gets an error message

"Sorry, the page you where looking for could not be displayed at this time."

Am I missing something here?

Thanks

Yiming


----- Message from "John B. Holmblad" <jholmblad at aol.com> on Tue, 09 Jan 2007 17:58:52 -0500 -----
To: General DShield Discussion List <list at lists.dshield.org>
Subject: Re: [Dshield] DShield Redesign / new login

Johannes,


fyi, when I click on the worldmap at the myISC www site nothing
happens.. I have tried this with both FF and IE7.

Best Regards,

John Holmblad

Televerage International

GSEC Gold, GCWN Gold, GGSC-0100, NSA-IAM, NSA-IEM

Information security, telecommunications, and information technology
consulting

(M) 703 407 2278
(F) 703 620 5388

primary email address:  jholmblad at aol.com
backup email address:  jholmblad at verizon.net


Johannes B. Ullrich wrote:
>   The new DShield site is now live and working. This morning we had some
> performance issues as everybody rushed in to play with it, but now
> things should be cleared up.
>
>   Some of the problems were related to the login / password reset
> feature. If you have already a DShield account, it should work, and your
> password is your userid. This morning, it may not have worked because
> the database had most e-mail addresses in all upper case. But this is
> fixed now. Use all lower case for your e-mail address.
>
>
>   Once logged in, you can change your password. But please note that for
> now, you will still have to use your numeric user id to identify your
> reports.
>
>   In order to report bugs, please use the sourceforge bug tracker (see
> link in the footer of the site).




