[Dshield] 2967/TCP (SSC-AGENT) Scans

Ronnie.Miller at shawinc.com Ronnie.Miller at shawinc.com
Wed Jan 10 18:44:43 GMT 2007


Take a look at W32.Spybot.ANDM 
(http://www.symantec.com/security_response/writeup.jsp?docid=2007-010316-2308-99&tabid=2) 
 .  One of the vulnerabilities it attempts to exploit is documented in 
Symantec Advisory SYM06-010 - Symantec Client Security and Symantec 
AntiVirus Elevation of Privilege 
(http://securityresponse.symantec.com/avcenter/security/Content/2006.05.25.html.)

Ronnie


list-bounces at lists.dshield.org wrote on 01/10/2007 01:19:47 PM:

> Judging by the release documentation, No.   All of the Fix IDs I see 
> listed related to PP1 and MP1 appear to be more stability and other 
> similar program updates rather then a remote security glitch.
> 
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid_p/2006050314483048
> 
> The activity on the 2 ports in question is related to problems 
> reported last May.
> http://www.symantec.com/avcenter/security/Content/2006.05.25.html
> 
> There was discussion at the ISC (and I thought this list in 
> November/December) about port 2967/tcp
> http://isc.sans.org/diary.html?storyid=1893
> http://isc.sans.org/diary.html?storyid=1947
> http://isc.sans.org/diary.html?storyid=1992
> 
> Port 2968/tcp is the Symantec AV Corporate Edition for Netware 
> management port and it is presumed that they are hitting the same 
> vulnerability that the windows clients have been getting hit with 
> over the past month a half.
> 
> Scott Fendley
> Univ of Arkansas
> 
> 
> At 11:49 AM 1/10/2007, dshield.org at keithbergen.com wrote:
> >Is this new release with respect to any sort of attack or bug? I 
noticed
> >that the top 2 & 3 ports as reported by dshield users are 2967 & 2968, 
and
> >that those only seem to have started since mid-December. I don't recall
> >seeing any discussion around those ports on this list.
> >
> >Keith.
> >
> >-----Original Message-----
> >From: list-bounces at lists.dshield.org 
[mailto:list-bounces at lists.dshield.org]
> >On Behalf Of Jeferson.Propheta at dana.com
> >Sent: Wednesday, January 10, 2007 7:24 AM
> >To: list at lists.dshield.org
> >Subject: Re: [Dshield] 2967/TCP (SSC-AGENT) Scans
> >
> >
> >New Symantec Release now available, MR for SAV CE 10.1.5.5010 ** 
strongly
> >recommended **
> >2967/tcp, is a port used to manage sav clients, 139, 445, 135 used to
> >delivery signatures and another features like a reporting server agent,
> >quarentine and more,
> >5900 vnc port, various vnc version still have unfixed flaws. update
> >available: ultravnc.sourceforge.net
> >best regards
> >
> >jeferson propheta
> 
> _________________________________________
> 
> SANS 2007 March 29 - April 6 in San Diego, CA offers 52 Courses
> taught by our top rated instructors plus a huge vendor tools expo.
> Register Today! http://www.sans.org/info/2501 (BROCHURECODE: ISC)
> 

**********************************************************
Privileged and/or confidential information may be contained in this message. If you are not the addressee indicated in this message (or are not responsible for delivery of this message to that person) , you may not copy or deliver this message to anyone. In such case, you should destroy this message and notify the sender by reply e-mail.
If you or your employer do not consent to Internet e-mail for messages of this kind, please advise the sender.
Shaw Industries does not provide or endorse any opinions, conclusions or other information in this message that do not relate to the official business of the company  or its subsidiaries.
**********************************************************


More information about the list mailing list