[Dshield] 2967/TCP (SSC-AGENT) Scans

Scott Fendley scottf at uark.edu
Wed Jan 10 20:13:57 GMT 2007


Yup. I see that spybot variant listed. It is a new malware sample.
But that sample is using the same attack and vulnerability that they
have been after since late November. Same old, same old.

If you are using Symantec Antivirus Corporate Edition > 10.1.0.396 or
Symantec Client Security Corporate Edition > 3.1.0.396, or the
client is not in managed mode, then you are safe from this.

Scott

At 12:44 PM 1/10/2007, Ronnie.Miller at shawinc.com wrote:
>Take a look at W32.Spybot.ANDM
>(http://www.symantec.com/security_response/writeup.jsp?docid=2007-010316-2308-99&tabid=2).
>One of the vulnerabilities it attempts to exploit is documented in
>Symantec Advisory SYM06-010 - Symantec Client Security and Symantec
>AntiVirus Elevation of Privilege
>(http://securityresponse.symantec.com/avcenter/security/Content/2006.05.25.html).
>
>Ronnie
>
>
>list-bounces at lists.dshield.org wrote on 01/10/2007 01:19:47 PM:
>
> > Judging by the release documentation, No. All of the Fix IDs I see
> > listed related to PP1 and MP1 appear to be more stability and other
> > similar program updates rather than a remote security glitch.
> >
> > http://service1.symantec.com/SUPPORT/ent-security.nsf/docid_p/2006050314483048
> >
> > The activity on the 2 ports in question is related to problems
> > reported last May.
> > http://www.symantec.com/avcenter/security/Content/2006.05.25.html
> >
> > There was discussion at the ISC (and I thought this list in
> > November/December) about port 2967/tcp
> > http://isc.sans.org/diary.html?storyid=1893
> > http://isc.sans.org/diary.html?storyid=1947
> > http://isc.sans.org/diary.html?storyid=1992
> >
> > Port 2968/tcp is the Symantec AV Corporate Edition for Netware
> > management port and it is presumed that they are hitting the same
> > vulnerability that the Windows clients have been getting hit with
> > over the past month and a half.
> >
> > Scott Fendley
> > Univ of Arkansas
> >
> >
> > At 11:49 AM 1/10/2007, dshield.org at keithbergen.com wrote:
> > >Is this new release with respect to any sort of attack or bug? I noticed
> > >that the top 2 & 3 ports as reported by dshield users are 2967 & 2968, and
> > >that those only seem to have started since mid-December. I don't recall
> > >seeing any discussion around those ports on this list.
> > >
> > >Keith.
> > >
> > >-----Original Message-----
> > >From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
> > >On Behalf Of Jeferson.Propheta at dana.com
> > >Sent: Wednesday, January 10, 2007 7:24 AM
> > >To: list at lists.dshield.org
> > >Subject: Re: [Dshield] 2967/TCP (SSC-AGENT) Scans
> > >
> > >
> > >New Symantec Release now available, MR for SAV CE 10.1.5.5010 ** strongly
> > >recommended **
> > >2967/tcp is a port used to manage sav clients, 139, 445, 135 used to
> > >deliver signatures and other features like a reporting server agent,
> > >quarantine and more,
> > >5900 vnc port, various vnc versions still have unfixed flaws. update
> > >available: ultravnc.sourceforge.net
> > >best regards
> > >
> > >jeferson propheta