Port 2967

Port 2967

on 23.12.2006 01:44:14 by JC

Hi,

I have noticed a large number of TCP attacks on port 2967 being dropped by my
firewall. This appears to be associated with Symantec SSC Agent whatever that
does.

Are others seeing this also?
--

Cheers . . . JC

Re: Port 2967

on 23.12.2006 10:00:55 by unknown

Post removed (X-No-Archive: yes)

Re: Port 2967

on 23.12.2006 10:09:44 by Bit Twister

On Sat, 23 Dec 2006 11:44:14 +1100, JC wrote:
> Hi,
>
> I have noticed a large number of TCP attacks on port 2967 being dropped by my
> firewall. This appears to be associated with Symantec SSC Agent whatever that
> does.
>
> Are others seeing this also?

look for yourself
http://isc.sans.org/port_details.php?port=2967
http://www.dshield.org//port_report.php?port=2967

Re: Port 2967

on 24.12.2006 20:13:14 by unknown

Post removed (X-No-Archive: yes)

Re: Port 2967

on 24.12.2006 20:19:59 by unknown

Post removed (X-No-Archive: yes)

Re: Port 2967

on 24.12.2006 21:52:47 by Anders

JC wrote:
> Hi,
>
> I have noticed a large number of TCP attacks on port 2967 being dropped by my
> firewall. This appears to be associated with Symantec SSC Agent whatever that
> does.
>
> Are others seeing this also?

I do get a couple of dozen or so; all are coming from this NODEX-NET in
Russia.
83.243.77.59 and 83.243.77.241 make up the biggest part of them.

inetnum: 83.243.72.0 - 83.243.79.255
netname: NODEX-NET
org: ORG-NL22-RIPE
descr: Fiber Optic Network
country: RU

Would it help to block the route-address?
route: 83.243.72.0/21
--
/Anders
-It is a terrible way to kill yourself, this crucifying.
-It's no way you be able to hammer in the last nail!
The manic-depressive character 'Neil' from 'The Young Ones'

Re: Port 2967

on 25.12.2006 07:34:00 by JC

On Sun, 24 Dec 2006 20:52:47 GMT, Anders wrote:

>JC wrote:
>> Hi,
>>
>> I have noticed a large number of TCP attacks on port 2967 being dropped by my
>> firewall. This appears to be associated with Symantec SSC Agent whatever that
>> does.
>>
>> Are others seeing this also?
>
>I do get a couple of dozen or so; all are coming from this NODEX-NET in
>Russia.
>83.243.77.59 and 83.243.77.241 make up the biggest part of them.
>
>inetnum: 83.243.72.0 - 83.243.79.255
>netname: NODEX-NET
>org: ORG-NL22-RIPE
>descr: Fiber Optic Network
>country: RU
>
>Would it help to block the route-address?
>route: 83.243.72.0/21

I am receiving them from a number of Asian IP address ranges and some European
IP address ranges. So far nothing from the addresses above.
--

Cheers . . . JC

Re: Port 2967

on 25.12.2006 10:25:41 by unknown

Post removed (X-No-Archive: yes)

Re: Port 2967

on 25.12.2006 12:09:55 by Anders

JC wrote:
> On Sun, 24 Dec 2006 20:52:47 GMT, Anders wrote:
>
>> JC wrote:
>>> Hi,
>>>
>>> I have noticed a large number of TCP attacks on port 2967 being dropped by my
>>> firewall. This appears to be associated with Symantec SSC Agent whatever that
>>> does.
>>>
>>> Are others seeing this also?
>> I do get a couple of dozen or so; all are coming from this NODEX-NET in
>> Russia.
>> 83.243.77.59 and 83.243.77.241 make up the biggest part of them.
>>
>> inetnum: 83.243.72.0 - 83.243.79.255
>> netname: NODEX-NET
>> org: ORG-NL22-RIPE
>> descr: Fiber Optic Network
>> country: RU
>>
>> Would it help to block the route-address?
>> route: 83.243.72.0/21
>
> I am receiving them from a number of Asian IP address ranges and some European
> IP address ranges. So far nothing from the addresses above.

I found this article about the TCP traffic on the port.
http://www.techweb.com/showArticle.jhtml?articleId=196701740

--
/Anders
-It is a terrible way to kill yourself, this crucifying.
-It's no way you be able to hammer in the last nail!
The manic-depressive character 'Neil' from 'The Young Ones'

Re: Port 2967

on 25.12.2006 12:10:34 by Anders

Sebastian Gottschalk wrote:
> Anders wrote:
>
>> Would it help to block the route-address?
>> route: 83.243.72.0/21
>
> Yes, it would help reduce your connectivity for no good reason.

In what way will "my" connectivity be reduced?
I am not the one trying to connect to myself.
--
/Anders
-It is a terrible way to kill yourself, this crucifying.
-It's no way you be able to hammer in the last nail!
The manic-depressive character 'Neil' from 'The Young Ones'

Re: Port 2967

on 25.12.2006 14:11:15 by unknown

Post removed (X-No-Archive: yes)

Re: Port 2967

on 25.12.2006 15:04:27 by Anders

Sebastian Gottschalk wrote:
> Anders wrote:
>
>>>> Would it help to block the route-address?
>>>> route: 83.243.72.0/21
>>> Yes, it would help reduce your connectivity for no good reason.
>> In what way will "my" connectivity be reduced?
>
> You're blocking this subnet. Thus, you cannot connect to these computers
> when you actually want something from them (f.e. via P2P file sharing).

I don't have interest in P2P or any type of file sharing with Russia.

>> I am not the one trying to connect to myself.
>
> What's that supposed to mean?

It means that I block traffic from (not to).

> You're behaving as if unsolicited connection
> attempts would be malicious, rather than being the normal modus operandi of
> many protocols spoken on the internet.

I have a small LAN merely for Sweden and Swedish users, meaning that I
am actually blocking anything that does not fit that.
So if I see traffic from countries known for misbehaving, like spam
or trying to make connections where there should not be any,
they are blocked out.
--
/Anders
-It is a terrible way to kill yourself, this crucifying.
-It's no way you be able to hammer in the last nail!
The manic-depressive character 'Neil' from 'The Young Ones'

Re: Port 2967

on 25.12.2006 15:09:47 by unknown

Post removed (X-No-Archive: yes)

Re: Port 2967

on 25.12.2006 15:45:34 by unknown

Post removed (X-No-Archive: yes)

Re: Port 2967

on 25.12.2006 16:25:12 by unknown

Post removed (X-No-Archive: yes)

Re: Port 2967

on 25.12.2006 16:38:12 by Anders

Sebastian Gottschalk wrote:
> Anders wrote:
>
>>> You're blocking this subnet. Thus, you cannot connect to these computers
>>> when you actually want something from them (f.e. via P2P file sharing).
>> I don't have interest in P2P or any type of file sharing with Russia.
>
> "f.e." means "for example". What about websites hosted somewhere in this
> subnet? What about eMail?
>
> BTW, you later stated that you're just administrating the net for the
> users. What if they want to do P2P?
>
>>>> I am not the one trying to connect to myself.
>>> What's that supposed to mean?
>> It means that I block traffic from (not to).
>
> OK, and WHY? Because they're gently asking for if you've some service
> running? Utterly stupid!

It's a great way to make rules so that in the end you only have from, in my
case, Sweden.
You seem to lack the understanding of how, and where, the blocking is done.
It is not a rule set on the Internet or at my ISP; it is a rule in my
firewall, meaning that if I want to connect to some subnet (that is in
my rule-set) I will get that connection, because the rule is for
incoming, not outgoing.

And I don't want to win millions of $ or €.

>> So if I see traffic from countries known for misbehaving, like spam
>> or trying to make connections where there should not be any,
>> they are blocked out.
>
> Except that these connections should be there. And that your reasoning is
> flawed, since it doesn't solve anything, but creates negative side effects
> (especially for the users).

Yes, but there is nothing that states that I have to allow it on my LAN.
--
/Anders
-It is a terrible way to kill yourself, this crucifying.
-It's no way you be able to hammer in the last nail!
The manic-depressive character 'Neil' from 'The Young Ones'

Re: Port 2967

on 25.12.2006 16:42:25 by Anders

Leythos wrote:

> There is no reason to allow access to ports from unknown sources "just
> because". There is no reason to allow a network access to the entire
> internet "just because".
>
> If there is no reason to allow users access to Amsterdam, then why allow
> it. All open access does is permit exploits that may or may not be there
> now or sometime in the future.
>
> It's really funny that you don't understand the first rule of security -
> only allow access to what is "Needed".
>

Amen =)

--
/Anders
-It is a terrible way to kill yourself, this crucifying.
-It's no way you be able to hammer in the last nail!
The manic-depressive character 'Neil' from 'The Young Ones'

Re: Port 2967

on 25.12.2006 16:48:13 by unknown

Post removed (X-No-Archive: yes)

Re: Port 2967

on 25.12.2006 16:59:03 by Anders

Leythos wrote:

> I like the "because they're GENTLY ASKING".... Yea, and the SQL Slammer
> worm was gently asking if port 1433/1434 was open, as were the worms
> that exploited IIS/Apache flaws....

In this case I think it is some sort of worm or malware, because
probing port 2967 on TCP is not normal activity.

--
/Anders
-It is a terrible way to kill yourself, this crucifying.
-It's no way you be able to hammer in the last nail!
The manic-depressive character 'Neil' from 'The Young Ones'

Re: Port 2967

on 25.12.2006 17:42:30 by unknown

Post removed (X-No-Archive: yes)

Re: Port 2967

on 25.12.2006 19:33:09 by unknown

Post removed (X-No-Archive: yes)

Re: Port 2967

on 26.12.2006 01:05:01 by unknown

Post removed (X-No-Archive: yes)

Re: Port 2967

on 26.12.2006 13:12:48 by Jim Ford

Anders wrote:
> JC wrote:
>> Hi,
>>
>> I have noticed a large number of TCP attacks on port 2967 being
>> dropped by my
>> firewall. This appears to be associated with Symantec SSC Agent
>> whatever that
>> does.
>>
>> Are others seeing this also?
>
> I do get a couple of dozen or so; all are coming from this NODEX-NET in
> Russia.
> 83.243.77.59 and 83.243.77.241 make up the biggest part of them.
>
> inetnum: 83.243.72.0 - 83.243.79.255
> netname: NODEX-NET
> org: ORG-NL22-RIPE
> descr: Fiber Optic Network
> country: RU
>
> Would it help to block the route-address?
> route: 83.243.72.0/21

Mine are coming from a site in the U.K.:

Checking IP: 81.29.70.36...
Name: www.5starwebsites.co.uk
IP: 81.29.70.36
Domain: 5starwebsites.co.uk

I've blacklisted the port in Shorewall, so hits don't clutter the log.

Jim Ford
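An added example, not posted by anyone in this thread: before deciding whether a subnet block such as the 83.243.72.0/21 suggested above would even matter, it helps to tally the dropped TCP/2967 hits per source address from the firewall log and see how many fall inside the candidate block. The Shorewall-style kernel log lines below are constructed (the 192.0.2.10 destination is a documentation address); the source addresses are the ones quoted in the thread.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of Shorewall/iptables-style DROP log lines (not taken from the thread).
SAMPLE_LOG = """\
Dec 24 20:01:12 gw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=83.243.77.59 DST=192.0.2.10 PROTO=TCP SPT=3456 DPT=2967
Dec 24 20:01:15 gw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=83.243.77.241 DST=192.0.2.10 PROTO=TCP SPT=3457 DPT=2967
Dec 24 20:02:40 gw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=81.29.70.36 DST=192.0.2.10 PROTO=TCP SPT=1025 DPT=2967
Dec 24 20:03:01 gw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=83.243.77.59 DST=192.0.2.10 PROTO=TCP SPT=3458 DPT=2967
Dec 24 20:03:30 gw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=2048 DPT=445
"""

# Pull the source address, protocol and destination port out of a netfilter log line.
LINE_RE = re.compile(r"SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)")


def hits_by_source(log_text, port=2967, proto="TCP"):
    """Count dropped connection attempts to port/proto, keyed by source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("proto") == proto and int(m.group("dpt")) == port:
            counts[m.group("src")] += 1
    return counts


def coverage_of_block(counts, cidr):
    """Return (hits inside cidr, hits outside cidr): what an inbound block on cidr would catch."""
    net = ipaddress.ip_network(cidr)
    inside = outside = 0
    for src, n in counts.items():
        if ipaddress.ip_address(src) in net:
            inside += n
        else:
            outside += n
    return inside, outside


if __name__ == "__main__":
    hits = hits_by_source(SAMPLE_LOG)
    for src, n in hits.most_common():
        print(f"{src:16} {n}")
    inside, outside = coverage_of_block(hits, "83.243.72.0/21")
    print(f"83.243.72.0/21 would cover {inside} of {inside + outside} hits")
```

Run it against `/var/log/messages` (or wherever Shorewall logs) instead of SAMPLE_LOG to see whether most probes really come from one network or, as JC reports, from many unrelated ranges that a single subnet block would not touch.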

Re: Port 2967-New Variant? W32.IrcBot

on 03.01.2007 01:16:23 by asksuzan

I think this is a new variant of W32.IRCBOT

Any one killed it yet?


Jim Ford wrote:
> Anders wrote:
> > JC wrote:
> >> Hi,
> >>
> >> I have noticed a large number of TCP attacks on port 2967 being
> >> dropped by my
> >> firewall. This appears to be associated with Symantec SSC Agent
> >> whatever that
> >> does.
> >>
> >> Are others seeing this also?
> >
> > I do get a couple of dozen or so; all are coming from this NODEX-NET in
> > Russia.
> > 83.243.77.59 and 83.243.77.241 make up the biggest part of them.
> >
> > inetnum: 83.243.72.0 - 83.243.79.255
> > netname: NODEX-NET
> > org: ORG-NL22-RIPE
> > descr: Fiber Optic Network
> > country: RU
> >
> > Would it help to block the route-address?
> > route: 83.243.72.0/21
>
> Mine are coming from a site in the U.K.:
>
> Checking IP: 81.29.70.36...
> Name: www.5starwebsites.co.uk
> IP: 81.29.70.36
> Domain: 5starwebsites.co.uk
>
> I've blacklisted the port in Shorewall, so hits don't clutter the log.
>
> Jim Ford

Re: Port 2967-New Variant? W32.IrcBot

on 03.01.2007 03:47:17 by unknown

Post removed (X-No-Archive: yes)

Re: Port 2967

on 03.01.2007 16:57:57 by unknown

Post removed (X-No-Archive: yes)