Port 8555 and 2967 activity
A reader reported an infection on one of their machines. On investigating it further it looks like there is increased activity (quite significant increase) on ports 8555 and 2967.
2967 is used by Symantec AV (Corp edition, managed clients only). The limited number of packets we currently have show traffic hitting the 2967 port and responding to port 8555. Looking at the dshield information for 8555 there is a significant increase in traffic to this port since December 20, suggesting that there may be infected machines already out there. Port 2967 has had its ups and downs over the last few weeks, but is also increasing.
To do further analysis we need packets. So if you have any captures relating to these ports please pass them along to us using the contact form.
Mark
ISC Handler on Duty
2967 is used by Symantec AV (Corp edition, managed clients only). The limited number of packets we currently have show traffic hitting the 2967 port and responding to port 8555. Looking at the dshield information for 8555 there is a significant increase in traffic to this port since December 20, suggesting that there may be infected machines already out there. Port 2967 has had its ups and downs over the last few weeks, but is also increasing.
To do further analysis we need packets. So if you have any captures relating to these ports please pass them along to us using the contact form.
Mark
ISC Handler on Duty
Keywords:
2 comment(s)
×
Diary Archives
Comments
Anonymous
Dec 3rd 2015
9 years ago
Anonymous
Dec 3rd 2015
9 years ago