Today one of our Handlers notice an interesting anomaly in the Dshield data. Since late March Dshield has seen a significant increase in the number of sources using port 2967 for scanning. Traditionally there has been some activity on this port, but in late March the number of sources increased approximately six times and the number of targets increased by about 50%. After a few days the sources settled down to about double the traditional value.
Most likely this has something to do with the recent Symantec vulnerabilities, but we here at the ISC would be interested in any insight anybody can shed on this activity. We would be especially interested in packet captures from traffic of this nature.
If you have any information that may help, please contact us.
-- Rick Wanner rwanner at isc dot sans dot org
May 2nd 2009
9 years ago