Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: Port 2968 big rise - related to Symantec AV? SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms: https://isctv.sans.edu

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Port 2968 big rise - related to Symantec AV?

Port 2968 is getting quite a jump recently. Take a look at the graph below.

Port 2968 Graph

We suspect the jump is due to the recent Symantec AV 10.1 exploitation. The previous exploits generally hit on port 2967 since that's the port that Symantec AV listens on (for Windows). According to documentation from Symantec, port 2968 is only used for AV running on Netware servers. We are not sure at this point whether the attackers are targeting Netware server since other hosts have all been exploited already or if Symantec AV listens on port 2968 as a backup port. If you have any info on the port 2968 traffic, please let us know.

 Jason

93 Posts
ISC Handler
Jan 11th 2007
Subscribe Jan 11th 2007
1 decade ago
I have been experiencing many odd firewall notifications in my Mac. A file named Ruby appears to have enabled options such as: bluetooth, screens appear then disappear, Unix has users and passwords in the programming that block me from making changes in login, unable to delete files without passwords (that I did not set up). This file is embedded in the OS X software and Unix itself, and is NOT a part of my programming. Which makes me wonder if other computers start up systems that are left vulnerable to intrusion also?
 Anonymous
Quote Oct 4th 2015
4 years ago

Sign Up for Free or Log In to start participating in the conversation!