RE: Port 2848

From: Malin, Scott M (Scott.Malin@aetna.com)
Date: 12/20/02

    From: "Malin, Scott M" <Scott.Malin@aetna.com>
    To: "'Mahoney, Paul'" <paul@fiberstarr.com>, nathan.grandbois@cerdant.com, "'Security Focus (E-mail)'" <security-basics@securityfocus.com>
    Date: Fri, 20 Dec 2002 14:49:32 -0500
    
    

    Ok, here's the solution: you can search on Document ID 2000122012575248 and
    hit this one doc from the public Symantec KB.
    ----------------------------------------------------------------------------
    Document ID: 2000122012575248
    Last Modified: 12/18/2002
    Which ports are used for communication in Symantec Quarantine Server 2.0? 
    Situation:
    You want to know which TCP ports are used by the Symantec Quarantine Server
    version 2.0 to communicate with the Symantec Security Response (formerly
    known as SARC) auto-response server to submit quarantined files. You want to
    know whether opening these ports at the firewall will expose your network to
    security risks.
    Solution:
    By default, Symantec Quarantine Server 2.0 communicates with the Symantec
    Security Response auto-response server using the static ports 2847 and 2848,
    and only requires that outbound traffic be enabled. These ports are used by
    the Quarantine Server to submit viruses using the Scan and Deliver option.
    These ports are closed after the submission is completed. Symantec Quarantine
    Server also connects to the Internet using port 80 to obtain virus
    definition updates. Opening these ports at the firewall to allow outbound
    traffic from the Symantec Quarantine Server should not pose a security
    threat.
    Product(s): Norton AntiVirus Corporate Edition 7.0
    Operating System(s): Windows 2000, Windows NT 4.0, Windows NT 3.51
    Date Created: 12/20/2000 
    -----Original Message-----
    From: Mahoney, Paul [mailto:paul@fiberstarr.com] 
    Sent: Thursday, December 19, 2002 5:09 PM
    To: nathan.grandbois@cerdant.com; 'Security Focus (E-mail)'
    Subject: RE: Port 2848
    Hi all,
    I don't want to jump the gun and make this something it's not, but this
    posting bears a very similar resemblance to an issue I was working on with a
    client.
    At approximately 13 minute intervals my client was seeing repeat traffic
    through his network to very similar addresses from a handful of clients.
    This was so bad it was choking his internet connection.
    After some analysis of log files we had some machines to work on; we
    discovered on each machine there was an illegally downloaded copy of Norton
    AntiVirus that continually (13 min approx intervals) was downloading
    update files and not applying them; therefore, it would continually repeat
    the process throughout the day.
    Could this be a DDoS?
    Paul Mahoney
    -----Original Message-----
    From: Nathan [mailto:nathan.grandbois@cerdant.com] 
    Sent: Wednesday, December 18, 2002 8:30 AM
    To: Security Focus (E-mail)
    Subject: Port 2848
    I don't know if this is the proper forum for this question so if it's not
    I'm sorry.
    Appended is an excerpt of a log off of one of our firewalls. I think that
    this guy is using AIM but I can't determine. The only thing I could come up
    with for port 2847 is the AIMPP-Port Req (from all the port lists) and
    nothing for 2848. 192.168.100.2 tries to connect to 206.204.212.226 on port
    2847 then 2 minutes later to 206.204.52.98 on port 2848 then again to
    206.204.212.226 13 minutes later and the pattern repeats. Do you think this
    has anything to do with AIM or could it be some other software application
    that uses these ports and the port listing for 2847 is not entirely correct?
    12/16/2002 00:01:03.656 - TCP connection dropped - Source:192.168.100.2, 1333, LAN - Destination:206.204.52.98, 2848, WAN
    12/16/2002 00:14:08.256 - TCP connection dropped - Source:192.168.100.2, 1741, LAN - Destination:206.204.212.226, 2847, WAN
    12/16/2002 00:16:04.848 - TCP connection dropped - Source:192.168.100.2, 1796, LAN - Destination:206.204.52.98, 2848, WAN
    12/16/2002 00:29:09.752 - TCP connection dropped - Source:192.168.100.2, 2204, LAN - Destination:206.204.212.226, 2847, WAN
    12/16/2002 00:31:06.096 - TCP connection dropped - Source:192.168.100.2, 2257, LAN - Destination:206.204.52.98, 2848, WAN
    12/16/2002 00:44:10.928 - TCP connection dropped - Source:192.168.100.2, 2690, LAN - Destination:206.204.212.226, 2847, WAN
    12/16/2002 00:46:07.320 - TCP connection dropped - Source:192.168.100.2, 2745, LAN - Destination:206.204.52.98, 2848, WAN
    12/16/2002 00:59:12.192 - TCP connection dropped - Source:192.168.100.2, 3154, LAN - Destination:206.204.52.98, 2847, WAN
    12/16/2002 01:01:08.368 - TCP connection dropped - Source:192.168.100.2, 3209, LAN - Destination:206.204.52.98, 2848, WAN
    12/16/2002 01:14:13.464 - TCP connection dropped - Source:192.168.100.2, 3615, LAN - Destination:206.204.212.226, 2847, WAN
    12/16/2002 01:16:09.384 - TCP connection dropped - Source:192.168.100.2, 3672, LAN - Destination:206.204.212.226, 2848, WAN
    12/16/2002 01:29:14.656 - TCP connection dropped - Source:192.168.100.2, 4069, LAN - Destination:206.204.52.98, 2847, WAN
    12/16/2002 01:31:10.544 - TCP connection dropped - Source:192.168.100.2, 4131, LAN - Destination:206.204.212.226, 2848, WAN
    12/16/2002 01:44:15.768 - TCP connection dropped - Source:192.168.100.2, 4558, LAN - Destination:206.204.52.98, 2847, WAN
    12/16/2002 01:46:11.768 - TCP connection dropped - Source:192.168.100.2, 4623, LAN - Destination:206.204.212.226, 2848, WAN
    12/16/2002 01:59:17.048 - TCP connection dropped - Source:192.168.100.2, 1052, LAN - Destination:206.204.212.226, 2847, WAN
    12/16/2002 02:01:12.896 - TCP connection dropped - Source:192.168.100.2, 1124, LAN - Destination:206.204.52.98, 2848, WAN
    12/16/2002 02:14:18.224 - TCP connection dropped - Source:192.168.100.2, 1529, LAN - Destination:206.204.212.226, 2847, WAN
    12/16/2002 02:16:14.128 - TCP connection dropped - Source:192.168.100.2, 1589, LAN - Destination:206.204.52.98, 2848, WAN
    12/16/2002 02:29:20.928 - TCP connection dropped - Source:192.168.100.2, 1996, LAN - Destination:206.204.52.98, 2847, WAN
    12/16/2002 02:31:15.624 - TCP connection dropped - Source:192.168.100.2, 2046, LAN - Destination:206.204.212.226, 2848, WAN
    12/16/2002 02:44:22.224 - TCP connection dropped - Source:192.168.100.2, 2475, LAN - Destination:206.204.212.226, 2847, WAN
    12/16/2002 02:46:16.720 - TCP connection dropped - Source:192.168.100.2, 2529, LAN - Destination:206.204.212.226, 2848, WAN
    12/16/2002 02:59:23.576 - TCP connection dropped - Source:192.168.100.2, 2932, LAN - Destination:206.204.52.98, 2847, WAN
    12/16/2002 03:01:17.864 - TCP connection dropped - Source:192.168.100.2, 2992, LAN - Destination:206.204.52.98, 2848, WAN
    12/16/2002 03:14:24.736 - TCP connection dropped - Source:192.168.100.2, 3400, LAN - Destination:206.204.212.226, 2847, WAN
    12/16/2002 03:16:19.208 - TCP connection dropped - Source:192.168.100.2, 3463, LAN - Destination:206.204.212.226, 2848, WAN
    12/16/2002 03:29:26.256 - TCP connection dropped - Source:192.168.100.2, 3862, LAN - Destination:206.204.212.226, 2847, WAN
    Nathan Grandbois
    Cerdant, Inc.
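As an added example (not from this thread, Symantec, or the firewall vendor), the regularity Nathan describes can be checked mechanically: parse the dropped-connection entries and flag each (source, destination port) stream whose connection gaps are nearly constant. The sample entries are a subset copied from the log quoted above; the jitter and minimum-hit thresholds are assumptions.

```python
import re
from datetime import datetime
from statistics import median

# Sample input: six entries copied from the firewall log quoted in the thread
# (a constructed subset for this example, one entry per line).
SAMPLE_LOG = """\
12/16/2002 00:01:03.656 - TCP connection dropped - Source:192.168.100.2, 1333, LAN - Destination:206.204.52.98, 2848, WAN
12/16/2002 00:14:08.256 - TCP connection dropped - Source:192.168.100.2, 1741, LAN - Destination:206.204.212.226, 2847, WAN
12/16/2002 00:16:04.848 - TCP connection dropped - Source:192.168.100.2, 1796, LAN - Destination:206.204.52.98, 2848, WAN
12/16/2002 00:29:09.752 - TCP connection dropped - Source:192.168.100.2, 2204, LAN - Destination:206.204.212.226, 2847, WAN
12/16/2002 00:31:06.096 - TCP connection dropped - Source:192.168.100.2, 2257, LAN - Destination:206.204.52.98, 2848, WAN
12/16/2002 00:44:10.928 - TCP connection dropped - Source:192.168.100.2, 2690, LAN - Destination:206.204.212.226, 2847, WAN
"""

# Field layout of one entry: timestamp - event - Source:ip, port, zone - Destination:ip, port, zone
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) - (?P<event>.+?) - "
    r"Source:(?P<src>[\d.]+), (?P<sport>\d+), \w+ - "
    r"Destination:(?P<dst>[\d.]+), (?P<dport>\d+), \w+$"
)

def parse_log(text):
    """Return (timestamp, src, dst, dport) per entry; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%m/%d/%Y %H:%M:%S.%f")
            events.append((ts, m["src"], m["dst"], int(m["dport"])))
    return events

def beacon_candidates(events, max_jitter=0.1, min_hits=3):
    """Group connections by (src, dport) and report those whose gaps are nearly constant.
    Returns {(src, dport): median_gap_seconds}; jitter is (max-min)/median of the gaps."""
    streams = {}
    for ts, src, dst, dport in events:
        streams.setdefault((src, dport), []).append(ts)
    result = {}
    for key, stamps in streams.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = median(gaps)
        if med > 0 and (max(gaps) - min(gaps)) / med <= max_jitter:
            result[key] = round(med)
    return result
```

On this sample each destination port shows a period of about 901 seconds: the 2-minute and 13-minute gaps in the post add up to one 15-minute cycle per port, the regular timing expected from a scheduled client rather than interactive use.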
    

