nanog mailing list archives
Re: TCP Syns to 445 and 11768
From: Gadi Evron <gadi () tehila gov il>
Date: Mon, 17 Jan 2005 11:48:00 +0200
Cheung, Rick wrote:
Hi. Anyone notice an increase of TCP Syns to port 11768, and 445 across random internet IPs? I googled the port, and found a similar posting here: http://www.trustedmatrix.org/portal/forum_viewtopic.php?7.954
We located the source on our network, updated DATs, and WindowsUpdate hotfixes, but the problem persists.
Okay, it's been a while since this post was made to NANOG, but I just got the answer. Hadas Shany (Internet Gold/AS5486) just sent this to the IL-ops list:
-----
In the past few weeks we saw more and more port scanning on 11768 and 15118 (high ports that have no specific use).
So, here is the news: http://www.lurhq.com/dipnet.html . Apparently, it's a virus based on the Sasser vulnerability!
Sophos agrees: http://www.sophos.com/virusinfo/analyses/trojdipnetb.html
-----
I must admit, Joe Stewart (also known as "DA MAN") at lurhq always comes up with the answers.
--
Gadi Evron, Information Security Manager,
Project Tehila - Israeli Government Internet Security.
Ministry of Finance, Israel.
gadi () tehila gov il
gadi () CERT gov il
Office: +972-2-5317890 Fax: +972-2-5317801
http://www.tehila.gov.il
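Detection logic for the pattern the thread describes, added here as an example and not part of the original thread or of the Dipnet write-ups: it parses constructed iptables-style LOG lines (hypothetical hosts on documentation address ranges, not real traffic) and flags any internal source whose outbound TCP SYNs to 445, 11768 or 15118 fan out to many distinct destinations, which is how an infected host scanning random Internet IPs shows up in perimeter logs.

```python
import re
from collections import defaultdict

# Ports named in the thread: 445 (the LSASS/Sasser vector) and the high
# ports 11768 and 15118 that the Dipnet write-ups tie to the worm.
WATCH_PORTS = {445, 11768, 15118}

# Constructed iptables-style LOG lines (RFC 5737 addresses, hypothetical hosts):
# 10.0.5.23 plays the infected host, 10.0.5.40 a normal client.
SAMPLE_LOG = """\
Jan 17 11:40:01 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=203.0.113.7 PROTO=TCP SPT=1041 DPT=445 SYN URGP=0
Jan 17 11:40:01 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=203.0.113.8 PROTO=TCP SPT=1042 DPT=445 SYN URGP=0
Jan 17 11:40:02 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=198.51.100.9 PROTO=TCP SPT=1043 DPT=445 SYN URGP=0
Jan 17 11:40:02 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=198.51.100.10 PROTO=TCP SPT=1044 DPT=445 SYN URGP=0
Jan 17 11:40:03 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=203.0.113.7 PROTO=TCP SPT=1045 DPT=11768 SYN URGP=0
Jan 17 11:40:03 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=203.0.113.8 PROTO=TCP SPT=1046 DPT=11768 SYN URGP=0
Jan 17 11:40:04 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=198.51.100.9 PROTO=TCP SPT=1047 DPT=11768 SYN URGP=0
Jan 17 11:40:05 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.5.40 DST=192.0.2.5 PROTO=TCP SPT=3301 DPT=445 SYN URGP=0
Jan 17 11:40:05 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.5.40 DST=192.0.2.5 PROTO=TCP SPT=3301 DPT=445 ACK URGP=0
Jan 17 11:40:06 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.5.40 DST=192.0.2.53 PROTO=UDP SPT=51234 DPT=53 LEN=40
"""

LINE_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+).*?PROTO=TCP.*?DPT=(?P<dpt>\d+)(?P<flags>.*)")


def parse_syns(log_text):
    """Yield (src, dst, dport) for each pure TCP SYN record (SYN/ACK excluded)."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # UDP, ICMP or otherwise unparsable line
        flags = m.group("flags").split()
        if "SYN" in flags and "ACK" not in flags:
            yield m.group("src"), m.group("dst"), int(m.group("dpt"))


def find_scanners(log_text, min_targets=3):
    """Return {src: {port: distinct_destinations}} for sources whose SYNs on a
    watched port reached at least min_targets different destinations."""
    seen = defaultdict(lambda: defaultdict(set))
    for src, dst, dport in parse_syns(log_text):
        if dport in WATCH_PORTS:
            seen[src][dport].add(dst)
    flagged = {}
    for src, by_port in seen.items():
        hits = {p: len(d) for p, d in by_port.items() if len(d) >= min_targets}
        if hits:
            flagged[src] = hits
    return flagged


if __name__ == "__main__":
    for src, hits in find_scanners(SAMPLE_LOG).items():
        print(f"{src} fanned out on watched ports: {hits}")
```

A single SYN to a file server on 445 (10.0.5.40 above) stays below the threshold, so the fan-out count, not the port alone, is what separates the infected host from normal SMB use.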
Current thread:
- TCP Syns to 445 and 11768 Cheung, Rick (Jan 07)
- Re: TCP Syns to 445 and 11768 Gadi Evron (Jan 07)
- Re: TCP Syns to 445 and 11768 Jeff Kaufman (Jan 07)
- Re: TCP Syns to 445 and 11768 Gadi Evron (Jan 17)