North American Network Operators Group
Re: TCP Syns to 445 and 11768
- From: Gadi Evron
- Date: Mon Jan 17 04:50:12 2005
Cheung, Rick wrote:
Hi. Anyone notice an increase of TCP Syns to port 11768, and 445
across random internet IPs? I googled the port, and found a similar
Okay, it's been a while since this post was made to NANOG, but I just
got the answer. Hadas Shany (Internet Gold/AS5486) just sent this to the
We located the source on our network, updated DATs, and
WindowsUpdate hotfixes, but the problem persists.
In the past few weeks we saw more and more port scanning on 11768 and
15118 (high ports that have no specific use).
So, here is the news: http://www.lurhq.com/dipnet.html . Apparently,
it's a virus based on the Sasser vulnerability!
Sophos agrees: http://www.sophos.com/virusinfo/analyses/trojdipnetb.html
I must admit, Joe Stewart (also known as "DA MAN") at lurhq always comes
up with the answers.
Information Security Manager, Project Tehila -
Israeli Government Internet Security.
Ministry of Finance, Israel.