Merit Network

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


Re: TCP Syns to 445 and 11768

  • From: Gadi Evron
  • Date: Mon Jan 17 04:50:12 2005

Cheung, Rick wrote:
> Hi. Anyone notice an increase of TCP Syns to port 11768, and 445 across random internet IPs? I googled the port, and found a similar posting here:
>
> http://www.trustedmatrix.org/portal/forum_viewtopic.php?7.954
>
> We located the source on our network, updated DATs, and WindowsUpdate hotfixes, but the problem persists.

Okay, it's been a while since this post was made to NANOG, but I just got the answer. Hadas Shany (Internet Gold/AS5486) just sent this to the IL-ops list:

-----
In the past few weeks we saw more and more port scanning on 11768 and 15118 (high ports that have no specific use).

So, here is the news: http://www.lurhq.com/dipnet.html . Apparently, it's a virus based on the Sasser vulnerability!

Sophos agrees: http://www.sophos.com/virusinfo/analyses/trojdipnetb.html
-----

I must admit, Joe Stewart (also known as "DA MAN") at lurhq always comes up with the answers.

--
Gadi Evron,
Information Security Manager, Project Tehila -
Israeli Government Internet Security.
Ministry of Finance, Israel.

gadi@tehila.gov.il
gadi@CERT.gov.il
Office: +972-2-5317890
Fax: +972-2-5317801
http://www.tehila.gov.il



