TCP Syns to 445 and 11768
Gadi Evron
gadi at tehila.gov.il
Mon Jan 17 09:48:00 UTC 2005
Cheung, Rick wrote:
> Hi. Anyone notice an increase of TCP Syns to port 11768, and 445
> across random internet IPs? I googled the port, and found a similar
> posting here:
>
> http://www.trustedmatrix.org/portal/forum_viewtopic.php?7.954
>
> We located the source on our network, updated DATs, and
> WindowsUpdate hotfixes, but the problem persists.
Okay, it's been a while since this post was made to NANOG, but I just
got the answer. Hadas Shany (Internet Gold/AS5486) just sent this to the
IL-ops list:
-----
In the past few weeks we saw more and more port scanning on 11768 and
15118 (high ports that have no specific use).
So, here is the news: http://www.lurhq.com/dipnet.html . Apparently,
it's a virus based on the Sasser vulnerability!
Sophos agrees: http://www.sophos.com/virusinfo/analyses/trojdipnetb.html
-----
I must admit, Joe Stewart (also known as "DA MAN") at lurhq always comes
up with the answers.
--
Gadi Evron,
Information Security Manager, Project Tehila -
Israeli Government Internet Security.
Ministry of Finance, Israel.
gadi at tehila.gov.il
gadi at CERT.gov.il
Office: +972-2-5317890
Fax: +972-2-5317801
http://www.tehila.gov.il
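An added example, not part of the thread: a small Python check an operator could run over flow records to spot the pattern Rick describes (one internal host sending SYNs on 445, 11768 or 15118 to many distinct Internet addresses). The flow format, the local prefix list and the sample records are all constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Ports named in the thread: 445 (the Sasser/LSASS target) and the
# high ports 11768 and 15118 seen in the Dipnet scans.
WATCH_PORTS = {445, 11768, 15118}

# Assumption: the operator's own address space; SYNs to these are
# ordinary SMB traffic to local servers and are ignored.
LOCAL_NETS = [ip_network("10.0.0.0/8")]

# Constructed sample flow records (not real traffic):
# "<src> <dst> <dst_port> <tcp_flags>", one flow per line.
SAMPLE_FLOWS = """\
10.0.0.5 198.51.100.10 445 S
10.0.0.5 203.0.113.7 445 S
10.0.0.5 192.0.2.44 11768 S
10.0.0.5 198.51.100.99 11768 S
10.0.0.5 203.0.113.120 15118 S
10.0.0.5 192.0.2.9 445 S
10.0.0.8 10.0.0.1 445 S
10.0.0.8 10.0.0.1 445 S
10.0.0.12 203.0.113.5 80 S
10.0.0.12 203.0.113.5 445 SA
"""


def parse_flows(text):
    """Parse the constructed flow format into (src, dst, dport, flags)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, dport, flags = line.split()
        records.append((src, dst, int(dport), flags))
    return records


def find_scanners(records, local_nets, min_distinct_dsts=5):
    """Return {src: {"destinations": n, "ports": [...]}} for hosts that sent
    pure SYNs on a watched port to at least min_distinct_dsts distinct
    non-local destinations; that fan-out is the worm signature, not any
    single connection."""
    targets = defaultdict(set)
    ports = defaultdict(set)
    for src, dst, dport, flags in records:
        if flags != "S" or dport not in WATCH_PORTS:
            continue
        if any(ip_address(dst) in net for net in local_nets):
            continue
        targets[src].add(dst)
        ports[src].add(dport)
    return {src: {"destinations": len(dsts), "ports": sorted(ports[src])}
            for src, dsts in targets.items() if len(dsts) >= min_distinct_dsts}
```

With the sample above only 10.0.0.5 is reported; the local SMB traffic from 10.0.0.8 and the port 80 and SYN/ACK flows from 10.0.0.12 are ignored.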