TCP Syns to 445 and 11768

Gadi Evron gadi at
Mon Jan 17 09:48:00 UTC 2005

Cheung, Rick wrote:
>         Hi. Anyone notice an increase of TCP Syns to port 11768, and 445 
> across random internet IPs? I googled the port, and found a similar 
> posting here:
>         We located the source on our network, updated DATs, and 
> WindowsUpdate hotfixes, but the problem persists.

Okay, it's been a while since this post was made to NANOG, but I just 
got the answer. Hadas Shany (Internet Gold/AS5486] just sent this to the 
IL-ops list:

In the past few weeks we saw more and more port scanning on 11768 and 
15118 (high ports that has no specific use).

So, here is the news: . Apparently, 
it's a virus based on the Sasser vulnerability!

Sophos agrees:

I must admit, Joe Stewart (also known as "DA MAN") at lurhq always comes 
up with the answers.

Gadi Evron,
Information Security Manager, Project Tehila -
Israeli Government Internet Security.
Ministry of Finance, Israel.

gadi at
gadi at
Office: +972-2-5317890
Fax: +972-2-5317801

More information about the NANOG mailing list