TCP Syns to 445 and 11768

• Previous message (by thread): TCP Syns to 445 and 11768
• Next message (by thread): Weekly Routing Table Report
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Cheung, Rick wrote:
>         Hi. Anyone notice an increase of TCP Syns to port 11768, and 445 
> across random internet IPs? I googled the port, and found a similar 
> posting here:
> 
> http://www.trustedmatrix.org/portal/forum_viewtopic.php?7.954
> 
>         We located the source on our network, updated DATs, and 
> WindowsUpdate hotfixes, but the problem persists.

Okay, it's been a while since this post was made to NANOG, but I just 
got the answer. Hadas Shany (Internet Gold/AS5486] just sent this to the 
IL-ops list:

-----
In the past few weeks we saw more and more port scanning on 11768 and 
15118 (high ports that has no specific use).

So, here is the news: http://www.lurhq.com/dipnet.html . Apparently, 
it's a virus based on the Sasser vulnerability!

Sophos agrees: http://www.sophos.com/virusinfo/analyses/trojdipnetb.html
-----

I must admit, Joe Stewart (also known as "DA MAN") at lurhq always comes 
up with the answers.

-- 
Gadi Evron,
Information Security Manager, Project Tehila -
Israeli Government Internet Security.
Ministry of Finance, Israel.

gadi at tehila.gov.il
gadi at CERT.gov.il
Office: +972-2-5317890
Fax: +972-2-5317801
http://www.tehila.gov.il

• Previous message (by thread): TCP Syns to 445 and 11768
• Next message (by thread): Weekly Routing Table Report
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]