TCP SYNs to 445 and 11768
Hi. Anyone notice an increase of TCP SYNs to port 11768, and 445 across random internet IPs? I googled the port, and found a similar posting here: http://www.trustedmatrix.org/portal/forum_viewtopic.php?7.954

We located the source on our network, updated DATs, and WindowsUpdate hotfixes, but the problem persists.

Thanks,
Rick Cheung

This message, including any attachments, contains confidential information intended for a specific individual and purpose and is protected by law. If you are not the intended recipient, please contact sender immediately by reply e-mail and destroy all copies. You are hereby notified that any disclosure, copying, or distribution of this message, or the taking of any action based on it, is strictly prohibited.

WARNING: Computer viruses can be transmitted via email. The recipient should check this email and any attachments for the presence of viruses. The sender accepts no liability for any damage caused by any virus transmitted by this email. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission.
Cheung, Rick wrote:
Hi. Anyone notice an increase of TCP SYNs to port 11768, and 445 across random internet IPs? I googled the port, and found a similar posting here:
http://www.trustedmatrix.org/portal/forum_viewtopic.php?7.954
We located the source on our network, updated DATs, and WindowsUpdate hotfixes, but the problem persists.
445 is always active. Whether it's the million worms that scan for it, kiddies, etc., you'll always see a ton of connections. We have seen an increase this past month in tcp/445 activity, though. No idea about 11768, but Google seems to be full of it.

Gadi.
On Fri, 7 Jan 2005, Cheung, Rick wrote:
This message, including any attachments, contains confidential information intended for a specific individual and purpose and is protected by law. If you are not the intended recipient, please contact sender immediately by reply e-mail and destroy all copies. You are hereby notified that any disclosure, copying, or distribution of this message, or the taking of any action based on it, is strictly prohibited.
If we're not allowed to "take an action based on this message" by replying to it, what's the point of posting it to the list? Jeff
Cheung, Rick wrote:
Hi. Anyone notice an increase of TCP SYNs to port 11768, and 445 across random internet IPs? I googled the port, and found a similar posting here:
http://www.trustedmatrix.org/portal/forum_viewtopic.php?7.954
We located the source on our network, updated DATs, and WindowsUpdate hotfixes, but the problem persists.
Okay, it's been a while since this post was made to NANOG, but I just got the answer. Hadas Shany (Internet Gold/AS5486) just sent this to the IL-ops list:

-----
In the past few weeks we saw more and more port scanning on 11768 and 15118 (high ports that have no specific use). So, here is the news: http://www.lurhq.com/dipnet.html . Apparently, it's a virus based on the Sasser vulnerability! Sophos agrees: http://www.sophos.com/virusinfo/analyses/trojdipnetb.html
-----

I must admit, Joe Stewart (also known as "DA MAN") at lurhq always comes up with the answers.

--
Gadi Evron, Information Security Manager, Project Tehila - Israeli Government Internet Security. Ministry of Finance, Israel.
gadi@tehila.gov.il gadi@CERT.gov.il
Office: +972-2-5317890 Fax: +972-2-5317801
http://www.tehila.gov.il
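The thread settles on a Sasser-family worm (Dipnet) as the source of the SYNs to 445, 11768 and 15118. Locating the infected host on your own network, as Rick's post describes doing, comes down to finding the internal source with the widest SYN fan-out on those ports: a worm sprays one port across many random addresses, while a legitimate SMB client hits one file server many times. The following is an added example written for this page, not code from the thread or from any of the posters. It counts distinct destinations per internal source and watched port over constructed iptables-style log lines; the 10.0.0.0/8 local range, the single-line log format and the threshold of five distinct targets are assumptions to be tuned for a real network.

```python
"""Find internal hosts fanning TCP SYNs out to the ports named in the thread.

Added example, not from the NANOG thread. The log layout is a constructed,
iptables-like one-line-per-packet format, not a real capture.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Ports named in the thread: SMB over TCP (445) and the two high ports
# reported to the IL-ops list for Dipnet (11768, 15118).
WATCHED_PORTS = {445, 11768, 15118}

# Assumption: local address space is 10.0.0.0/8. Only sources inside it are
# candidates, because the goal is the infected host on our side of the edge.
LOCAL_NET = ip_network("10.0.0.0/8")

# Assumption: a source that SYNs to at least this many distinct destinations
# on one watched port is a scanner. A client of a single file server stays
# below this no matter how many connections it opens.
DISTINCT_TARGET_THRESHOLD = 5

LINE_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=TCP "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+) FLAGS=(?P<flags>[A-Z,]+)"
)

# Constructed sample: 10.1.2.3 sprays 445 and 11768 at random targets (one
# SYN retransmitted, so it counts once), 10.1.9.9 is an ordinary client of
# the file server 10.1.0.5, 10.1.7.7 opens one 15118 connection, one probe
# arrives inbound from the Internet, and one line is unrelated HTTP.
SAMPLE_LOG = """\
Jan  7 10:00:01 fw kernel: SRC=10.1.2.3 DST=64.12.1.1 PROTO=TCP SPT=1034 DPT=445 FLAGS=SYN
Jan  7 10:00:01 fw kernel: SRC=10.1.2.3 DST=64.12.1.2 PROTO=TCP SPT=1035 DPT=445 FLAGS=SYN
Jan  7 10:00:01 fw kernel: SRC=10.1.2.3 DST=203.0.113.10 PROTO=TCP SPT=1036 DPT=445 FLAGS=SYN
Jan  7 10:00:02 fw kernel: SRC=10.1.2.3 DST=198.51.100.20 PROTO=TCP SPT=1037 DPT=445 FLAGS=SYN
Jan  7 10:00:02 fw kernel: SRC=10.1.2.3 DST=192.0.2.5 PROTO=TCP SPT=1038 DPT=445 FLAGS=SYN
Jan  7 10:00:02 fw kernel: SRC=10.1.2.3 DST=192.0.2.6 PROTO=TCP SPT=1039 DPT=445 FLAGS=SYN
Jan  7 10:00:02 fw kernel: SRC=10.1.2.3 DST=10.1.2.4 PROTO=TCP SPT=1040 DPT=445 FLAGS=SYN
Jan  7 10:00:03 fw kernel: SRC=10.1.2.3 DST=198.51.100.7 PROTO=TCP SPT=1041 DPT=11768 FLAGS=SYN
Jan  7 10:00:03 fw kernel: SRC=10.1.2.3 DST=198.51.100.8 PROTO=TCP SPT=1042 DPT=11768 FLAGS=SYN
Jan  7 10:00:03 fw kernel: SRC=10.1.2.3 DST=203.0.113.11 PROTO=TCP SPT=1043 DPT=11768 FLAGS=SYN
Jan  7 10:00:03 fw kernel: SRC=10.1.2.3 DST=192.0.2.9 PROTO=TCP SPT=1044 DPT=11768 FLAGS=SYN
Jan  7 10:00:04 fw kernel: SRC=10.1.2.3 DST=64.12.5.5 PROTO=TCP SPT=1045 DPT=11768 FLAGS=SYN
Jan  7 10:00:04 fw kernel: SRC=10.1.2.3 DST=64.12.5.5 PROTO=TCP SPT=1045 DPT=11768 FLAGS=SYN
Jan  7 10:00:05 fw kernel: SRC=10.1.9.9 DST=10.1.0.5 PROTO=TCP SPT=2001 DPT=445 FLAGS=SYN
Jan  7 10:00:06 fw kernel: SRC=10.1.9.9 DST=10.1.0.5 PROTO=TCP SPT=2002 DPT=445 FLAGS=SYN
Jan  7 10:00:07 fw kernel: SRC=10.1.9.9 DST=10.1.0.5 PROTO=TCP SPT=2003 DPT=445 FLAGS=SYN
Jan  7 10:00:07 fw kernel: SRC=10.1.0.5 DST=10.1.9.9 PROTO=TCP SPT=445 DPT=2003 FLAGS=SYN,ACK
Jan  7 10:00:08 fw kernel: SRC=10.1.7.7 DST=203.0.113.5 PROTO=TCP SPT=3001 DPT=15118 FLAGS=SYN
Jan  7 10:00:09 fw kernel: SRC=198.51.100.9 DST=10.1.2.3 PROTO=TCP SPT=4001 DPT=445 FLAGS=SYN
Jan  7 10:00:09 fw kernel: SRC=10.1.2.3 DST=64.12.1.1 PROTO=TCP SPT=1050 DPT=80 FLAGS=SYN
"""


def parse_line(line):
    """Return (src, dst, dport, flags) for a TCP log line, or None."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    return ip_address(m["src"]), ip_address(m["dst"]), int(m["dpt"]), set(m["flags"].split(","))


def is_syn_only(flags):
    """A connection attempt carries SYN without ACK; SYN,ACK is the reply."""
    return "SYN" in flags and "ACK" not in flags


def find_scanners(lines, threshold=DISTINCT_TARGET_THRESHOLD):
    """Map each internal source to {port: distinct destinations} for every
    watched port on which its fan-out reaches the threshold."""
    fanout = defaultdict(lambda: defaultdict(set))  # src -> dport -> {dst}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, dport, flags = rec
        if not is_syn_only(flags) or dport not in WATCHED_PORTS:
            continue
        if src not in LOCAL_NET:
            continue  # inbound background scanning is not what we are hunting
        fanout[str(src)][dport].add(str(dst))

    scanners = {}
    for src, by_port in fanout.items():
        hits = {p: len(d) for p, d in by_port.items() if len(d) >= threshold}
        if hits:
            scanners[src] = hits
    return scanners


if __name__ == "__main__":
    for src, hits in sorted(find_scanners(SAMPLE_LOG.splitlines()).items()):
        detail = ", ".join(f"tcp/{p} -> {n} hosts" for p, n in sorted(hits.items()))
        print(f"{src}: {detail}")
```

Counting distinct destinations rather than raw SYNs is what separates the worm from the busy file-server client here: 10.1.9.9 opens three connections to one host and is never reported, while 10.1.2.3 is reported on both 445 and 11768. Against real iptables output the regex would need to match its `SYN URGP=0` flag rendering instead of the constructed `FLAGS=` field, and on a large network the per-source sets should be bounded to a time window.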