[77268] in North American Network Operators' Group


Re: TCP Syns to 445 and 11768

daemon@ATHENA.MIT.EDU (Gadi Evron)
Mon Jan 17 04:49:01 2005

Date: Mon, 17 Jan 2005 11:48:00 +0200
From: Gadi Evron <gadi@tehila.gov.il>
To: "Cheung, Rick" <Rick.Cheung@nextelpartners.com>
Cc: nanog@merit.edu
In-Reply-To: <9FF378E6E946B54EB34C5B06E23564D3013DACAB@mnmspmx1.nextelpartners.com>
Errors-To: owner-nanog-outgoing@merit.edu


Cheung, Rick wrote:
>         Hi. Anyone notice an increase of TCP Syns to port 11768, and 445 
> across random internet IPs? I googled the port, and found a similar 
> posting here:
> 
> http://www.trustedmatrix.org/portal/forum_viewtopic.php?7.954
> 
>         We located the source on our network, updated DATs, and 
> WindowsUpdate hotfixes, but the problem persists.

Okay, it's been a while since this post was made to NANOG, but I just 
got the answer. Hadas Shany (Internet Gold/AS5486) just sent this to the 
IL-ops list:

-----
In the past few weeks we saw more and more port scanning on 11768 and 
15118 (high ports that have no specific use).

So, here is the news: http://www.lurhq.com/dipnet.html. Apparently, 
it's a virus based on the Sasser vulnerability!

Sophos agrees: http://www.sophos.com/virusinfo/analyses/trojdipnetb.html
-----

I must admit, Joe Stewart (also known as "DA MAN") at lurhq always comes 
up with the answers.

-- 
Gadi Evron,
Information Security Manager, Project Tehila -
Israeli Government Internet Security.
Ministry of Finance, Israel.

gadi@tehila.gov.il
gadi@CERT.gov.il
Office: +972-2-5317890
Fax: +972-2-5317801
http://www.tehila.gov.il
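An added example, not part of the thread: Rick's "we located the source on our network" step, done over firewall SYN logs for the ports this thread names (445, 11768, 15118). The log format and the sample lines are constructed and assumed; the idea is that one host fanning out SYNs to many unrelated destinations on those ports is the worm-like pattern worth chasing, while a host talking to a single file server on 445 is not.

```python
import re
from collections import defaultdict

# Ports the thread associates with Dipnet activity: 445 (the Sasser/LSASS
# vector) plus the high ports 11768 and 15118 reported on the IL-ops list.
DIPNET_PORTS = {445, 11768, 15118}

# Constructed sample lines in an assumed iptables-style SYN log format.
# Adapt LINE_RE to your own firewall or flow-export format.
SAMPLE_LOG = """\
Jan 17 11:40:01 fw kernel: SYN SRC=10.1.2.50 DST=203.0.113.7 DPT=445
Jan 17 11:40:01 fw kernel: SYN SRC=10.1.2.50 DST=198.51.100.19 DPT=11768
Jan 17 11:40:02 fw kernel: SYN SRC=10.1.2.50 DST=192.0.2.88 DPT=445
Jan 17 11:40:02 fw kernel: SYN SRC=10.1.2.50 DST=203.0.113.99 DPT=15118
Jan 17 11:40:03 fw kernel: SYN SRC=10.1.2.50 DST=198.51.100.3 DPT=11768
Jan 17 11:40:03 fw kernel: SYN SRC=10.1.2.77 DST=10.1.2.10 DPT=445
Jan 17 11:40:04 fw kernel: SYN SRC=10.1.2.77 DST=10.1.2.10 DPT=445
Jan 17 11:40:05 fw kernel: SYN SRC=10.1.2.91 DST=203.0.113.7 DPT=80
"""

LINE_RE = re.compile(r"SYN SRC=(\S+) DST=(\S+) DPT=(\d+)")


def parse_syns(text):
    """Yield (src, dst, dport) for every line that matches LINE_RE."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), m.group(2), int(m.group(3))


def find_scanners(text, ports=DIPNET_PORTS, min_targets=3):
    """Return {src: sorted distinct destinations} for sources that sent SYNs
    on the watched ports to at least min_targets distinct destinations.
    Counting distinct destinations (not packets) separates scanning fan-out
    from repeated connections to one legitimate SMB server."""
    targets = defaultdict(set)
    for src, dst, dport in parse_syns(text):
        if dport in ports:
            targets[src].add(dst)
    return {src: sorted(dsts) for src, dsts in targets.items()
            if len(dsts) >= min_targets}


if __name__ == "__main__":
    for src, dsts in find_scanners(SAMPLE_LOG).items():
        print(f"{src}: {len(dsts)} distinct targets on watched ports -> {dsts}")
```

On the sample, only 10.1.2.50 is reported; 10.1.2.77 hits one internal host on 445 and is left alone, and 10.1.2.91 only touches port 80.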
