
jamesv
Premium
join:2003-03-08
Austin, TX

reply to atangel

Re: attacks on port 11768?

Port 11768 apparently is a new port scan target but I don't know what for yet. Google reveals a couple of useful pages but they are in Polish.

The port 25 thing was probably a chain of misconfigured systems and routers.


Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
kudos:3
Reviews:
·Shaw

On the couple of IPs that I watch here there has been no traffic on port 11768; however, looking at DShield.org, it appears that something might be up and the traffic started on Dec 28th.

I'll set up a pot and see what it catches.

Blake
--
Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel



starreem
Premium
join:2000-12-22
Raleigh, NC
Reviews:
·Earthlink Cable ..
·EarthLink

Link Logger - I had posted a similar query earlier in the day.

»Excessive traffic on port 11768

I still have the logs if you are interested.
--
From the Depths of Lurk


kpatz
MY HEAD A SPLODE
Premium
join:2003-06-13
Manchester, NH

1 edit

I haven't seen anything on 11768, yet. You say you're seeing these hits from private (unrouteable) IP addresses? What IPs? Can you see the TTL value in the packets? I bet they're coming from a misconfigured box on the same subnet as you. Or someone's spoofing the source IP in the scans (possible for UDP or ICMP but not likely for TCP since a handshake can't normally occur).

Also, are they TCP or UDP scans?
--
SMTP: Spam and Malware Transfer Protocol. Also used on rare occasion to transmit e-mail messages.


jamesv
Premium
join:2003-03-08
Austin, TX

said by kpatz:

I haven't seen anything on 11768, yet. You say you're seeing these hits from private (unrouteable) IP addresses? What IPs? Can you see the TTL value in the packets? I bet they're coming from a misconfigured box on the same subnet as you. Or someone's spoofing the source IP in the scans (possible for UDP or ICMP but not likely for TCP since a handshake can't normally occur).

Also, are they TCP or UDP scans?

The unroutable source addresses were things like 192.168.30.126. There are lots from a variety of unrelated routable IPs.

It's a TCP port. 808 probes since Jan 2 evening on MCI but only 8 since Dec 28 on Road Runner and none from SBC/Yahoo!
None logged on a couple of routers I monitor on Verizon and Sprint.
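
Added example, not part of any post in this thread: one way to triage firewall logs for the questions raised above (TCP or UDP, private or routable source, what the TTL suggests). The key=value log format, the sample lines and the function names are assumptions made for illustration; the TTL-to-hops step is a heuristic based on common initial TTL values.

```python
import ipaddress
import re
from collections import Counter

# RFC 1918 ranges checked explicitly: Python's is_private also flags other
# special-purpose blocks, which would blur the "unroutable source" question.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INITIAL_TTLS = (64, 128, 255)  # common OS defaults; a heuristic, not proof
LINE_RE = re.compile(r"proto=(\w+) src=(\S+) dst=\S+ dport=(\d+) ttl=(\d+)")

# Constructed sample lines in a hypothetical key=value firewall log format.
SAMPLE_LOG = """\
Jan 02 21:14:03 proto=TCP src=192.168.30.126 dst=203.0.113.10 dport=11768 ttl=127
Jan 02 21:14:09 proto=TCP src=198.51.100.23 dst=203.0.113.10 dport=11768 ttl=109
Jan 02 21:15:40 proto=TCP src=198.51.100.77 dst=203.0.113.10 dport=11768 ttl=47
Jan 02 21:16:02 proto=UDP src=198.51.100.23 dst=203.0.113.10 dport=1434 ttl=110
Jan 02 21:17:55 proto=TCP src=192.168.30.126 dst=203.0.113.10 dport=11768 ttl=127
this line is malformed and is skipped
"""

def estimate_hops(ttl):
    """Hops travelled, assuming the sender used the nearest common initial TTL."""
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial - ttl
    return None  # not a valid IPv4 TTL

def triage(log_text, port=11768):
    """Return (probe count per protocol, per-source summary) for one destination port."""
    by_proto, sources = Counter(), {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or int(m.group(3)) != port:
            continue
        try:
            src = ipaddress.ip_address(m.group(2))
        except ValueError:
            continue  # unparseable source address
        by_proto[m.group(1).upper()] += 1
        private = any(src in net for net in RFC1918)
        entry = sources.setdefault(str(src), {"count": 0, "private": private, "hops": set()})
        entry["count"] += 1
        entry["hops"].add(estimate_hops(int(m.group(4))))
    return by_proto, sources

if __name__ == "__main__":
    protos, srcs = triage(SAMPLE_LOG)
    print(dict(protos))
    for ip, info in sorted(srcs.items()):
        print(ip, "private" if info["private"] else "routable", info["count"], info["hops"])
```

A private source with a very low hop estimate is consistent with a nearby misconfigured box; a private source with a large hop estimate points more toward spoofing or a leaking upstream network.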


EGeezer
Summertime
Premium
join:2002-08-04
Midwest
kudos:7
Reviews:
·Callcentric

reply to jamesv

Re: port 25

SANS to the rescue - maybe -

said by Erik Fichtner, SANS handler:
SMTP = Strange Mail Transfer Protocol ?

One of our readers mentioned that they had seen some strange HTTP traffic to their SMTP mail server on port 25 coming from a number of remote IP addresses. While it could just be a brain-damaged vulnerability assessment tool running amok; we all remember the incidents with IRC traffic being sent to SMTP servers, and we're wondering if anyone else has seen any out of place HTTP traffic to their mail servers in the past few days.


/EG
--
N-X-211 ====== N-328KF
