jamesvPremium join:2003-03-08 Austin, TX | attacks on port 11768? This morning I saw about twenty attempts to get through my firewall to port 11768 from private IP addresses. Normally I see 2-5 probes for port 1434 from private IPs over the entire day.
Is this a new kind of attack?
My firewall also blocked an attempt to connect to port 25 from 172.16.2.152. That's another private IP address. I suppose it's possible that the ISP and a remote net forgot to block those.
My firewall is configured to block incoming packets from private IP addresses or outgoing packets to them, even if the destination port would otherwise pass. |
 atangelNow What??Premium join:2002-02-18 Bronx, NY | Most likely, just Internet static, but you might find this useful.
»Security »Why am I being pinged, probed or attacked on this port?
As well as (with reports of common port trends as well): »isc.incidents.org/ »www.dshield.org/ |
 jamesvPremium join:2003-03-08 Austin, TX | port 11768 apparently is a new port scan target but I don't know what for yet. Google reveals a couple of useful pages but they are in Polish.
The port 25 thing was probably a chain of misconfigured systems and routers. |
 Link LoggerPremium,MVM join:2001-03-29 Calgary, AB kudos:3 Reviews:
·Shaw
| On the couple of IP's that I watch here there has been no traffic on port 11768, however looking at DShield.org it appears that something might be up and the traffic started on Dec 28th.
I'll setup a pot and see what it catches.
Blake -- Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel |
 starreemPremium join:2000-12-22 Raleigh, NC Reviews:
·Earthlink Cable ..
·EarthLink
| Link Logger- I had posted a similar query earlier in the day.
»Excessive traffic on port 11768
I still have the logs if you are interested. -- From the Depths of Lurk |
 kpatzMY HEAD A SPLODEPremium join:2003-06-13 Manchester, NH 1 edit | I haven't seen anything on 11768, yet. You say you're seeing these hits from private (unrouteable) IP addresses? What IPs? Can you see the TTL value in the packets? I bet they're coming from a misconfigured box on the same subnet as you. Or someone's spoofing the source IP in the scans (possible for UDP or ICMP but not likely for TCP since a handshake can't normally occur).
Also, are they TCP or UDP scans? -- SMTP: Spam and Malware Transfer Protocol. Also used on rare occasion to transmit e-mail messages. |
 | reply to jamesv I also am getting a massive amount of these now. I'm on Verizon and it's at least 1 every 10 seconds; this just started increasing today (1/6/2005). I think we got ourselves another net-bomb on our hands. At first I thought it was related to HL2, but after viewing my logs, it's been going on all day, since December, increasing in frequency. I will notify MyNetWatchman.com. Mr. Baldwin would be happy to get his hands on this information. |
 jamesvPremium join:2003-03-08 Austin, TX | reply to kpatz
said by kpatz: "I haven't seen anything on 11768, yet. You say you're seeing these hits from private (unrouteable) IP addresses? What IPs? Can you see the TTL value in the packets? I bet they're coming from a misconfigured box on the same subnet as you. Or someone's spoofing the source IP in the scans (possible for UDP or ICMP but not likely for TCP since a handshake can't normally occur). Also, are they TCP or UDP scans?"
The unroutable source addresses were things like 192.168.30.126. There are lots from a variety of unrelated routable IPs.
It's a TCP port. 808 probes since Jan 2 evening on MCI but only 8 since Dec 28 on Road Runner and none from SBC/Yahoo! None logged on a couple of routers I monitor on Verizon and Sprint. |
 Link LoggerPremium,MVM join:2001-03-29 Calgary, AB kudos:3 | reply to jamesv So far nothing here, but still watching.
Blake |
 | reply to jamesv Just found an infected PC on our internal network trying to get out to random Internet IP addresses on port 11768 and being blocked by our firewall. Infected PC (Win2k) had all the critical MS updates installed and up-to-date virus definitions (McAfee). McAfee reported it as generic.backdoor.d trojan - the offending program was called ltht.exe but was not cleaned by McAfee or Stinger. Had to be manually cleaned. |
 atangelNow What??Premium join:2002-02-18 Bronx, NY | Did you submit it to malware vendors? If not, do you have a copy of it still that you can submit?
The information and e-mail link is located in here: »Security »I think my computer is infected or hijacked. What should I do? under "To Submit Suspected Malware:" |
 jamesvPremium join:2003-03-08 Austin, TX | reply to GoodSamaritan Yes it's well worth your time to submit the binary to all of the AV vendors: you don't want these probes showing up on your WAN port in a week or two...
I wonder what it was trying to talk to on 11768? |
 starreemPremium join:2000-12-22 Raleigh, NC Reviews:
·Earthlink Cable ..
·EarthLink
| Anyone understand Polish?
»www.di.com.pl/n/?lp=8563
It's recent (sort of, Dec 29) and I gather the words "backdoor trojan" are in one paragraph. -- From the Depths of Lurk |
 NetFixerFreedom is NOT freePremium join:2004-06-24 Murfreesboro, TN Reviews:
·Vonage
·Cingular Wireless
·Comcast
·AT&T Southeast
| reply to jamesv In the past week I show 50 TCP port 11768 entries in my firewall log with seemingly random source ports and IP addresses. Not enough hits to have caught my attention except for noticing this thread. I will keep an eye on it and if I continue to get hits, I will capture some packets. -- A well-regulated militia, being necessary to the security of a free State, the right of the people to keep and bear arms shall not be infringed. Free on-line port scan |
 | reply to jamesv I've had about 50 attempts on port 11768 in the last 45 mins. It's been greatly increasing for the last couple of days. I have Wall Watcher monitoring my router activity and do have all my logs. |
 Link LoggerPremium,MVM join:2001-03-29 Calgary, AB kudos:3 Reviews:
·Shaw
| reply to jamesv Could this be the Adanych trojan (believe that is the correct translation)?
I have PortPeeker watching this port, but is anyone else running PortPeeker or something like it to capture this traffic for analysis?
Blake -- Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel |
 Link LoggerPremium,MVM join:2001-03-29 Calgary, AB kudos:3 Reviews:
·Shaw
1 edit | reply to jamesv OK, we caught some scans to TCP Port 11768 which are a little different and as such we can't say for sure what they are. This could be a key to a backdoor or it could be something totally harmless, however we think not.
edit -> add traffic events and hostname report from Link Logger.
Traffic events:
Jan 10, 2005 08:05:09.001 - (TCP) 194.150.76.190 : 2699 >>> 192.168.1.35 : 11768
Jan 10, 2005 08:04:21.833 - (TCP) 195.178.60.146 : 62925 >>> 192.168.1.35 : 11768
Jan 10, 2005 08:00:28.087 - (TCP) 62.248.36.172 : 3162 >>> 192.168.1.35 : 11768
Jan 10, 2005 07:27:22.252 - (TCP) 81.190.106.85 : 3341 >>> 192.168.1.35 : 11768
Jan 10, 2005 07:16:47.138 - (TCP) 193.254.218.182 : 1382 >>> 192.168.1.35 : 11768
Jan 10, 2005 06:49:23.024 - (TCP) 218.86.94.43 : 2711 >>> 192.168.1.35 : 11768
Jan 10, 2005 06:46:01.064 - (TCP) 81.190.106.85 : 1850 >>> 192.168.1.35 : 11768
Jan 10, 2005 06:33:17.686 - (TCP) 202.78.40.94 : 4730 >>> 192.168.1.35 : 11768
Jan 10, 2005 05:36:27.212 - (TCP) 202.78.40.94 : 3362 >>> 192.168.1.35 : 11768
Jan 10, 2005 05:17:32.150 - (TCP) 80.55.221.50 : 4475 >>> 192.168.1.35 : 11768
Jan 10, 2005 04:55:54.875 - (TCP) 218.86.95.184 : 4081 >>> 192.168.1.35 : 11768
Jan 10, 2005 04:35:17.515 - (TCP) 80.55.221.50 : 3258 >>> 192.168.1.35 : 11768
Jan 10, 2005 03:18:09.010 - (TCP) 81.137.233.196 : 4640 >>> 192.168.1.35 : 11768
Jan 10, 2005 03:13:38.821 - (TCP) 81.215.81.108 : 1648 >>> 192.168.1.35 : 11768
Jan 10, 2005 02:31:37.716 - (TCP) 81.30.161.46 : 4106 >>> 192.168.1.35 : 11768
Jan 10, 2005 01:56:36.735 - (TCP) 69.160.84.134 : 4888 >>> 192.168.1.35 : 11768
Jan 10, 2005 01:40:31.307 - (TCP) 219.145.61.170 : 4274 >>> 192.168.1.35 : 11768
Jan 10, 2005 00:58:21.680 - (TCP) 219.145.61.170 : 39769 >>> 192.168.1.35 : 11768

Hostname Report (IP / Hostname / Port / Events / Last Event):
219.145.61.170 - Not Found - 11768 2 10/01/2005 1:40:31 AM
218.86.95.184 - Not Found - 11768 1 10/01/2005 4:55:54 AM
218.86.94.43 - Not Found - 11768 1 10/01/2005 6:49:23 AM
202.78.40.94 - Not Found - 11768 2 10/01/2005 6:33:17 AM
195.178.60.146 cirus.datacom.co.yu 11768 1 10/01/2005 8:04:21 AM
194.150.76.190 ppp190.leasat.net 11768 1 10/01/2005 8:05:09 AM
193.254.218.182 gidrok.romb.net 11768 1 10/01/2005 7:16:47 AM
81.215.81.108 dsl81-215-20844.adsl.ttnet.net.tr 11768 1 10/01/2005 3:13:38 AM
81.190.106.85 host-81-190-106-85.rzeszow.mm.pl 11768 2 10/01/2005 7:27:22 AM
81.137.233.196 host81-137-233-196.in-addr.btopenworld.com 11768 1 10/01/2005 3:18:09 AM
81.30.161.46 ts2-a46.dialup.vntp.net 11768 1 10/01/2005 2:31:37 AM
80.55.221.50 xn50.internetdsl.tpnet.pl 11768 2 10/01/2005 5:17:32 AM
69.160.84.134 69-160-84-134.frdrmd.adelphia.net 11768 1 10/01/2005 1:56:36 AM
62.248.36.172 CENKCILER 11768 1 10/01/2005 8:00:28 AM

PortPeeker Captures:
219.145.61.170 : 39769 TCP Data In Length 39 bytes MD5 = 8CCAFAC4CB8A7F1F1E2C0196B59A45E2 ---- 10/01/2005 01:07:27.417
0000 5F 5F 31 32 33 5F 61 73 64 61 73 64 66 64 6A 68 __123_asdasdfdjh
0010 73 64 66 5F 53 41 46 61 73 64 66 68 6A 73 64 66 sdf_SAFasdfhjsdf
0020 5F 66 73 64 31 32 33 _fsd123

219.145.61.170 : 4274 TCP Data In Length 39 bytes MD5 = 8CCAFAC4CB8A7F1F1E2C0196B59A45E2 ---- 10/01/2005 01:49:36.613
0000 5F 5F 31 32 33 5F 61 73 64 61 73 64 66 64 6A 68 __123_asdasdfdjh
0010 73 64 66 5F 53 41 46 61 73 64 66 68 6A 73 64 66 sdf_SAFasdfhjsdf
0020 5F 66 73 64 31 32 33 _fsd123

69.160.84.134 : 4888 TCP Data In Length 39 bytes MD5 = 8CCAFAC4CB8A7F1F1E2C0196B59A45E2 ---- 10/01/2005 02:05:44.806
0000 5F 5F 31 32 33 5F 61 73 64 61 73 64 66 64 6A 68 __123_asdasdfdjh
0010 73 64 66 5F 53 41 46 61 73 64 66 68 6A 73 64 66 sdf_SAFasdfhjsdf
0020 5F 66 73 64 31 32 33 _fsd123

81.30.161.46 : 4106 TCP Data In Length 39 bytes MD5 = 8CCAFAC4CB8A7F1F1E2C0196B59A45E2 ---- 10/01/2005 02:40:45.356
0000 5F 5F 31 32 33 5F 61 73 64 61 73 64 66 64 6A 68 __123_asdasdfdjh
0010 73 64 66 5F 53 41 46 61 73 64 66 68 6A 73 64 66 sdf_SAFasdfhjsdf
0020 5F 66 73 64 31 32 33 _fsd123
etc., so you see it's the same package and we saw it from 14 different IP addresses last night.
Blake -- Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel |
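The analysis Link Logger did by hand above (per-source hit counts from the traffic events, and a check that every capture carries the same 39-byte payload) and jamesv's earlier point about probes arriving from RFC 1918 source addresses can both be reproduced with a small script. What follows is an added example written for this page, not code from Link Logger, PortPeeker or anyone in the thread. It assumes the Link Logger event line format and the PortPeeker hex-dump layout exactly as posted; the event lines and hex dump it embeds are copied from the post, and the one 192.168.30.126 event is a constructed line added to show the private-source check. The MD5 is recomputed from the decoded bytes and compared against the value PortPeeker reported rather than assumed.

```python
"""Added example: summarise Link Logger events and verify a PortPeeker payload.

Not the tools' own code. Formats assumed to be exactly as posted in the thread.
"""
import hashlib
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Traffic events copied from Link Logger's post (one event per line).
PAGE_EVENTS = """\
Jan 10, 2005 08:05:09.001 - (TCP) 194.150.76.190 : 2699 >>> 192.168.1.35 : 11768
Jan 10, 2005 08:04:21.833 - (TCP) 195.178.60.146 : 62925 >>> 192.168.1.35 : 11768
Jan 10, 2005 08:00:28.087 - (TCP) 62.248.36.172 : 3162 >>> 192.168.1.35 : 11768
Jan 10, 2005 07:27:22.252 - (TCP) 81.190.106.85 : 3341 >>> 192.168.1.35 : 11768
Jan 10, 2005 07:16:47.138 - (TCP) 193.254.218.182 : 1382 >>> 192.168.1.35 : 11768
Jan 10, 2005 06:49:23.024 - (TCP) 218.86.94.43 : 2711 >>> 192.168.1.35 : 11768
Jan 10, 2005 06:46:01.064 - (TCP) 81.190.106.85 : 1850 >>> 192.168.1.35 : 11768
Jan 10, 2005 06:33:17.686 - (TCP) 202.78.40.94 : 4730 >>> 192.168.1.35 : 11768
Jan 10, 2005 05:36:27.212 - (TCP) 202.78.40.94 : 3362 >>> 192.168.1.35 : 11768
Jan 10, 2005 05:17:32.150 - (TCP) 80.55.221.50 : 4475 >>> 192.168.1.35 : 11768
Jan 10, 2005 04:55:54.875 - (TCP) 218.86.95.184 : 4081 >>> 192.168.1.35 : 11768
Jan 10, 2005 04:35:17.515 - (TCP) 80.55.221.50 : 3258 >>> 192.168.1.35 : 11768
Jan 10, 2005 03:18:09.010 - (TCP) 81.137.233.196 : 4640 >>> 192.168.1.35 : 11768
Jan 10, 2005 03:13:38.821 - (TCP) 81.215.81.108 : 1648 >>> 192.168.1.35 : 11768
Jan 10, 2005 02:31:37.716 - (TCP) 81.30.161.46 : 4106 >>> 192.168.1.35 : 11768
Jan 10, 2005 01:56:36.735 - (TCP) 69.160.84.134 : 4888 >>> 192.168.1.35 : 11768
Jan 10, 2005 01:40:31.307 - (TCP) 219.145.61.170 : 4274 >>> 192.168.1.35 : 11768
Jan 10, 2005 00:58:21.680 - (TCP) 219.145.61.170 : 39769 >>> 192.168.1.35 : 11768
"""

# Constructed event (not from the thread) with an RFC 1918 source, like the
# 192.168.30.126 hits jamesv described; used to exercise the private-source check.
CONSTRUCTED_EVENT = "Jan 10, 2005 09:12:00.000 - (TCP) 192.168.30.126 : 3001 >>> 192.168.1.35 : 11768\n"

# PortPeeker dump copied from the post, and the MD5 PortPeeker reported for it.
PAGE_DUMP = """\
0000 5F 5F 31 32 33 5F 61 73 64 61 73 64 66 64 6A 68 __123_asdasdfdjh
0010 73 64 66 5F 53 41 46 61 73 64 66 68 6A 73 64 66 sdf_SAFasdfhjsdf
0020 5F 66 73 64 31 32 33 _fsd123
"""
REPORTED_MD5 = "8CCAFAC4CB8A7F1F1E2C0196B59A45E2"

EVENT_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2}\.\d{3}) - "
    r"\((?P<proto>TCP|UDP)\) (?P<src>[\d.]+) : (?P<sport>\d+) >>> "
    r"(?P<dst>[\d.]+) : (?P<dport>\d+)$"
)
# A dump row is a 4-hex-digit offset followed by up to 16 byte pairs; the
# ASCII gutter after them is ignored (assumed 16-byte rows, as in PortPeeker).
DUMP_ROW_RE = re.compile(r"^[0-9A-Fa-f]{4}((?: [0-9A-Fa-f]{2}){1,16})")


def parse_events(text):
    """Turn Link Logger event lines into dicts; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%b %d, %Y %H:%M:%S.%f")
        ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
        events.append(ev)
    return events


def summarize(events, port=11768):
    """Per-source and per-hour hit counts for one destination port, plus any
    sources that should never appear on a WAN interface (RFC 1918 etc.)."""
    hits = [e for e in events if e["dport"] == port]
    per_source = Counter(e["src"] for e in hits)
    per_hour = Counter(e["ts"].strftime("%Y-%m-%d %H:00") for e in hits)
    private = sorted({e["src"] for e in hits
                      if ipaddress.ip_address(e["src"]).is_private})
    return {"total": len(hits), "per_source": per_source,
            "per_hour": per_hour, "private_sources": private}


def decode_dump(text):
    """Rebuild the raw bytes from a PortPeeker-style hex dump."""
    data = bytearray()
    for line in text.splitlines():
        m = DUMP_ROW_RE.match(line.strip())
        if m:
            data.extend(bytes.fromhex(m.group(1)))
    return bytes(data)


def analyze_payload(text, reported_md5=REPORTED_MD5):
    """Decode the dump, hash it, and say whether the hash matches the report."""
    payload = decode_dump(text)
    digest = hashlib.md5(payload).hexdigest().upper()
    return {"payload": payload, "length": len(payload), "md5": digest,
            "matches_reported": digest == reported_md5.upper()}


KNOWN_PROBE = decode_dump(PAGE_DUMP)


def is_known_probe(payload):
    """Exact-match signature for the fixed 39-byte string seen in every capture."""
    return payload == KNOWN_PROBE


if __name__ == "__main__":
    s = summarize(parse_events(PAGE_EVENTS + CONSTRUCTED_EVENT))
    print(s["total"], "hits from", len(s["per_source"]), "sources;",
          "private sources:", s["private_sources"])
    print(analyze_payload(PAGE_DUMP))
```

Run as a script it reproduces the post's Events column (219.145.61.170, 202.78.40.94, 81.190.106.85 and 80.55.221.50 at 2 each, the rest at 1, 14 sources in all) and flags the constructed 192.168.30.126 source; the per-hour counter is the same bucketing J. used later in the thread to find the peak. The `matches_reported` flag is a check, not an assumption: if the hex in the post were transcribed wrong, it would come back False.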
 | reply to jamesv I had a quite a few computers hitting me on this port a few days ago, but it seems to have died down by now. |
 | I've been logging port activity on 11768 since January 6th and have received over 1060 probes since then. The traffic attempts to this port peaked on Jan. 8, 2005 at 5:00am CST and have been steadily declining since. The activity has been coming from 1006 unique IPs but seems to have died down to 1 or 2 every hour or so. I've also read about 1 other similar incident this week with port 19388.
BTW: Link Logger is awesome Blake!
J. |
 kpatzMY HEAD A SPLODEPremium join:2003-06-13 Manchester, NH | reply to Link Logger I haven't seen a single scan on 11768. I'm seeing a lot of 29992 though, which is a spam proxy. I also see 17771 on occasion, which is likely also a spam proxy (note the palindromic port #s). -- SMTP: Spam and Malware Transfer Protocol. Also used on rare occasion to transmit e-mail messages. |