jamesv3
Premium Member
join:2003-03-08
Austin, TX

attacks on port 11768?

This morning I saw about twenty attempts to get through my firewall to port 11768 from private IP addresses. Normally I see 2-5 probes for port 1434 from private IPs over the entire day.

Is this a new kind of attack?

My firewall also blocked an attempt to connect to port 25 from 172.16.2.152. That's another private IP address. I suppose it's possible that the ISP and a remote net forgot to block those.

My firewall is configured to block incoming packets from private IP addresses or outgoing packets to them, even if the destination port would otherwise pass.

DoesItMatter
Now What??
Premium Member
join:2002-02-18
Mount Vernon, NY

Most likely, just Internet static, but you might find this useful.

»Security »Why am I being pinged, probed or attacked on this port?

As well as (with reports of common port trends as well):
»isc.incidents.org/
»www.dshield.org/
jamesv3
Premium Member
join:2003-03-08
Austin, TX

port 11768 apparently is a new port scan target but I don't know what for yet. Google reveals a couple of useful pages but they are in Polish.

The port 25 thing was probably a chain of misconfigured systems and routers.

Link Logger
MVM
join:2001-03-29
Calgary, AB

On the couple of IP's that I watch here there has been no traffic on port 11768, however looking at DShield.org it appears that something might be up and the traffic started on Dec 28th.

I'll set up a pot and see what it catches.

Blake

starreem
Premium Member
join:2000-12-22
Raleigh, NC

Link Logger- I had posted a similar query earlier in the day.

»Excessive traffic on port 11768

I still have the logs if you are interested.
kpatz
MY HEAD A SPLODE
Premium Member
join:2003-06-13
Manchester, NH

I haven't seen anything on 11768, yet. You say you're seeing these hits from private (unrouteable) IP addresses? What IPs? Can you see the TTL value in the packets? I bet they're coming from a misconfigured box on the same subnet as you. Or someone's spoofing the source IP in the scans (possible for UDP or ICMP but not likely for TCP since a handshake can't normally occur).

Also, are they TCP or UDP scans?
stonerhino to jamesv3
Member
join:2004-05-18
Norfolk, VA

I also am getting a massive amount of these now. I'm on Verizon and it's at least 1 every 10 seconds; this just started increasing today (1/6/2005). I think we got ourselves another net-bomb on our hands. At first I thought it was related to HL2, but after viewing my logs, it's been going on all day, since December, increasing in frequency. I will notify MyNetWatchman.com. Mr. Baldwin would be happy to get his hands on this information.
jamesv3 to kpatz
Premium Member
join:2003-03-08
Austin, TX

said by kpatz:

I haven't seen anything on 11768, yet. You say you're seeing these hits from private (unrouteable) IP addresses? What IPs? Can you see the TTL value in the packets? I bet they're coming from a misconfigured box on the same subnet as you. Or someone's spoofing the source IP in the scans (possible for UDP or ICMP but not likely for TCP since a handshake can't normally occur).

Also, are they TCP or UDP scans?
The unroutable source addresses were things like 192.168.30.126. There are lots from a variety of unrelated routable IPs.

It's a TCP port. 808 probes since Jan 2 evening on MCI but only 8 since Dec 28 on Road Runner and none from SBC/Yahoo!
None logged on a couple of routers I monitor on Verizon and Sprint.

Link Logger to jamesv3
MVM
join:2001-03-29
Calgary, AB

So far nothing here, but still watching.

Blake

GoodSamaritan to jamesv3
Anon
@nextelpartners.com

Just found an infected PC on our internal network trying to get out to random Internet IP addresses on port 11768 and being blocked by our firewall. Infected PC (Win2k) had all the critical MS updates installed and up-to-date virus definitions (McAfee). McAfee reported it as generic.backdoor.d trojan - the offending program was called ltht.exe but was not cleaned by McAfee or Stinger. Had to be manually cleaned.

DoesItMatter
Now What??
Premium Member
join:2002-02-18
Mount Vernon, NY

Did you submit it to malware vendors? If not, do you have a copy of it still that you can submit?

The information and e-mail link is located in here:
»Security »I think my computer is infected or hijacked. What should I do?
under "To Submit Suspected Malware:"
jamesv3 to GoodSamaritan
Premium Member
join:2003-03-08
Austin, TX

Yes it's well worth your time to submit the binary to all of the AV vendors: you don't want these probes showing up on your WAN port in a week or two...

I wonder what it was trying to talk to on 11768?

starreem
Premium Member
join:2000-12-22
Raleigh, NC

Anyone understand Polish?

»www.di.com.pl/n/?lp=8563

It's recent (sort of, Dec 29) and I gather the phrase backdoor trojan is in one paragraph.

NetFixer to jamesv3
From My Cold Dead Hands
Premium Member
join:2004-06-24
The Boro

In the past week I show 50 TCP port 11768 entries in my firewall log with seemingly random source ports and IP addresses. Not enough hits to have caught my attention except for noticing this thread. I will keep an eye on it and if I continue to get hits, I will capture some packets.

Zert0n to jamesv3
Anon
@sympatico.ca

I've had about 50 attempts on port 11768 in the last 45 mins. It's been greatly increasing for the last couple of days. I have Wall Watcher monitoring my router activity and do have all my logs.

Link Logger to jamesv3
MVM
join:2001-03-29
Calgary, AB

Could this be the Adanych trojan (believe that is the correct translation)?

I have PortPeeker watching this port, but is anyone else running PortPeeker or something like it to capture this traffic for analysis?

Blake
Link Logger to jamesv3
MVM

OK, we caught some scans to TCP port 11768 which are a little different, and as such we can't say for sure what they are. This could be a key to a backdoor or it could be something totally harmless, however we think not.

edit -> add traffic events and hostname report from Link Logger.

Jan 10, 2005 08:05:09.001 - (TCP) 194.150.76.190 : 2699 >>> 192.168.1.35 : 11768
Jan 10, 2005 08:04:21.833 - (TCP) 195.178.60.146 : 62925 >>> 192.168.1.35 : 11768
Jan 10, 2005 08:00:28.087 - (TCP) 62.248.36.172 : 3162 >>> 192.168.1.35 : 11768
Jan 10, 2005 07:27:22.252 - (TCP) 81.190.106.85 : 3341 >>> 192.168.1.35 : 11768
Jan 10, 2005 07:16:47.138 - (TCP) 193.254.218.182 : 1382 >>> 192.168.1.35 : 11768
Jan 10, 2005 06:49:23.024 - (TCP) 218.86.94.43 : 2711 >>> 192.168.1.35 : 11768
Jan 10, 2005 06:46:01.064 - (TCP) 81.190.106.85 : 1850 >>> 192.168.1.35 : 11768
Jan 10, 2005 06:33:17.686 - (TCP) 202.78.40.94 : 4730 >>> 192.168.1.35 : 11768
Jan 10, 2005 05:36:27.212 - (TCP) 202.78.40.94 : 3362 >>> 192.168.1.35 : 11768
Jan 10, 2005 05:17:32.150 - (TCP) 80.55.221.50 : 4475 >>> 192.168.1.35 : 11768
Jan 10, 2005 04:55:54.875 - (TCP) 218.86.95.184 : 4081 >>> 192.168.1.35 : 11768
Jan 10, 2005 04:35:17.515 - (TCP) 80.55.221.50 : 3258 >>> 192.168.1.35 : 11768
Jan 10, 2005 03:18:09.010 - (TCP) 81.137.233.196 : 4640 >>> 192.168.1.35 : 11768
Jan 10, 2005 03:13:38.821 - (TCP) 81.215.81.108 : 1648 >>> 192.168.1.35 : 11768
Jan 10, 2005 02:31:37.716 - (TCP) 81.30.161.46 : 4106 >>> 192.168.1.35 : 11768
Jan 10, 2005 01:56:36.735 - (TCP) 69.160.84.134 : 4888 >>> 192.168.1.35 : 11768
Jan 10, 2005 01:40:31.307 - (TCP) 219.145.61.170 : 4274 >>> 192.168.1.35 : 11768
Jan 10, 2005 00:58:21.680 - (TCP) 219.145.61.170 : 39769 >>> 192.168.1.35 : 11768

Hostname Report
IP/Hostname/Port/Events/Last Event
219.145.61.170 - Not Found - 11768 2 10/01/2005 1:40:31 AM
218.86.95.184 - Not Found - 11768 1 10/01/2005 4:55:54 AM
218.86.94.43 - Not Found - 11768 1 10/01/2005 6:49:23 AM
202.78.40.94 - Not Found - 11768 2 10/01/2005 6:33:17 AM
195.178.60.146 cirus.datacom.co.yu 11768 1 10/01/2005 8:04:21 AM
194.150.76.190 ppp190.leasat.net 11768 1 10/01/2005 8:05:09 AM
193.254.218.182 gidrok.romb.net 11768 1 10/01/2005 7:16:47 AM
81.215.81.108 dsl81-215-20844.adsl.ttnet.net.tr 11768 1 10/01/2005 3:13:38 AM
81.190.106.85 host-81-190-106-85.rzeszow.mm.pl 11768 2 10/01/2005 7:27:22 AM
81.137.233.196 host81-137-233-196.in-addr.btopenworld.com 11768 1 10/01/2005 3:18:09 AM
81.30.161.46 ts2-a46.dialup.vntp.net 11768 1 10/01/2005 2:31:37 AM
80.55.221.50 xn50.internetdsl.tpnet.pl 11768 2 10/01/2005 5:17:32 AM
69.160.84.134 69-160-84-134.frdrmd.adelphia.net 11768 1 10/01/2005 1:56:36 AM
62.248.36.172 CENKCILER 11768 1 10/01/2005 8:00:28 AM

PortPeeker Captures
219.145.61.170 : 39769 TCP Data In Length 39 bytes
MD5 = 8CCAFAC4CB8A7F1F1E2C0196B59A45E2
---- 10/01/2005 01:07:27.417
0000 5F 5F 31 32 33 5F 61 73 64 61 73 64 66 64 6A 68 __123_asdasdfdjh
0010 73 64 66 5F 53 41 46 61 73 64 66 68 6A 73 64 66 sdf_SAFasdfhjsdf
0020 5F 66 73 64 31 32 33 _fsd123

219.145.61.170 : 4274 TCP Data In Length 39 bytes
MD5 = 8CCAFAC4CB8A7F1F1E2C0196B59A45E2
---- 10/01/2005 01:49:36.613
0000 5F 5F 31 32 33 5F 61 73 64 61 73 64 66 64 6A 68 __123_asdasdfdjh
0010 73 64 66 5F 53 41 46 61 73 64 66 68 6A 73 64 66 sdf_SAFasdfhjsdf
0020 5F 66 73 64 31 32 33 _fsd123

69.160.84.134 : 4888 TCP Data In Length 39 bytes
MD5 = 8CCAFAC4CB8A7F1F1E2C0196B59A45E2
---- 10/01/2005 02:05:44.806
0000 5F 5F 31 32 33 5F 61 73 64 61 73 64 66 64 6A 68 __123_asdasdfdjh
0010 73 64 66 5F 53 41 46 61 73 64 66 68 6A 73 64 66 sdf_SAFasdfhjsdf
0020 5F 66 73 64 31 32 33 _fsd123

81.30.161.46 : 4106 TCP Data In Length 39 bytes
MD5 = 8CCAFAC4CB8A7F1F1E2C0196B59A45E2
---- 10/01/2005 02:40:45.356
0000 5F 5F 31 32 33 5F 61 73 64 61 73 64 66 64 6A 68 __123_asdasdfdjh
0010 73 64 66 5F 53 41 46 61 73 64 66 68 6A 73 64 66 sdf_SAFasdfhjsdf
0020 5F 66 73 64 31 32 33 _fsd123

etc., so you see it's the same package and we saw it from 14 different IP addresses last night.

Blake
ElJay to jamesv3
Member
join:2004-03-17
Portland, ME

I had quite a few computers hitting me on this port a few days ago, but it seems to have died down by now.

Zert0n
Anon
@sympatico.ca

I've been logging port activity on 11768 since January 6th and have received over 1060 probes since then. The traffic attempts to this port peaked on Jan. 8/05 @ 5:00am CST and have been steadily declining since.
The activity has been coming from 1006 unique IPs but seems to have died down to 1 or 2 every hour or so.
I've also read of 1 other similar incident this week with port 19388.

BTW: Link Logger is awesome Blake!

J.
kpatz to Link Logger
MY HEAD A SPLODE
Premium Member
join:2003-06-13
Manchester, NH

I haven't seen a single scan on 11768. I'm seeing a lot of 29992 though, which is a spam proxy. I also see 17771 on occasion, which is likely also a spam proxy (note the palindromic port #s).

Link Logger to jamesv3
MVM
join:2001-03-29
Calgary, AB

Now that I've had some time to look these over here, I see they are often accompanied by a scan to TCP port 445, so I'll set up another pot and see what I can capture on 445.

For example, from our firewall logs thus far today I received scans from 33 different sources; however, 17 of those also scanned us on TCP port 445, and based on the timing it would appear the 11768 and 445 scans were from the same worm, for example:

Jan 10, 2005 05:17:35.625 - (TCP) 80.55.221.50 : 4497 >>> 68.144.238.148 : 445
Jan 10, 2005 05:17:32.701 - (TCP) 80.55.221.50 : 4497 >>> 68.144.238.148 : 445
Jan 10, 2005 05:17:32.150 - (TCP) 80.55.221.50 : 4475 >>> 192.168.1.35 : 11768

Jan 10, 2005 04:35:20.990 - (TCP) 80.55.221.50 : 3289 >>> 68.144.238.148 : 445
Jan 10, 2005 04:35:18.026 - (TCP) 80.55.221.50 : 3289 >>> 68.144.238.148 : 445
Jan 10, 2005 04:35:17.515 - (TCP) 80.55.221.50 : 3258 >>> 192.168.1.35 : 11768

or another example:

Jan 10, 2005 21:17:52.103 - (TCP) 67.120.78.30 : 4363 >>> 68.144.238.148 : 445
Jan 10, 2005 21:17:49.049 - (TCP) 67.120.78.30 : 4363 >>> 68.144.238.148 : 445
Jan 10, 2005 21:17:48.859 - (TCP) 67.120.78.30 : 4344 >>> 192.168.1.35 : 11768

Jan 10, 2005 20:38:45.389 - (TCP) 67.120.78.30 : 3135 >>> 68.144.238.148 : 445
Jan 10, 2005 20:38:42.395 - (TCP) 67.120.78.30 : 3135 >>> 68.144.238.148 : 445
Jan 10, 2005 20:38:42.184 - (TCP) 67.120.78.30 : 3123 >>> 192.168.1.35 : 11768

Blake
mjr to kpatz
Premium Member
join:2003-09-18
Bethlehem, PA

(attached: DShield.org screenshot)
I've been getting POUNDED on 11756 for the last 24 hours. Since I started logging (sending to dshield.org) at 10 AM yesterday until the logging ceased at 11PM last night, (13 hours), I logged 11,447 hits on this port and almost 6,000 on 445! About a hit every 3 seconds from hundreds of different IP addresses. If you look at the log report I tried to attach, some are not hitting 445 at all, and some are hitting 445 the same number of times they're hitting 11768...

I believe this started early yesterday morning, but am not really sure.

My internet connection is now down, and I don't know if it's because my ISP shut it down, the cable modem crashed, or the router crashed and I'm at work, so I can't diagnose it, but my router stopped e-mailing logs at about 11PM last night. I have to check it out when I get home tonight.

Any additional insight would be greatly appreciated...

- Mike
kpatz
MY HEAD A SPLODE
Premium Member
join:2003-06-13
Manchester, NH

Interesting... maybe it's a worm that spreads on 445 and opens a backdoor on 11768. It's interesting that I haven't seen any such scans, but then my ISP blocks 445 so the odds of someone on my subnet getting infected are slim, but I think I'd still see scans on 11768 from other networks. I'm sure it'll hit eventually.

jvmorris to mjr
I Am The Man Who Was Not There.
MVM
join:2001-04-03
Reston, VA

Just out of curiosity, and looking at 065.016.161.198 and 213.249.135.036 in particular (since you show an identical number of hits on the two ports from these two IP addresses), is there any particular sequence in the events (assuming you've still got the detailed logs)?

That is, does 445 get probed and then 11768 (or vice versa)? If so, is the time interval between the two probes on the different ports fairly constant?

Also, are the probe events showing as triplets when they occur? That is, is it a group of three (or some other number) pairs of probes in a short time interval?

Just trying to get a bit better characterization of the activity than a simple raw count.
mjr
Premium Member
join:2003-09-18
Bethlehem, PA

Here's a very short snippet of a log from last night...

Jan/10/2005 21:30:04 Drop TCP packet from WAN src:209.179.194.214:3568 dst:x.x.x.x:445
Jan/10/2005 21:30:02 Drop TCP packet from WAN src:208.57.109.201:3366 dst:x.x.x.x:11768
Jan/10/2005 21:30:01 Drop TCP packet from WAN src:209.179.194.214:3568 dst:x.x.x.x:445
Jan/10/2005 21:29:59 Drop TCP packet from WAN src:208.57.109.201:3366 dst:x.x.x.x:11768
Jan/10/2005 21:29:59 Drop TCP packet from WAN src:209.179.194.214:3371 dst:x.x.x.x:11768
Jan/10/2005 21:29:56 Drop TCP packet from WAN src:209.179.194.214:3371 dst:x.x.x.x:11768

Link Logger to jamesv3
MVM
join:2001-03-29
Calgary, AB

It would appear that 11768 traffic is slowly picking up here, but we have not seen a scan from a 68.*.*.* based system, so either it's been slim pickings around here (which I doubt based on how well other worms do), or the IP generation algorithm is weighted against local scans. When I get some more time I'll go through the pots and see what I have (likely tonight, sorry).

Blake

jvmorris to mjr
I Am The Man Who Was Not There.
MVM
join:2001-04-03
Reston, VA

Well, that's a really short snippet, but let's take a look at xxx.yyy.zzz.214
said by mjr:

Jan/10/2005 21:30:04 Drop TCP packet from WAN src:209.179.194.214:3568 dst:x.x.x.x:445
Jan/10/2005 21:30:01 Drop TCP packet from WAN src:209.179.194.214:3568 dst:x.x.x.x:445
Jan/10/2005 21:29:59 Drop TCP packet from WAN src:209.179.194.214:3371 dst:x.x.x.x:11768
Jan/10/2005 21:29:56 Drop TCP packet from WAN src:209.179.194.214:3371 dst:x.x.x.x:11768
That shows a doublet probe against 11768 (separated by about 3 seconds) followed about two seconds later by a similar doublet probe against 445.

Pity you don't have another nine seconds or so to determine if the anticipated third probe on each port also appears. Both 11768 probes originate from port 3371, both 445 probes originate from 3568 (on that particular source box). Looks like the box is stepping along rather briskly in probing other IP addresses.

You might want to check (when you get a chance) to see if that pattern repeats consistently, but I still think those two IP addresses (in my first post) are the most likely source for analysis.

I wonder if MyNetWatchman has any data that might throw some light on the search pattern?
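Link Logger's observation that a 445 probe follows the 11768 probe from the same host within a few seconds, and jvmorris's questions about doublets and intervals, can be checked mechanically over a full log. The script below is an added example, not code from this thread or from Link Logger or PortPeeker: it parses both log layouts quoted above (Link Logger's and mjr's router's, with sample lines copied from those posts), groups packets per source into (source port, destination port) flows so that SYN retransmits are counted rather than mistaken for extra scans, and reports the 11768-to-445 delay per source.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: lines copied from the firewall logs quoted in this thread (not a live capture).
SAMPLE_LINES = [
    "Jan 10, 2005 05:17:35.625 - (TCP) 80.55.221.50 : 4497 >>> 68.144.238.148 : 445",
    "Jan 10, 2005 05:17:32.701 - (TCP) 80.55.221.50 : 4497 >>> 68.144.238.148 : 445",
    "Jan 10, 2005 05:17:32.150 - (TCP) 80.55.221.50 : 4475 >>> 192.168.1.35 : 11768",
    "Jan/10/2005 21:30:04 Drop TCP packet from WAN src:209.179.194.214:3568 dst:x.x.x.x:445",
    "Jan/10/2005 21:30:02 Drop TCP packet from WAN src:208.57.109.201:3366 dst:x.x.x.x:11768",
    "Jan/10/2005 21:30:01 Drop TCP packet from WAN src:209.179.194.214:3568 dst:x.x.x.x:445",
    "Jan/10/2005 21:29:59 Drop TCP packet from WAN src:208.57.109.201:3366 dst:x.x.x.x:11768",
    "Jan/10/2005 21:29:59 Drop TCP packet from WAN src:209.179.194.214:3371 dst:x.x.x.x:11768",
    "Jan/10/2005 21:29:56 Drop TCP packet from WAN src:209.179.194.214:3371 dst:x.x.x.x:11768",
]

FORMATS = [  # (regex, strptime format): Link Logger's layout first, then mjr's router's
    (re.compile(r"^(\w{3} \d{1,2}, \d{4} \d\d:\d\d:\d\d\.\d+) - \((\w+)\) (\S+) : (\d+) >>> \S+ : (\d+)$"),
     "%b %d, %Y %H:%M:%S.%f"),
    (re.compile(r"^(\w{3}/\d{1,2}/\d{4} \d\d:\d\d:\d\d) Drop (\w+) packet from WAN src:(\S+):(\d+) dst:\S+:(\d+)$"),
     "%b/%d/%Y %H:%M:%S"),
]

def parse(line):
    """Return (timestamp, proto, src_ip, src_port, dst_port), or None for an unrecognised line."""
    for rx, fmt in FORMATS:
        m = rx.match(line)
        if m:
            return (datetime.strptime(m.group(1), fmt), m.group(2), m.group(3),
                    int(m.group(4)), int(m.group(5)))
    return None

def correlate(lines, window=10.0):
    """Per source IP: 'flows' maps (src_port, dst_port) to sorted timestamps (the same source
    port recurring a few seconds later is a retransmitted SYN, jvmorris's 'doublet'); 'pairs'
    is the delay from each 11768 flow to the nearest 445 flow from that host within `window` s."""
    flows = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev:
            flows[(ev[2], ev[3], ev[4])].append(ev[0])
    report = defaultdict(lambda: {"flows": {}, "pairs": []})
    for (src, sport, dport), stamps in flows.items():
        report[src]["flows"][(sport, dport)] = sorted(stamps)
    for info in report.values():
        starts_445 = [s[0] for (_, dp), s in info["flows"].items() if dp == 445]
        starts_11768 = sorted(s[0] for (_, dp), s in info["flows"].items() if dp == 11768)
        for t1 in starts_11768:
            near = [t2 for t2 in starts_445 if abs((t2 - t1).total_seconds()) <= window]
            if near:
                t2 = min(near, key=lambda t: abs((t - t1).total_seconds()))
                info["pairs"].append((t2 - t1).total_seconds())
    return dict(report)
```

On the sample, 209.179.194.214 shows two packets per flow (the 3-second SYN retransmit) and a 5-second 11768-to-445 gap, while 208.57.109.201 hits 11768 only, the "11768-only" population jvmorris mentions.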
jvmorris to Link Logger
MVM

said by Link Logger:

...either it's been slim pickings around here (which I doubt based on how well other worms do), or the IP generation algorithm is weighted against local scans. ...
Nothing transparently obvious about the IP generation algorithm from looking at the detailed data for some of the listed source IPs at MyNetWatchman.

It's difficult at this point to tell if the probes hitting 11768 only are from a different source app than those hitting both 11768 and 445 -- and that's complicated by the tendency of lots of ISPs to block 445 traffic in the first place.
psloss to jamesv3
Premium Member
join:2002-02-24

For what it's worth, we still haven't seen any SYN packets on tcp/11768 here on any IPs...

Still plenty of LSASS exploit activity, though, mostly driving FTP and TFTP sessions.

Philip Sloss
mjr to jvmorris
Premium Member
join:2003-09-18
Bethlehem, PA

(attached: Log.zip, 1,952 bytes, containing Log.txt)
I have hours of log!!!!

Here's 8 minutes' worth (190+ hits). Feel free to pull it into Excel and manipulate it if you wish. I don't really know enough about what I'd be looking for...