Link Logger (Calgary, AB), reply to jamesv:
Re: attacks on port 11768?

OK, we caught some scans to TCP port 11768 which are a little different, and as such we can't say for sure what they are. This could be a key to a backdoor or it could be something totally harmless; however, we think not.
Edit: added traffic events and hostname report from Link Logger.
Jan 10, 2005 08:05:09.001 - (TCP) 194.150.76.190 : 2699 >>> 192.168.1.35 : 11768
Jan 10, 2005 08:04:21.833 - (TCP) 195.178.60.146 : 62925 >>> 192.168.1.35 : 11768
Jan 10, 2005 08:00:28.087 - (TCP) 62.248.36.172 : 3162 >>> 192.168.1.35 : 11768
Jan 10, 2005 07:27:22.252 - (TCP) 81.190.106.85 : 3341 >>> 192.168.1.35 : 11768
Jan 10, 2005 07:16:47.138 - (TCP) 193.254.218.182 : 1382 >>> 192.168.1.35 : 11768
Jan 10, 2005 06:49:23.024 - (TCP) 218.86.94.43 : 2711 >>> 192.168.1.35 : 11768
Jan 10, 2005 06:46:01.064 - (TCP) 81.190.106.85 : 1850 >>> 192.168.1.35 : 11768
Jan 10, 2005 06:33:17.686 - (TCP) 202.78.40.94 : 4730 >>> 192.168.1.35 : 11768
Jan 10, 2005 05:36:27.212 - (TCP) 202.78.40.94 : 3362 >>> 192.168.1.35 : 11768
Jan 10, 2005 05:17:32.150 - (TCP) 80.55.221.50 : 4475 >>> 192.168.1.35 : 11768
Jan 10, 2005 04:55:54.875 - (TCP) 218.86.95.184 : 4081 >>> 192.168.1.35 : 11768
Jan 10, 2005 04:35:17.515 - (TCP) 80.55.221.50 : 3258 >>> 192.168.1.35 : 11768
Jan 10, 2005 03:18:09.010 - (TCP) 81.137.233.196 : 4640 >>> 192.168.1.35 : 11768
Jan 10, 2005 03:13:38.821 - (TCP) 81.215.81.108 : 1648 >>> 192.168.1.35 : 11768
Jan 10, 2005 02:31:37.716 - (TCP) 81.30.161.46 : 4106 >>> 192.168.1.35 : 11768
Jan 10, 2005 01:56:36.735 - (TCP) 69.160.84.134 : 4888 >>> 192.168.1.35 : 11768
Jan 10, 2005 01:40:31.307 - (TCP) 219.145.61.170 : 4274 >>> 192.168.1.35 : 11768
Jan 10, 2005 00:58:21.680 - (TCP) 219.145.61.170 : 39769 >>> 192.168.1.35 : 11768
Hostname Report (IP / Hostname / Port / Events / Last Event)

219.145.61.170   Not Found                                    11768  2  10/01/2005 1:40:31 AM
218.86.95.184    Not Found                                    11768  1  10/01/2005 4:55:54 AM
218.86.94.43     Not Found                                    11768  1  10/01/2005 6:49:23 AM
202.78.40.94     Not Found                                    11768  2  10/01/2005 6:33:17 AM
195.178.60.146   cirus.datacom.co.yu                          11768  1  10/01/2005 8:04:21 AM
194.150.76.190   ppp190.leasat.net                            11768  1  10/01/2005 8:05:09 AM
193.254.218.182  gidrok.romb.net                              11768  1  10/01/2005 7:16:47 AM
81.215.81.108    dsl81-215-20844.adsl.ttnet.net.tr            11768  1  10/01/2005 3:13:38 AM
81.190.106.85    host-81-190-106-85.rzeszow.mm.pl             11768  2  10/01/2005 7:27:22 AM
81.137.233.196   host81-137-233-196.in-addr.btopenworld.com   11768  1  10/01/2005 3:18:09 AM
81.30.161.46     ts2-a46.dialup.vntp.net                      11768  1  10/01/2005 2:31:37 AM
80.55.221.50     xn50.internetdsl.tpnet.pl                    11768  2  10/01/2005 5:17:32 AM
69.160.84.134    69-160-84-134.frdrmd.adelphia.net            11768  1  10/01/2005 1:56:36 AM
62.248.36.172    CENKCILER                                    11768  1  10/01/2005 8:00:28 AM
PortPeeker Captures

219.145.61.170 : 39769 TCP Data In Length 39 bytes MD5 = 8CCAFAC4CB8A7F1F1E2C0196B59A45E2 ---- 10/01/2005 01:07:27.417
0000 5F 5F 31 32 33 5F 61 73 64 61 73 64 66 64 6A 68 __123_asdasdfdjh
0010 73 64 66 5F 53 41 46 61 73 64 66 68 6A 73 64 66 sdf_SAFasdfhjsdf
0020 5F 66 73 64 31 32 33 _fsd123

219.145.61.170 : 4274 TCP Data In Length 39 bytes MD5 = 8CCAFAC4CB8A7F1F1E2C0196B59A45E2 ---- 10/01/2005 01:49:36.613
0000 5F 5F 31 32 33 5F 61 73 64 61 73 64 66 64 6A 68 __123_asdasdfdjh
0010 73 64 66 5F 53 41 46 61 73 64 66 68 6A 73 64 66 sdf_SAFasdfhjsdf
0020 5F 66 73 64 31 32 33 _fsd123

69.160.84.134 : 4888 TCP Data In Length 39 bytes MD5 = 8CCAFAC4CB8A7F1F1E2C0196B59A45E2 ---- 10/01/2005 02:05:44.806
0000 5F 5F 31 32 33 5F 61 73 64 61 73 64 66 64 6A 68 __123_asdasdfdjh
0010 73 64 66 5F 53 41 46 61 73 64 66 68 6A 73 64 66 sdf_SAFasdfhjsdf
0020 5F 66 73 64 31 32 33 _fsd123

81.30.161.46 : 4106 TCP Data In Length 39 bytes MD5 = 8CCAFAC4CB8A7F1F1E2C0196B59A45E2 ---- 10/01/2005 02:40:45.356
0000 5F 5F 31 32 33 5F 61 73 64 61 73 64 66 64 6A 68 __123_asdasdfdjh
0010 73 64 66 5F 53 41 46 61 73 64 66 68 6A 73 64 66 sdf_SAFasdfhjsdf
0020 5F 66 73 64 31 32 33 _fsd123
etc. So you see it's the same package, and we saw it from 14 different IP addresses last night.
Blake -- Vendor: Firewall Logging Software; www.SonicLogger.com (SonicWall and 3Com); www.LinkLogger.com (Linksys, Netgear and Zyxel)
kpatz (Manchester, NH): I haven't seen a single scan on 11768. I'm seeing a lot of 29992 though, which is a spam proxy. I also see 17771 on occasion, which is likely also a spam proxy (note the palindromic port #s). -- SMTP: Spam and Malware Transfer Protocol. Also used on rare occasion to transmit e-mail messages.
mjr (Bethlehem, PA): [DShield.org screenshot]
I've been getting POUNDED on 11768 for the last 24 hours. Since I started logging (sending to dshield.org) at 10 AM yesterday until the logging ceased at 11 PM last night (13 hours), I logged 11,447 hits on this port and almost 6,000 on 445! About a hit every 3 seconds from hundreds of different IP addresses. If you look at the log report I tried to attach, some are not hitting 445 at all, and some are hitting 445 the same number of times they're hitting 11768...
I believe this started early yesterday morning, but am not really sure.
My internet connection is now down, and I don't know if it's because my ISP shut it down, the cable modem crashed, or the router crashed. I'm at work, so I can't diagnose it, but my router stopped e-mailing logs at about 11 PM last night. I have to check it out when I get home tonight.
Any additional insight would be greatly appreciated...
- Mike
kpatz (Manchester, NH): Interesting... maybe it's a worm that spreads on 445 and opens a backdoor on 11768. It's interesting that I haven't seen any such scans, but then my ISP blocks 445, so the odds of someone on my subnet getting infected are slim, but I think I'd still see scans on 11768 from other networks. I'm sure it'll hit eventually. -- SMTP: Spam and Malware Transfer Protocol. Also used on rare occasion to transmit e-mail messages.
jvmorris (Reston, VA), reply to mjr: Just out of curiosity, and looking at 065.016.161.198 and 213.249.135.036 in particular (since you show an identical number of hits on the two ports from these two IP addresses), is there any particular sequence in the events (assuming you've still got the detailed logs)?
That is, does 445 get probed and then 11768 (or vice versa)? If so, is the time interval between the two probes on the different ports fairly constant?
Also, are the probe events showing as triplets when they occur? That is, is it a group of three (or some other number) pairs of probes in a short time interval?
Just trying to get a bit better characterization of the activity than a simple raw count. -- Regards, Joseph V. Morris
mjr (Bethlehem, PA): Here's a very short snippet of a log from last night...
Jan/10/2005 21:30:04 Drop TCP packet from WAN src:209.179.194.214:3568 dst:x.x.x.x:445
Jan/10/2005 21:30:02 Drop TCP packet from WAN src:208.57.109.201:3366 dst:x.x.x.x:11768
Jan/10/2005 21:30:01 Drop TCP packet from WAN src:209.179.194.214:3568 dst:x.x.x.x:445
Jan/10/2005 21:29:59 Drop TCP packet from WAN src:208.57.109.201:3366 dst:x.x.x.x:11768
Jan/10/2005 21:29:59 Drop TCP packet from WAN src:209.179.194.214:3371 dst:x.x.x.x:11768
Jan/10/2005 21:29:56 Drop TCP packet from WAN src:209.179.194.214:3371 dst:x.x.x.x:11768
jvmorris (Reston, VA): Well, that's a really short snippet, but let's take a look at xxx.yyy.zzz.214.

said by mjr:
Jan/10/2005 21:30:04 Drop TCP packet from WAN src:209.179.194.214:3568 dst:x.x.x.x:445
Jan/10/2005 21:30:01 Drop TCP packet from WAN src:209.179.194.214:3568 dst:x.x.x.x:445
Jan/10/2005 21:29:59 Drop TCP packet from WAN src:209.179.194.214:3371 dst:x.x.x.x:11768
Jan/10/2005 21:29:56 Drop TCP packet from WAN src:209.179.194.214:3371 dst:x.x.x.x:11768

That shows a doublet probe against 11768 (separated by about 3 seconds) followed about two seconds later by a similar doublet probe against 445.
Pity you don't have another nine seconds or so to determine if the anticipated third probe on each port also appears. Both 11768 probes originate from port 3371, both 445 probes originate from 3568 (on that particular source box). Looks like the box is stepping along rather briskly in probing other IP addresses.
You might want to check (when you get a chance) to see if that pattern repeats consistently, but I still think those two IP addresses (in my first post) are the most likely source for analysis.
I wonder if MyNetWatchman has any data that might throw some light on the search pattern? -- Regards, Joseph V. Morris
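The doublet analysis above can be done mechanically over the router log rather than by eye. This is an added example, not code from any poster in the thread; it assumes the router's line format is exactly the one in mjr's six lines (which are embedded below as the constructed sample) and the function names are this example's own. It groups dropped packets by source IP, source port and destination port, measures the gaps inside each group, and then reports, per source, the order in which ports were tried and the delay between tries.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the six router log lines mjr posted, in the router's
# own "Drop TCP packet from WAN src:IP:port dst:x.x.x.x:port" format.
SAMPLE_LOG = """\
Jan/10/2005 21:30:04 Drop TCP packet from WAN src:209.179.194.214:3568 dst:x.x.x.x:445
Jan/10/2005 21:30:02 Drop TCP packet from WAN src:208.57.109.201:3366 dst:x.x.x.x:11768
Jan/10/2005 21:30:01 Drop TCP packet from WAN src:209.179.194.214:3568 dst:x.x.x.x:445
Jan/10/2005 21:29:59 Drop TCP packet from WAN src:208.57.109.201:3366 dst:x.x.x.x:11768
Jan/10/2005 21:29:59 Drop TCP packet from WAN src:209.179.194.214:3371 dst:x.x.x.x:11768
Jan/10/2005 21:29:56 Drop TCP packet from WAN src:209.179.194.214:3371 dst:x.x.x.x:11768
"""

# Assumed line format (matches the sample above; other routers differ).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) Drop TCP packet from WAN "
    r"src:(?P<src>[\d.]+):(?P<sport>\d+) dst:[\w.]+:(?P<dport>\d+)$"
)


def parse_drops(text):
    """Return (timestamp, src_ip, src_port, dst_port) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # skip lines for other protocols or other log messages
            ts = datetime.strptime(m["ts"], "%b/%d/%Y %H:%M:%S")
            events.append((ts, m["src"], int(m["sport"]), int(m["dport"])))
    return sorted(events)


def connection_attempts(events):
    """Group drops by (src_ip, src_port, dst_port).

    Repeated drops that share a source port are one TCP connection attempt
    whose SYN was retransmitted after the first went unanswered, so the
    gaps inside a group measure the sender's retransmit timer, not a new
    probe. Returns first/last timestamp, packet count and the gaps."""
    groups = defaultdict(list)
    for ts, src, sport, dport in events:
        groups[(src, sport, dport)].append(ts)
    attempts = {}
    for key, stamps in groups.items():
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        attempts[key] = {"first": stamps[0], "last": stamps[-1],
                         "count": len(stamps), "gaps_s": gaps}
    return attempts


def port_sequence(attempts, src_ip):
    """Order one source's connection attempts by first packet and report
    (dst_port, seconds since the previous attempt's last packet), which
    answers 'does 445 get probed and then 11768, or vice versa?'"""
    mine = sorted((v["first"], v["last"], dport)
                  for (src, _, dport), v in attempts.items() if src == src_ip)
    seq = []
    for i, (first, last, dport) in enumerate(mine):
        delay = None if i == 0 else (first - mine[i - 1][1]).total_seconds()
        seq.append((dport, delay))
    return seq
```

On the six sample lines, 209.179.194.214 comes out as 11768 first (source port 3371, two packets 3 s apart) and 445 second (source port 3568, two packets 3 s apart) starting 2 s after the 11768 pair ends, which is the doublet-then-doublet reading above. Because both packets of each pair share a source port, each pair reads as a single connection attempt with one SYN retransmit; a 3 s spacing matches the default Windows SYN retransmit timer (3 s, then 6 s), which would put the third packet jvmorris anticipates about 6 s after the second. That is an interpretation of the six lines, not something the thread established; a longer log is needed to confirm it.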
mjr (Bethlehem, PA): I have hours of log!!!!
Here's 8 minutes' worth (190+ hits). Feel free to pull it into Excel and manipulate it if you wish. I don't really know enough about what I'd be looking for...
jvmorris (Reston, VA):

said by mjr: I have hours of log!!!!

I'm sure you do!
Don't throw anything away just yet. I was just looking at the snippets that Blake posted (before your post) and noticed that the whole scan process (at least for him) seems to be cycling about every 40 minutes. That is, the same source IP might tend to show up about every 40 minutes or so with a new set of probes.
Little sucker may have a flawed algorithm to randomly generate new IP addresses to probe. That could also explain why some people see a lot of it (like you) and other people aren't seeing anything.
said by mjr: Here's 8 minutes' worth (190+ hits). Feel free to pull it into Excel and manipulate it if you wish. I don't really know enough about what I'd be looking for...

Thanks. I'll take a look at that. -- Regards, Joseph V. Morris