bsdjunkie
January 12th, 2005, 13:26
Anyone else seeing these? They started appearing a few days ago on my home network, and they are starting to be picked up on the security mailing lists. So far there is not much info. It appears that each host will try twice to connect to port 11768 with a .03 second delay.


11:03:05.568843 213.238.92.110.3221 > myhost.11768: S [tcp sum ok] 455745355:455745355(0) win 16384 <mss 1452,nop,nop,sackOK> (DF) (ttl 111, id 62556)
11:03:06.496331 200.141.247.14.4036 > myhost.11768: S [tcp sum ok] 1610221191:1610221191(0) win 65535 <mss 1440,nop,nop,sackOK> (DF) (ttl 112, id 49014)
11:03:07.990547 213.238.92.110.3221 > myhost.11768: S [tcp sum ok] 455745355:455745355(0) win 16384 <mss 1452,nop,nop,sackOK> (DF) (ttl 111, id 63013)
11:03:09.513824 200.141.247.14.4036 > myhost.11768: S [tcp sum ok] 1610221191:1610221191(0) win 65535 <mss 1440,nop,nop,sackOK> (DF) (ttl 112, id 49267)
11:10:25.036756 65.100.160.247.3222 > myhost.11768: S [tcp sum ok] 2584643960:2584643960(0) win 65535 <mss 1408,nop,nop,sackOK> (DF) (ttl 110, id 61238)
11:10:27.950594 65.100.160.247.3222 > myhost.11768: S [tcp sum ok] 2584643960:2584643960(0) win 65535 <mss 1408,nop,nop,sackOK> (DF) (ttl 110, id 61455)
11:33:25.746199 68.164.206.67.63886 > myhost.11768: S [tcp sum ok] 2970772380:2970772380(0) win 65535 <mss 1460,nop,nop,sackOK> (DF) (ttl 116, id 24369)
11:33:28.933920 68.164.206.67.63886 > myhost.11768: S [tcp sum ok] 2970772380:2970772380(0) win 65535 <mss 1460,nop,nop,sackOK> (DF) (ttl 116, id 24656)
11:38:47.541472 24.153.118.44.3958 > myhost.11768: S [tcp sum ok] 1689781790:1689781790(0) win 64240 <mss 1460,nop,nop,sackOK> (DF) (ttl 109, id 21775)
11:38:50.500785 24.153.118.44.3958 > myhost.11768: S [tcp sum ok] 1689781790:1689781790(0) win 64240 <mss 1460,nop,nop,sackOK> (DF) (ttl 109, id 22303)
11:40:58.263428 195.10.125.153.4695 > myhost.11768: S [tcp sum ok] 4024411655:4024411655(0) win 8760 <mss 1460,nop,nop,sackOK> (DF) (ttl 111, id 59579)
11:56:09.387506 217.161.51.196.21612 > myhost.11768: S [tcp sum ok] 1171517717:1171517717(0) win 65535 <mss 1380,nop,nop,sackOK> (DF) (ttl 112, id 34676)
11:56:12.402086 217.161.51.196.21612 > myhost.11768: S [tcp sum ok] 1171517717:1171517717(0) win 65535 <mss 1380,nop,nop,sackOK> (DF) (ttl 112, id 34911)
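
An added parser (example code, not from this thread) that runs over a constructed subset of the tcpdump lines above. It groups SYNs to port 11768 by source, source port and initial sequence number, so repeated SYNs carrying the same ISN are counted as retransmissions of one unanswered connect rather than separate attempts, and it reports the delay between them.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: a subset of the tcpdump lines posted above, same format.
SAMPLE = """\
11:03:05.568843 213.238.92.110.3221 > myhost.11768: S [tcp sum ok] 455745355:455745355(0) win 16384 <mss 1452,nop,nop,sackOK> (DF) (ttl 111, id 62556)
11:03:07.990547 213.238.92.110.3221 > myhost.11768: S [tcp sum ok] 455745355:455745355(0) win 16384 <mss 1452,nop,nop,sackOK> (DF) (ttl 111, id 63013)
11:40:58.263428 195.10.125.153.4695 > myhost.11768: S [tcp sum ok] 4024411655:4024411655(0) win 8760 <mss 1460,nop,nop,sackOK> (DF) (ttl 111, id 59579)
11:56:09.387506 217.161.51.196.21612 > myhost.11768: S [tcp sum ok] 1171517717:1171517717(0) win 65535 <mss 1380,nop,nop,sackOK> (DF) (ttl 112, id 34676)
11:56:12.402086 217.161.51.196.21612 > myhost.11768: S [tcp sum ok] 1171517717:1171517717(0) win 65535 <mss 1380,nop,nop,sackOK> (DF) (ttl 112, id 34911)
"""

# Matches the classic tcpdump (pre-4.x) TCP line layout used in the post.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.(?P<dport>\d+): (?P<flags>\S+) .*?"
    r"(?P<seq>\d+):\d+\(\d+\).*?ttl (?P<ttl>\d+)"
)

def parse(text):
    """Yield one dict per recognised tcpdump line; unrecognised lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        yield {"t": datetime.strptime(d["ts"], "%H:%M:%S.%f"), "src": d["src"],
               "sport": int(d["sport"]), "dport": int(d["dport"]),
               "flags": d["flags"], "seq": int(d["seq"]), "ttl": int(d["ttl"])}

def syn_profile(text, port=11768):
    """Per source host: number of SYNs to `port`, how many of them were
    retransmissions (same source port and same ISN as an earlier SYN),
    and the gap in seconds between successive SYNs of one connection."""
    conns = defaultdict(list)           # (src, sport, isn) -> [timestamps]
    for p in parse(text):
        if p["dport"] == port and p["flags"] == "S":
            conns[(p["src"], p["sport"], p["seq"])].append(p["t"])
    out = defaultdict(lambda: {"syns": 0, "retransmits": 0, "retry_gaps_s": []})
    for (src, _sport, _isn), times in conns.items():
        times.sort()
        rec = out[src]
        rec["syns"] += len(times)
        rec["retransmits"] += len(times) - 1
        rec["retry_gaps_s"] += [round((b - a).total_seconds(), 3)
                                for a, b in zip(times, times[1:])]
    return dict(out)
```

A retransmitted SYN with an unchanged ISN means the client's TCP stack got no answer to its first packet, which is what you expect when the probed port is filtered; a fresh connect would carry a new ISN.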

bmw
January 12th, 2005, 14:28
I'm seeing those too. A tiny trickle on Jan 5 through 9 (one or two probes/day), then a flood from Jan 10 to now. But I'm seeing some probes of three at a time as well as just two. Mostly coming from DSL & cable links.

So nobody knows what service this is attempting to find? Is it maybe linked to a recent trojan?

bsdjunkie
January 12th, 2005, 15:16
I just read on a post that it may be worm related, but this guy had heard it 2nd hand from another source. So no idea yet.

socomm
January 12th, 2005, 16:43
http://www.viruslist.com/en/weblog?weblogid=157621323

bsdjunkie
January 12th, 2005, 16:55
ah, shoulda checked there today. Was reading F-Secure's, but didn't look up viruslist yet this afternoon :P

http://www.f-secure.com/weblog/

bsdjunkie
January 13th, 2005, 13:31
In case anyone is interested, LURHQ released a writeup on it.

http://www.lurhq.com/dipnet.html