[Dshield] port 11768

jayjwa jayjwa at atr2.ath.cx
Wed Jan 12 15:10:21 GMT 2005


On Tue, 11 Jan 2005, Henry Hertz Hobbit wrote:

+ Date: Tue, 11 Jan 2005 14:01:16 -0700
+ From: Henry Hertz Hobbit <hhhobbit at comcast.net>
+ Reply-To: General DShield Discussion List <list at lists.dshield.org>
+ To: list at lists.dshield.org
+ Subject: [Dshield] port 11768
+ 
+ What is up with this port?  Nobody seems to have anything on
+ it anywhere, yet the majority of things bouncing off my WAN
+ port are now directed at 11768.  If it were a worm it seems
+ like Symantec or somebody would know about it.  So far I
+ can't seem to find any reference to it.
+ 
+ I get 1-4 packets per IP, with the average being 2.  Since
+ it is an unassigned port I am rather reluctant to ask about
+ it.  It may just be an anomaly that only I am seeing.


That's some anomaly. Nothing conclusive on the web, and nothing worth 
recording so far. Most of the sites hitting here themselves have their 
port 11768 open, but I can't make it give up any response. It'll take 
about 10-50 or so bytes, then shut down, open again in a minute. It 
reminded me of an authenticated backdoor.

cat firewall | grep Probe | awk -F' ' '{ print $1,$2,$3,$4,$5,$6,$11 }' > /tmp/11768-scans.log



Whatever is doing it, it's likely the same thing, indicating something that is 
getting around, either an exploit or a virus. Notice they almost always 
come two-by-two per IP, with rare exceptions.


--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++

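An added example, not part of either post, that tallies netfilter-style kernel log lines per source address so the "two packets per IP, a few seconds apart" pattern described above can be measured instead of eyeballed. The log lines and addresses are constructed here; the SRC=/DPT= layout assumes the standard iptables LOG target format.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of iptables LOG lines (not taken from the post);
# the addresses are documentation ranges, the layout is the usual netfilter one.
SAMPLE_LOG = """\
Jan 11 03:12:36 atr2 kernel: Probe IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP SPT=4123 DPT=11768 SYN
Jan 11 03:12:39 atr2 kernel: Probe IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP SPT=4123 DPT=11768 SYN
Jan 11 03:20:01 atr2 kernel: Probe IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.1 PROTO=TCP SPT=5000 DPT=22 SYN
Jan 11 03:33:50 atr2 kernel: Probe IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.1 PROTO=TCP SPT=5001 DPT=11768 SYN
Jan 11 03:33:53 atr2 kernel: Probe IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.1 PROTO=TCP SPT=5001 DPT=11768 SYN
Jan 11 04:00:00 atr2 kernel: Probe IN=eth0 OUT= SRC=192.0.2.200 DST=192.0.2.1 PROTO=TCP SPT=6000 DPT=11768 SYN
"""

# syslog timestamp, host, "kernel:", then the SRC= and DPT= fields of the LOG line
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: .*?SRC=(\S+) .*?DPT=(\d+)")


def parse_probes(text, port, year=2005):
    """Return {src_ip: [timestamps]} for lines whose destination port matches."""
    hits = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or int(m.group(3)) != port:
            continue
        # syslog lines carry no year; the caller supplies it
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        hits[m.group(2)].append(ts)
    return hits


def summarize(hits):
    """Per source IP: number of hits and the gaps in seconds between consecutive hits."""
    out = {}
    for ip, times in hits.items():
        times = sorted(times)
        gaps = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
        out[ip] = {"count": len(times), "gaps": gaps}
    return out


def retry_share(summary, max_gap=5):
    """Fraction of sources that sent a follow-up packet within max_gap seconds,
    i.e. the retransmit-looking 'two-by-two' behaviour the post points out."""
    paired = sum(1 for s in summary.values() if s["gaps"] and min(s["gaps"]) <= max_gap)
    return paired / len(summary) if summary else 0.0
```

A source that shows only a single hit, or whose gaps are far longer than a TCP retransmit window, stands out in the summary as the exception worth a closer look.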

