[Dshield] port 11768
jstewart at lurhq.com
Thu Jan 13 16:21:46 GMT 2005
On Wednesday 12 January 2005 12:39 pm, Esler, Joel - Contractor wrote:
> Apparently it's worm related. Dipnet or oddbob... The .d variant...
> I got this information from a third party so...
This is indeed the case. It is an LSASS-exploiting worm which spreads an
IRC bot. Nothing new being exploited here. The port 11768 traffic is so
the bot can detect if a host is already infected, and if so, with what
version. The traffic should be moving to port 15118 next.
I've posted a brief analysis of it here:
Joe Stewart, GCIH
Senior Security Researcher