[Dshield] What's up with 11784?

Jeff Kell jeff-kell at utc.edu
Sun Jun 26 00:14:12 GMT 2005


Jeff Kell wrote:
> This odd port 11784 has shown up in my top ten list the past few
> days.  Any idea what's up?  I'm out of the office and can't get a
> pcap easily right now, but if nobody else has any ideas, I'll see
> what I can find out.

I have pcaps, but nothing obvious (just SYNs hitting my tarpit).  The sources vary widely, but now each of the sources hits both ports 11784 and 17313.

DShield port data shows spikes on each, and I don't think I'm the one submitting all of them :-)

http://isc.sans.org/port_details.php?port=11784
http://isc.sans.org/port_details.php?port=17313

This is *really* weird and looks like something is afoot.

They're targeting 208/8 space (I have other sensors on other subnets that aren't showing similar traffic).

Jeff

