
Port 11768?

criddle
Newbie
Posts: 9
Registered: 06-10-2007

Port 11768?

Since yesterday, I'm suddenly seeing masses of port connection attempts on port 11768 from lots of different IP addresses. I suspect the addresses may be spoofed. My firewall is happily ignoring these, but they are filling my firewall logs up more than I would like.

Anybody have any idea what this is about? I've done some Googling and it appears to be very new. Most of the stuff I've read so far seems to be people asking if anybody knows what it is.
4 REPLIES
Community Veteran
Posts: 14,469
Registered: 30-07-2007

Port 11768?

Various other places / forums are reporting an increase of scans on that port, but what is doing it is, as yet, unknown.
N/A

Port 11768?

Not seen what it is but the port is something to do with SQL and reports indicate it may be connected to the PHP worm seen in December.

I'll let you know if I get any further information

Dave
criddle
Newbie
Posts: 9
Registered: 06-10-2007

Port 11768?

Yesterday seemed to be the peak. I have emailed a log sample to abuse@plus.net. I'm pretty sure the source IP address is spoofed. I've read reports elsewhere that there is a correlation between these and connection attempts on port 445, but I'm only seeing a handful. If the addresses are being spoofed, any correlation might just be coincidence.

Over the past few days I've seen:

8 Jan - 0 attempts
9 Jan - 2789 attempts from 1238 different addresses
10 Jan - 21759 attempts from 4415 different addresses
11 Jan - 9306 attempts from 2202 different addresses
(11th's log only goes to 7pm so far)
N/A

Port 11768?

A virus that opens a backdoor on 11768 and spreads via 445.

The virus is a modification of Net-Worm.Win32.DipNet (Net-Worm.Win32.DipNet.d). However, it seems that the previous modifications of the virus didn't listen on port 11768.

DipNet.a infects computers running under Windows. The worm itself is a Windows PE EXE file approximately 154KB in size, packed using UPX. The unpacked file is approximately 314KB in size.

The worm propagates by exploiting a vulnerability in Windows LSASS. This vulnerability is described in Microsoft Security Bulletin MS04-011.

Dave
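
The per-day tally in criddle's post and the reported link between port 11768 and port 445 can both be checked directly from a firewall log. The following is an added example, not part of the thread: it assumes iptables-style log lines, and the sample entries and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in iptables LOG style (assumed format; addresses are
# from the documentation ranges, not from the thread).
SAMPLE_LOG = """\
Jan  9 22:10:01 gw kernel: IN=ppp0 OUT= SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP SPT=3312 DPT=11768
Jan  9 22:10:04 gw kernel: IN=ppp0 OUT= SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP SPT=3313 DPT=11768
Jan 10 03:14:07 gw kernel: IN=ppp0 OUT= SRC=203.0.113.5 DST=192.0.2.1 PROTO=TCP SPT=4321 DPT=11768
Jan 10 03:14:09 gw kernel: IN=ppp0 OUT= SRC=203.0.113.5 DST=192.0.2.1 PROTO=TCP SPT=4322 DPT=445
Jan 10 04:00:00 gw kernel: IN=ppp0 OUT= SRC=203.0.113.9 DST=192.0.2.1 PROTO=TCP SPT=1044 DPT=11768
Jan 10 04:00:02 gw kernel: IN=ppp0 OUT= SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP SPT=3400 DPT=11768
Jan 10 05:30:00 gw kernel: IN=ppp0 OUT= SRC=198.51.100.44 DST=192.0.2.1 PROTO=UDP SPT=53 DPT=1025
this line is truncated SRC=
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s.*?"
    r"\bSRC=(?P<src>[0-9.]+)\b.*?\bDPT=(?P<dpt>\d+)\b"
)

def parse(lines):
    """Yield (day, source, destination port); skip lines that do not match."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield f"{int(m['day'])} {m['mon']}", m["src"], int(m["dpt"])

def daily_summary(lines, port):
    """Map day -> (attempts, distinct source addresses) for one port."""
    hits, sources = defaultdict(int), defaultdict(set)
    for day, src, dpt in parse(lines):
        if dpt == port:
            hits[day] += 1
            sources[day].add(src)
    return {day: (hits[day], len(sources[day])) for day in hits}

def sources_on_both(lines, port_a, port_b):
    """Addresses seen on both ports; with spoofing this overlap proves little."""
    seen = defaultdict(set)
    for _, src, dpt in parse(lines):
        seen[dpt].add(src)
    return seen[port_a] & seen[port_b]

if __name__ == "__main__":
    for day, (n, uniq) in daily_summary(SAMPLE_LOG, 11768).items():
        print(f"{day} - {n} attempts from {uniq} different addresses")
    print("also seen on 445:", sorted(sources_on_both(SAMPLE_LOG, 11768, 445)))
```
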