Firewall Wizards mailing list archives

Previous By Date Next
Previous By Thread Next

Re: IRC ports open on NT4?

From: "Philip J. Koenig" <pjklist () ekahuna com>
Date: Mon, 16 Jul 2001 05:01:19 -0700
Thanks for everyone's suggestions - as Andrew and Jan suggested, 
those ports were indeed associated with APC Powerchute.

I also discovered the "Simple TCP/IP" service running and disabled 
it, removing a bunch of other open ports that served no particular 
purpose.

There is still something slightly strange going on, in this case some 
port 80 scans to another box, I'm going to post a separate query on 
that.


Phil



From: "Philip J. Koenig" <pjklist () ekahuna com>
Date: Sun, 15 Jul 2001 04:58:12 -0700

Have some suspicious stuff going on at a site and in my initial 
investigation I went to an NT server there and typed 'netstat -an' to 
see what was open, and found these curious entries:

TCP   0.0.0.0:6666            0.0.0.0:0                       LISTENING
TCP   0.0.0.0:6667            0.0.0.0:0                       LISTENING
[...]
TCP   127.0.0.1:6667          127.0.0.1:1043          ESTABLISHED
TCP   127.0.0.1:6666          127.0.0.1:1043          ESTABLISHED

That box runs the following services: Post.office (SMTP MTA), 
Interscan Viruswall, Filemaker Pro Server, and PC Anywhere host.

There is no IRC server on that box, and the Microsoft NNTP service is 
not running.  Why would it be listening on IRC ports?




--
Philip J. Koenig                                       pjklist () ekahuna com
Electric Kahuna Systems -- Computers & Communications for the New Millenium

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
Previous By Date Next
Previous By Thread Next

Current thread: