Firewall Wizards mailing list archives

Re: IRC ports open on NT4?


From: rob.roberson () verizon com
Date: Mon, 16 Jul 2001 08:07:01 -0400


The first thing that comes to mind about that is that maybe you've been
compromised by an IRC trojan. Not a very good one though, if it's still
listening on the default IRC port...

~Rob Roberson
SPEC - Systems Analyst
Verizon Data Services


                                                                                                                        
                       
pjklist@ekahuna.com
07/15/2001 07:58 AM
Please respond to pjklist

To:      firewall-wizards () nfr com
cc:
Subject: [fw-wiz] IRC ports open on NT4?

Have some suspicious stuff going on at a site and in my initial
investigation I went to an NT server there and typed 'netstat -an' to
see what was open, and found these curious entries:

TCP  0.0.0.0:6666        0.0.0.0:0            LISTENING
TCP  0.0.0.0:6667        0.0.0.0:0            LISTENING
[...]
TCP  127.0.0.1:6667      127.0.0.1:1043       ESTABLISHED
TCP  127.0.0.1:6666      127.0.0.1:1043       ESTABLISHED

That box runs the following services: Post.office (SMTP MTA),
Interscan Viruswall, Filemaker Pro Server, and PC Anywhere host.

There is no IRC server on that box, and the Microsoft NNTP service is
not running.  Why would it be listening on IRC ports?

Thanks,


Phil



--
Philip J. Koenig                                       pjklist () ekahuna com
Electric Kahuna Systems -- Computers & Communications for the New Millenium

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
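
The check described in the thread, as an added example that is not part of either poster's message: it parses 'netstat -an' output, flags TCP listeners that are not on an expected-port list, and shows which peers are connected to each. The allowlist (port 25 for the SMTP MTA) and the extra port-25 sample row are assumptions made here; the remaining sample rows are the ones quoted in the post.

```python
import re

# Constructed sample: the netstat -an rows quoted in the post, plus one
# SMTP listener added here so the allowlist has something to match.
SAMPLE = """\
TCP  0.0.0.0:25          0.0.0.0:0            LISTENING
TCP  0.0.0.0:6666        0.0.0.0:0            LISTENING
TCP  0.0.0.0:6667        0.0.0.0:0            LISTENING
[...]
TCP  127.0.0.1:6667      127.0.0.1:1043       ESTABLISHED
TCP  127.0.0.1:6666      127.0.0.1:1043       ESTABLISHED
"""

# Assumption: TCP ports the administrator expects on this host (25 = SMTP).
# Replace with the documented ports of the services actually installed.
EXPECTED_TCP = {25}

# proto, local addr:port, foreign addr:port (UDP shows *:*), optional state
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+|\*)\s*(\S*)\s*$")

def parse(text):
    """Yield (proto, local_ip, local_port, remote_ip, remote_port, state)."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # elisions such as "[...]" and header lines are skipped
            proto, lip, lport, rip, rport, state = m.groups()
            yield proto, lip, int(lport), rip, rport, state

def triage(text, expected=EXPECTED_TCP):
    """Return unexpected TCP listeners and the peers connected to each."""
    rows = list(parse(text))
    report = {}
    for proto, lip, lport, _, _, state in rows:
        if proto == "TCP" and state == "LISTENING" and lport not in expected:
            report[lport] = {"bind": lip, "peers": []}
    for proto, _, lport, rip, rport, state in rows:
        if proto == "TCP" and state == "ESTABLISHED" and lport in report:
            report[lport]["peers"].append(f"{rip}:{rport}")
    return report

if __name__ == "__main__":
    for port, info in sorted(triage(SAMPLE).items()):
        print(port, info["bind"], info["peers"] or "no peers")
```

On the quoted output this reports 6666 and 6667 bound to all interfaces, each with a single peer on 127.0.0.1, so whatever is connected to them is running on the same box.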




