Security Incidents mailing list archives
RE: DDoS to microsoft sites
From: Dave Ockwell-Jenner <doj () silk solar-nexus com>
Date: Wed, 30 Jan 2002 14:27:39 -0500 (EST)
6667 may also be used by some APC UPS daemons common on some Windows systems. May want to try and simulate an IRC connect via telnet to see if it responds like an IRC server would. -- Dave Ockwell-Jenner On Wed, 30 Jan 2002, Adcock, Matt wrote:
I believe both tcp/6667 and tcp/6668 are both used for IRC. It would make sense that these are network aware. I know other IMs are. Matt -----Original Message----- From: Mike Lewinski [mailto:mike () rockynet com] We were able to get a port scan of the other client's infected box, and it too was running IIS and MS-SQL. However, in addition it also had tcp 6667/6668 open. Ironically, this same client's server was running Linux two years ago, and intruders installed an eggdrop bot there. I believe that incident (which totaled their machine before any data recovery was possible) caused them to look to a Microsoft solution.
---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- DDoS to microsoft sites Mike Lewinski (Jan 29)
- Re: DDoS to microsoft sites Bronek Kozicki (Jan 30)
- Re: DDoS to microsoft sites Mike Lewinski (Jan 30)
- Re: DDoS to microsoft sites Hugo van der Kooij (Jan 30)
- <Possible follow-ups>
- RE: DDoS to microsoft sites John Campbell (Jan 30)
- RE: DDoS to microsoft sites Adcock, Matt (Jan 30)
- RE: DDoS to microsoft sites H C (Jan 30)
- RE: DDoS to microsoft sites Jason Robertson (Jan 31)
- RE: DDoS to microsoft sites Adcock, Matt (Jan 30)
- RE: DDoS to microsoft sites Dave Ockwell-Jenner (Jan 30)
- Re: Re: DDoS to microsoft sites Mike Lewinski (Jan 31)
- Re: DDoS to microsoft sites Bronek Kozicki (Jan 30)