Re: [fw-wiz] FW: OT? New compromise.

Victor Williams <vbwilliams@xxxxxxxxxx> wrote:

Port 1863 is the port for Microsoft's Instant Messenger client
communications. 1720 is default for later versions
these two pieces of functionality are integrated together.

It could appear to exist on Linux boxes because of any of a number of
Instant Messenger clients that come by default. I know GAIM and Kopete
are included by default with Fedora 4 and later and work with all the
major IM networks (MSN, Yahoo, ICQ, AIM).

The problem is, comments like "We've been finding it a lot when looking
at customers with spammy viruses.", "It's invisible on the local
machine" (Gaim certainly wouldn't be hiding from ps or netstat), "I
have several security sources and none of them have been able to
identify it", the ability to see it when nmap'ing from an external
host, but not from localhost, etc.

All of this struck me as exceedingly odd.

In MS systems, MSN IM client starts itself automatically unless you
specifically tell it not to. Likewise, even if you tell it not to,
loading MS Office 2003 or later will re-set it so that it starts
automatically again.

MS systems do a lot of things their users would prefer they not.

Note: My mail server employs *very* aggressive anti-spam
filtering. If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at <>.