RE: irc port open on 6668/tcp and 6667/tcp
From: Charles Hamby (fixer@gci.net)
Date: 02/11/03
Date: Tue, 11 Feb 2003 09:47:31 -0900
From: Charles Hamby <fixer@gci.net>
To: security-basics@securityfocus.com
I agree; my college recently had a similar problem with a Windows 2000
DC that had been compromised and had an IRC bot dropped on it. You
might also want to check http://www.dshield.org and go to the Dshield
Reports, Subnet Reports and see if the IP address for the PDC (or for
your company if you're using NAT) is reported as a known attacker. If
so, it indicates (with a reasonably high degree of probability) that the
server has been compromised. In our case we were able to discover that
our server was compromised and was launching ISAKMP scans against other
networks around the country.
Charles Hamby
-----Original Message-----
From: Nelson, Ernie [mailto:Ernie.Nelson@wizards.com]
Sent: Tuesday, February 11, 2003 8:24 AM
To: Harish Gondavale; security-basics@securityfocus.com
Subject: RE: irc port open on 6668/tcp and 6667/tcp
I'd grab the fport utility from http://www.foundstone.com/ and run it on
the PDC to see what process is using those open ports.
> Now my question is, why these port are open on PDC? Is
> there something suspicious? What should I do to find
> the exact reason?
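
A present-day version of the port-to-process check suggested in this thread, as an added example that is not part of the original messages. It assumes the saved output of Windows `netstat -ano` (which lists the owning PID per socket); the sample rows are constructed and the function names are illustrative.

```python
import re

IRC_PORTS = {6667, 6668}  # the two ports reported open in this thread

# Constructed sample of `netstat -ano` output (not captured from a real host).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    0.0.0.0:6667           0.0.0.0:0              LISTENING       3124
  TCP    [::]:6668              [::]:0                 LISTENING       3124
  TCP    10.0.0.5:6667          192.0.2.44:51820       ESTABLISHED     3124
  TCP    10.0.0.5:49712         198.51.100.7:6667      ESTABLISHED     2260
  UDP    0.0.0.0:500            *:*                                    716
"""

def port_of(endpoint):
    """Return the port from 'addr:port' or '[v6]:port', or None for '*:*'."""
    m = re.search(r":(\d+)$", endpoint)
    return int(m.group(1)) if m else None

def find_irc_sockets(netstat_text, ports=IRC_PORTS):
    """Return (kind, local, remote, pid) for TCP sockets touching the given ports."""
    hits = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # TCP rows have five columns; headers and UDP rows (no State) are skipped.
        if len(fields) != 5 or fields[0] != "TCP":
            continue
        _, local, remote, state, pid = fields
        if port_of(local) in ports:
            # This host is serving on an IRC port, or a peer is connected to it.
            kind = "listener" if state == "LISTENING" else "inbound"
        elif port_of(remote) in ports:
            # This host is a client of a remote IRC port (typical bot behaviour).
            kind = "outbound"
        else:
            continue
        hits.append((kind, local, remote, int(pid)))
    return hits

def pids_to_inspect(hits):
    """Unique PIDs behind the flagged sockets, for follow-up on the host."""
    return sorted({pid for _, _, _, pid in hits})

if __name__ == "__main__":
    for hit in find_irc_sockets(SAMPLE):
        print(hit)
```

Each PID returned by `pids_to_inspect` can then be resolved to an executable on the host, for example with `tasklist /FI "PID eq <pid>"`.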