Security Basics mailing list archives

RE: Increase in traffic on port 20480 and 6667


From: Chris Santerre <csanterre () MerchantsOverseas com>
Date: Thu, 17 Oct 2002 14:41:30 -0400

Ports 6666-6668 are also used by APC UPS software to manage the UPS. This
drove me nuts until I found out :)

But you're actually seeing traffic. So my best guess is that this is IRC
related. Which doesn't mean it's not a virus or trojan! Many DDoS programs
use IRC for controlling the zombies. Clean out that 192.168.0.199 machine.
Also try using filemon from sysinternals.com on it to find out what is
running.

Chris


-----Original Message-----
From: Kip Sr. [mailto:kipsr1 () yahoo com]
Sent: Thursday, October 10, 2002 3:16 PM
To: security-basics () securityfocus com
Subject: Increase in traffic on port 20480 and 6667


Hi there,

In the past few days, my IDS has been picking up
traffic coming from port 20480 (on Internet servers)
to port 6667 (internal desktops). Both ports are
commonly used by trojan horse programs. Has anyone
else seen this?

10/10-11:50:01.977897 204.x.x.x:20480 -> 192.168.0.199:6667
TCP TTL:255 TOS:0x10 ID:0 IpLen:20 DgmLen:195


Thanks,
Kip Sr.
