Security Basics mailing list archives
RE: Possible virus?
From: Joey Peloquin <jpelo1 () jcpenney com>
Date: Mon, 15 Dec 2003 13:32:09 -0600
Jennifer, Port 6667 is used by IRC servers and many RATs. 69.50.163.130 traces back to pyroshells.net, which hosts IRCd servers, among other services. Good luck. Joey Peloquin -----Original Message----- From: Jennifer Fountain [mailto:jfountain () rbinc com] Sent: Monday, December 15, 2003 8:47 AM To: security-basics () securityfocus com Subject: Possible virus? Hi all, I have been seeing a lot of strange traffic hitting my firewall and cannot get a definite as to what it actually is. Dec 15 01:42:35 fw.domain.com Dec 15 2003 01:37:38: %PIX-3-106011: Deny inbound (No xlate) tcp src outside:69.50.163.130/6667 dst outside:x.x.x.x/2363 Dec 14 10:56:43 fw.domain.com Dec 14 2003 10:51:55: %PIX-3-106011: Deny inbound (No xlate) tcp src outside:69.50.163.130/6667 dst outside:x.x.x.x/4001 Dec 13 23:00:15 fw.domain.com Dec 13 2003 22:55:34: %PIX-3-106011: Deny inbound (No xlate) tcp src outside:69.50.163.130/6667 dst outside:x.x.x.x/2423 Dec 13 23:50:51 fw.domain.com Dec 13 2003 23:46:09: %PIX-4-106023: Deny tcp src outside:68.34.60.101/6667 dst inside:x.x.x.x/1726 by access-group "outside_access_in"
From what I am seeing, it is from the same ip and src port - 6667 but
going to different ip and dest ports. I have seen this activity from numerous hosts and a dig cannot find anything about them. I have seen an massive increase of this traffic over the last couple of days and can't find any conclusive evidence that it may be a virus in the wild. Has anyone else seen this type of traffic? Any information is greatly appreciated. Jenn ------------------------------------------------------------------------ --- ------------------------------------------------------------------------ ----
The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. If the reader of this message is not the intended recipient, you are hereby notified that your access is unauthorized, and any review, dissemination, distribution or copying of this message including any attachments is strictly prohibited. If you are not the intended recipient, please contact the sender and delete the material from any computer.
--------------------------------------------------------------------------- ----------------------------------------------------------------------------
Current thread:
- Possible virus? Jennifer Fountain (Dec 15)
- Re: Possible virus? DRW Customer Service (Dec 15)
- RE: Possible virus? Mike (Dec 16)
- Re: Possible virus? Melvin Foong (Dec 15)
- Re: Possible virus? Devilscrow Sr (Dec 15)
- RE: Possible virus? Joey Peloquin (Dec 15)
- <Possible follow-ups>
- Re: Possible virus? Dinesh (Dec 15)
- RE: Possible virus? Srecko Jovancevic (Dec 16)
- RE: Possible virus? Spencer D'oro (Dec 18)
- RE: Possible virus? Srecko Jovancevic (Dec 16)
- RE: Possible virus? Melvin Foong (Dec 16)
- Re: Possible virus? DRW Customer Service (Dec 15)