Security Basics mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Possible virus?

From: Joey Peloquin <jpelo1 () jcpenney com>
Date: Mon, 15 Dec 2003 13:32:09 -0600
Jennifer,

Port 6667 is used by IRC servers and many RATs.  69.50.163.130 traces
back to pyroshells.net, which hosts IRCd servers, among other services.

Good luck.

Joey Peloquin


-----Original Message-----
From: Jennifer Fountain [mailto:jfountain () rbinc com] 
Sent: Monday, December 15, 2003 8:47 AM
To: security-basics () securityfocus com
Subject: Possible virus?


Hi all,

I have been seeing a lot of strange traffic hitting my firewall and
cannot get a definite as to what it actually is.

Dec 15 01:42:35 fw.domain.com Dec 15 2003 01:37:38: %PIX-3-106011: Deny
inbound (No xlate) tcp src outside:69.50.163.130/6667 dst
outside:x.x.x.x/2363 Dec 14 10:56:43 fw.domain.com Dec 14 2003 10:51:55:
%PIX-3-106011: Deny inbound (No xlate) tcp src
outside:69.50.163.130/6667 dst outside:x.x.x.x/4001 Dec 13 23:00:15
fw.domain.com Dec 13 2003 22:55:34: %PIX-3-106011: Deny inbound (No
xlate) tcp src outside:69.50.163.130/6667 dst outside:x.x.x.x/2423 Dec
13 23:50:51 fw.domain.com Dec 13 2003 23:46:09: %PIX-4-106023: Deny tcp
src outside:68.34.60.101/6667 dst inside:x.x.x.x/1726 by access-group
"outside_access_in"


From what I am seeing, it is from the same ip and src port - 6667 but

going to different ip and dest ports.  I have seen this activity from
numerous hosts and a dig cannot find anything about them.

I have seen an massive increase of this traffic over the last couple of
days and can't find any conclusive evidence that it may be a virus in
the wild.  Has anyone else seen this type of traffic?

Any information is greatly appreciated.
Jenn

------------------------------------------------------------------------
---
------------------------------------------------------------------------
----


The information transmitted is intended only for the person or entity to
which it is addressed and may contain confidential and/or privileged
material.  If the reader of this message is not the intended recipient,
you are hereby notified that your access is unauthorized, and any review,
dissemination, distribution or copying of this message including any
attachments is strictly prohibited.   If you are not the intended
recipient, please contact the sender and delete the material from any
computer.


---------------------------------------------------------------------------
----------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: