Re: IRC ports open on NT4?

[m p <sumirati () yahoo de>]

Hi Philip,

i read to late that you discovered already what was going on. The port usage of
the UPS service was new to me.

I don't know if every trojan/DDoS client written at home is 'known' by public.
So i send you the link to Gibsons page about what can be done on this port.
Nothing more was meant.

And yes, computer security industry lives from giving the people a feeling of
danger. (Like selling someone an insurance ;))

Steve is fighting his private war. I'm not in the position to judge about it. I
mentioned the page only to bring the idea of this possible "trojan/DDoS attack"
to you.

Best regards,

Marc


--- "Philip J. Koenig" <pjklist () ekahuna com> schrieb: > As much as I think
Steve Gibson has done some good things, I think 
> his crusade on the denial-of-service stuff gets more self-serving by 
> the day.
>
> It's a nice tutorial for people that don't know what DoS is all about 
> (especially all those home users with broadband connections whose 
> machines often get used as zombies), but when all is said and done, 
> he profits from the hysteria he generates too.
>
> Seems to be a common topic these days in the security industry.  The 
> Register sums it up nicely by comparing it to the mafia: implicitly 
> threatening you while simultaneously charging you protection money.  
>
> The antivirus companies have been accused of this for years, and now 
> we have all the "bug hunters" who can't seem to wait 5 minutes before 
> shouting from all the rooftops about some newly-discovered 
> vulnerability.  Many of them seem only to have their own notoriety in 
> mind.
>
>
> Phil
>
> (PS: We already concluded the ports were opened by APC's PowerChute 
> UPS monitoring software.)
>
>
>
> On 24 Jul 2001, at 19:24, m p boldly uttered: 
>
> > Hi Phili,
> >
> > take a look at 
> >
> > http://grc.com/dos/grcdos.htm
> >
> > It is a nice description about new flooding networks build by various
> people on
> > the net. And how they are used.
> >
> > Just my 2 Cent
> >
> > Marc
> >
> >
> >
> >  --- "Philip J. Koenig" <pjklist () ekahuna com> schrieb: > Have some
> suspicious
> > stuff going on at a site and in my initial 
> > > investigation I went to an NT server there and typed 'netstat -an' to 
> > > see what was open, and found these curious entries:
> > >
> > > TCP       0.0.0.0:6666            0.0.0.0:0                       LISTENING
> > > TCP       0.0.0.0:6667            0.0.0.0:0                       LISTENING
> > > [...]
> > > TCP       127.0.0.1:6667          127.0.0.1:1043          ESTABLISHED
> > > TCP       127.0.0.1:6666          127.0.0.1:1043          ESTABLISHED
> > >
> > > That box runs the following services: Post.office (SMTP MTA), 
> > > Interscan Viruswall, Filemaker Pro Server, and PC Anywhere host.
> > >
> > > There is no IRC server on that box, and the Microsoft NNTP service is 
> > > not running.  Why would it be listening on IRC ports?
> > >
> > > Thanks,
> > >
> > >
> > > Phil
>
>
>
> --
> Philip J. Koenig                                       pjklist () ekahuna com
> Electric Kahuna Systems -- Computers & Communications for the New Millenium
>  

__________________________________________________________________
Do You Yahoo!?
Gesendet von Yahoo! Mail - http://mail.yahoo.de
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards