Security Basics mailing list archives
RE: Increase in traffic on port 20480 and 6667
From: "Trevor Cushen" <Trevor.Cushen () sysnet ie>
Date: Thu, 17 Oct 2002 14:22:53 +0100
If it is a Windows machine, use fport to see what EXE is opening the port. If it is Unix, then lsof will do the same job.

http://www.foundstone.com/knowledge/intrusion_detection.html

Note the port and file monitors, which might be useful in your investigation?!?

http://freshmeat.net/projects/lsof

Hope this helps

Trevor Cushen
Sysnet Ltd
www.sysnet.ie
Tel: +353 1 2983000
Fax: +353 1 2960499

-----Original Message-----
From: dsardina [mailto:dsardina () si rr com]
Sent: 15 October 2002 21:41
To: Kip Sr.; security-basics () securityfocus com
Subject: Re: Increase in traffic on port 20480 and 6667

I don't know much about port 20480, but 6667 is an attempt to connect to a mIRC Server. I don't know if 192.168.0.199 is a router IP or a PC, but if it's a PC, check to see if that PC has any IRC Server Software installed. (6667) is the default port for an IRC server.

Just my 2 cents
Good Luck~
DS-

----- Original Message -----
From: "Kip Sr." <kipsr1 () yahoo com>
To: <security-basics () securityfocus com>
Sent: Thursday, October 10, 2002 3:16 PM
Subject: Increase in traffic on port 20480 and 6667
Hi there,

In the past few days, my IDS has been picking up traffic coming from port 20480 (on Internet servers) to port 6667 (internal desktops). Both ports are commonly used by trojan horse programs. Has anyone else seen this?

10/10-11:50:01.977897 204.x.x.x:20480 -> 192.168.0.199:6667
TCP TTL:255 TOS:0x10 ID:0 IpLen:20 DgmLen:195

Thanks,
Kip Sr.
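The lsof check suggested in the reply above, as an added example that is not part of the original thread: a small filter that maps a TCP port to the process holding it. The sample lsof output is constructed (process names, PIDs and the 203.0.113.x addresses are made up), and the helper names `sample_lsof` and `port_owners` are hypothetical.

```shell
#!/bin/sh
# Added example: map a TCP port to the owning process from lsof output.

# Constructed sample of `lsof -nP -iTCP` output (process names, PIDs and the
# 203.0.113.x addresses are made up; 192.168.0.199 is the desktop in the post).
sample_lsof() {
    cat <<'EOF'
COMMAND  PID USER   FD  TYPE DEVICE SIZE/OFF NODE NAME
sshd     812 root    3u IPv4  10211      0t0  TCP *:22 (LISTEN)
ircd    2310 nobody  4u IPv4  18844      0t0  TCP *:6667 (LISTEN)
ircd    2310 nobody  7u IPv4  18902      0t0  TCP 192.168.0.199:6667->203.0.113.5:20480 (ESTABLISHED)
firefox 3051 user1  52u IPv4  19733      0t0  TCP 192.168.0.199:41022->203.0.113.80:443 (ESTABLISHED)
EOF
}

# port_owners PORT
# Reads lsof output on stdin and prints "command pid user endpoints state"
# for every socket whose local or remote port equals PORT.
port_owners() {
    awk -v port="$1" '
        $1 == "COMMAND" { next }              # skip the header row
        {
            n = split($9, ends, "->")         # NAME: local[->remote]
            hit = 0
            for (i = 1; i <= n; i++) {
                p = ends[i]
                sub(/.*:/, "", p)             # keep what follows the last colon
                if (p == port) hit = 1
            }
            if (hit) print $1, $2, $3, $9, $10
        }'
}

# Offline demo on the sample; on a live host run (as root, to see all users):
#   lsof -nP -iTCP | port_owners 6667
sample_lsof | port_owners 6667
```

A LISTEN row on 6667 means the desktop itself is running a service on that port, while an ESTABLISHED row identifies the process that owns the specific connection the IDS logged.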