Security Basics mailing list archives
Re: Possible virus?
From: Melvin Foong <melvin.foong () codebeat net>
Date: Tue, 16 Dec 2003 07:27:35 +0800
Hi,

The traffic that you are seeing is going to an IRC network called Addictz Network. Here is the output from my IRC client. Hope this helps.
-- Welcome to the Addictz Network l33t-hax0r!myr0n@10.10.10.10
You are connected to blacksheep.sf.us.addictz.net[blacksheep.sf.us.addictz.net/6667], running version LiquidIRCd-1.0(04)(shiva)
This server was created Thu Nov 20 2003 at 12:22:57 GMT
blacksheep.sf.us.addictz.net LiquidIRCd-1.0(04)(shiva) oOiwscrkKnfydaAbgheFxXjzNTCW biklLmMnNoprRstvcS
NOQUIT WATCH=128 SAFELIST MODES=6 MAXCHANNELS=10 MAXBANS=100 NICKLEN=30 TOPICLEN=307 KICKLEN=307 CHANTYPES=# PREFIX=(qaohVv)!*@%=+ NETWORK=Addictz SILENCE=10 CASEMAPPING=ascii CHANMODES=b,kL,l,cimMnNOpQrRsStU are supported by this server
There are 23 users and 6477 invisible on 22 servers
36 IRC Operators online
516 channels formed
I have 609 clients and 1 servers
Current local users: 609 Max: 1469
Current global users: 6500 Max: 8069
[07:24] -blacksheep.sf.us.addictz.net- *** Notice -- motd was last changed at 20/11/2003 12:22
[07:24] -blacksheep.sf.us.addictz.net- *** Notice -- Please read the motd if you haven't read it
Message of the Day, blacksheep.sf.us.addictz.net - *** This is the short motd ***
End of /MOTD command.
[07:24] -blacksheep.sf.us.addictz.net- *** Notice -- This server runs an open proxy monitor to prevent abuse.
[07:24] -blacksheep.sf.us.addictz.net- *** Notice -- If you see connections on various ports from bot.addictz.net
[07:24] -blacksheep.sf.us.addictz.net- *** Notice -- please disregard them, as they are the monitor in action.
[07:24] -blacksheep.sf.us.addictz.net- *** Notice -- For more information please visit http://kline.dal.net/proxy
[07:24] * Cute-Guy78 sets mode: +iz
[07:24] -Global- [Logon News - Oct 18 2003] If you haven't already done so, Please register your nick by typing /msg nickserv register password your () email com
[07:24] -opsb- Your Host is being Scanned for Open Proxies
* No one in your notify list is on IRC
[07:24] Local host: unknown (10.10.10.10)

At 10:46 PM 12/15/2003, you wrote:

Hi all,

I have been seeing a lot of strange traffic hitting my firewall and cannot get a definite as to what it actually is.

Dec 15 01:42:35 fw.domain.com Dec 15 2003 01:37:38: %PIX-3-106011: Deny inbound (No xlate) tcp src outside:69.50.163.130/6667 dst outside:x.x.x.x/2363
Dec 14 10:56:43 fw.domain.com Dec 14 2003 10:51:55: %PIX-3-106011: Deny inbound (No xlate) tcp src outside:69.50.163.130/6667 dst outside:x.x.x.x/4001
Dec 13 23:00:15 fw.domain.com Dec 13 2003 22:55:34: %PIX-3-106011: Deny inbound (No xlate) tcp src outside:69.50.163.130/6667 dst outside:x.x.x.x/2423
Dec 13 23:50:51 fw.domain.com Dec 13 2003 23:46:09: %PIX-4-106023: Deny tcp src outside:68.34.60.101/6667 dst inside:x.x.x.x/1726 by access-group "outside_access_in"

From what I am seeing, it is from the same ip and src port - 6667 but going to different ip and dest ports. I have seen this activity from numerous hosts and a dig cannot find anything about them. I have seen a massive increase of this traffic over the last couple of days and can't find any conclusive evidence that it may be a virus in the wild. Has anyone else seen this type of traffic? Any information is greatly appreciated.

Jenn

Thank you.

Regards,
Melvin Foong
Mobile : +6012-6306890
Email : melvin.foong () codebeat net
http://www.codebeat.net - Watch out for this space !
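
One way to triage firewall syslog like the lines quoted in this message is to group the PIX deny records by source address and source port and list the destination ports each source reached. This is an added example, not part of the original post: the log lines are copied from the quoted message, and the IRC_PORTS set and function names are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Assumption: ports treated as "IRC server" ports; only 6667 appears in the thread.
IRC_PORTS = {6667}

# Matches the two PIX deny messages quoted in the thread (106011 and 106023).
DENY_RE = re.compile(
    r"%PIX-\d-(?P<msg_id>106011|106023): Deny (?:inbound \(No xlate\) )?"
    r"(?P<proto>\w+) src \w+:(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst \w+:(?P<dst_ip>[\w.]+)/(?P<dst_port>\d+)"
)

# Log lines as quoted in the message (destination addresses were masked there).
SAMPLE = """\
Dec 15 01:42:35 fw.domain.com Dec 15 2003 01:37:38: %PIX-3-106011: Deny inbound (No xlate) tcp src outside:69.50.163.130/6667 dst outside:x.x.x.x/2363
Dec 14 10:56:43 fw.domain.com Dec 14 2003 10:51:55: %PIX-3-106011: Deny inbound (No xlate) tcp src outside:69.50.163.130/6667 dst outside:x.x.x.x/4001
Dec 13 23:00:15 fw.domain.com Dec 13 2003 22:55:34: %PIX-3-106011: Deny inbound (No xlate) tcp src outside:69.50.163.130/6667 dst outside:x.x.x.x/2423
Dec 13 23:50:51 fw.domain.com Dec 13 2003 23:46:09: %PIX-4-106023: Deny tcp src outside:68.34.60.101/6667 dst inside:x.x.x.x/1726 by access-group "outside_access_in"
"""

def parse_deny(line):
    """Return the fields of one PIX deny record, or None if the line is something else."""
    m = DENY_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["src_port"] = int(rec["src_port"])
    rec["dst_port"] = int(rec["dst_port"])
    return rec

def summarize(lines):
    """Map (src_ip, src_port) to the sorted destination ports that source was denied on."""
    groups = defaultdict(set)
    for line in lines:
        rec = parse_deny(line)
        if rec is not None:
            groups[(rec["src_ip"], rec["src_port"])].add(rec["dst_port"])
    return {key: sorted(ports) for key, ports in groups.items()}

def irc_port_sources(summary):
    """Source addresses whose denied packets came from a port listed in IRC_PORTS."""
    return sorted({ip for (ip, port) in summary if port in IRC_PORTS})

if __name__ == "__main__":
    summary = summarize(SAMPLE.splitlines())
    for (ip, port), dports in summary.items():
        print(f"{ip}:{port} -> denied on destination ports {dports}")
    print("sources using an IRC port:", irc_port_sources(summary))
```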