Security Basics mailing list archives

Re: Possible virus?


From: Melvin Foong <melvin.foong () codebeat net>
Date: Tue, 16 Dec 2003 07:27:35 +0800

Hi,

The traffic that you are seeing is going to an IRC network called the Addictz Network. Here is the output from my IRC client. Hope this helps.

--
Welcome to the Addictz Network l33t-hax0r!myr0n@10.10.10.10
You are connected to blacksheep.sf.us.addictz.net[blacksheep.sf.us.addictz.net/6667], running version LiquidIRCd-1.0(04)(shiva)
This server was created Thu Nov 20 2003 at 12:22:57 GMT
blacksheep.sf.us.addictz.net LiquidIRCd-1.0(04)(shiva) oOiwscrkKnfydaAbgheFxXjzNTCW biklLmMnNoprRstvcS NOQUIT WATCH=128 SAFELIST MODES=6 MAXCHANNELS=10 MAXBANS=100 NICKLEN=30 TOPICLEN=307 KICKLEN=307 CHANTYPES=# PREFIX=(qaohVv)!*@%=+ NETWORK=Addictz SILENCE=10 CASEMAPPING=ascii CHANMODES=b,kL,l,cimMnNOpQrRsStU are supported by this server
There are 23 users and 6477 invisible on 22 servers
36 IRC Operators online
516 channels formed
I have 609 clients and 1 servers
Current local users: 609 Max: 1469
Current global users: 6500 Max: 8069
[07:24] -blacksheep.sf.us.addictz.net- *** Notice -- motd was last changed at 20/11/2003 12:22
[07:24] -blacksheep.sf.us.addictz.net- *** Notice -- Please read the motd if you haven't read it
Message of the Day, blacksheep.sf.us.addictz.net
- *** This is the short motd ***
End of /MOTD command.
[07:24] -blacksheep.sf.us.addictz.net- *** Notice -- This server runs an open proxy monitor to prevent abuse.
[07:24] -blacksheep.sf.us.addictz.net- *** Notice -- If you see connections on various ports from bot.addictz.net
[07:24] -blacksheep.sf.us.addictz.net- *** Notice -- please disregard them, as they are the monitor in action.
[07:24] -blacksheep.sf.us.addictz.net- *** Notice -- For more information please visit http://kline.dal.net/proxy
[07:24] * Cute-Guy78 sets mode: +iz
[07:24] -Global- [Logon News - Oct 18 2003] If you haven't already done so, Please register your nick by typing /msg nickserv register password your () email com
[07:24] -opsb- Your Host is being Scanned for Open Proxies
* No one in your notify list is on IRC
[07:24] Local host: unknown (10.10.10.10)

At 10:46 PM 12/15/2003, you wrote:
Hi all,

I have been seeing a lot of strange traffic hitting my firewall and
cannot get a definite as to what it actually is.

Dec 15 01:42:35 fw.domain.com Dec 15 2003 01:37:38: %PIX-3-106011: Deny
inbound (No xlate) tcp src outside:69.50.163.130/6667 dst
outside:x.x.x.x/2363
Dec 14 10:56:43 fw.domain.com Dec 14 2003 10:51:55: %PIX-3-106011: Deny
inbound (No xlate) tcp src outside:69.50.163.130/6667 dst
outside:x.x.x.x/4001
Dec 13 23:00:15 fw.domain.com Dec 13 2003 22:55:34: %PIX-3-106011: Deny
inbound (No xlate) tcp src outside:69.50.163.130/6667 dst
outside:x.x.x.x/2423
Dec 13 23:50:51 fw.domain.com Dec 13 2003 23:46:09: %PIX-4-106023: Deny
tcp src outside:68.34.60.101/6667 dst inside:x.x.x.x/1726 by
access-group "outside_access_in"

From what I am seeing, it is from the same ip and src port - 6667 but
going to different ip and dest ports.  I have seen this activity from
numerous hosts and a dig cannot find anything about them.

I have seen a massive increase of this traffic over the last couple of
days and can't find any conclusive evidence that it may be a virus in
the wild.  Has anyone else seen this type of traffic?

Any information is greatly appreciated.
Jenn

---------------------------------------------------------------------------
----------------------------------------------------------------------------

Thank you.


  Regards,
  Melvin Foong
  Mobile  : +6012-6306890
  Email  :  melvin.foong () codebeat net
http://www.codebeat.net - Watch out for this space !
