Security Basics mailing list archives
RE: irc port open on 6668/tcp and 6667/tcp
From: Charles Hamby <fixer () gci net>
Date: Tue, 11 Feb 2003 09:47:31 -0900
I agree; my college recently had a similar problem with a Windows 2000 DC that had been compromised and had an IRC bot dropped on it. You might also want to check http://www.dshield.org and go to the Dshield Reports, Subnet Reports and see if the IP address for the PDC (or for your company if you're using NAT) is reported as a known attacker. If so, it indicates (with a reasonably high degree of probability) that the server has been compromised. In our case we were able to discover that our server was compromised and was launching ISAKMP scans against other networks around the country.

Charles Hamby

-----Original Message-----
From: Nelson, Ernie [mailto:Ernie.Nelson () wizards com]
Sent: Tuesday, February 11, 2003 8:24 AM
To: Harish Gondavale; security-basics () securityfocus com
Subject: RE: irc port open on 6668/tcp and 6667/tcp

I'd grab the fport utility from http://www.foundstone.com/ and run it on the PDC to see what process is using those open ports.

Now my question is, why are these ports open on the PDC? Is there something suspicious? What should I do to find the exact reason?
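
The port-to-process mapping suggested in this thread, as an added example that is not part of the original posts: it parses saved output of `netstat -ano` and `tasklist /fo csv /nh` (the formats on current Windows versions are assumed) and lists every TCP socket that touches 6667 or 6668 with its owning process. The sample output, PIDs, addresses and the process name `msupd32.exe` are constructed.

```python
import csv
import io

IRC_PORTS = {6667, 6668}  # the two ports named in the thread

# Constructed samples of `netstat -ano` and `tasklist /fo csv /nh` output.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:6667           0.0.0.0:0              LISTENING       1432
  TCP    0.0.0.0:6668           0.0.0.0:0              LISTENING       1432
  TCP    10.0.0.5:1047          192.0.2.10:6667        ESTABLISHED     1432
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:500            *:*                                    712
"""
TASKLIST_SAMPLE = '''\
"System","4","Services","0","228 K"
"svchost.exe","884","Services","0","4,120 K"
"msupd32.exe","1432","Services","0","3,300 K"
'''

def port_of(endpoint):
    """Return the port from 'addr:port' or '[v6]:port', or None for '*:*'."""
    tail = endpoint.rsplit(":", 1)[-1]
    return int(tail) if tail.isdigit() else None

def pid_names(tasklist_csv):
    """Map PID -> image name from CSV tasklist output."""
    rows = csv.reader(io.StringIO(tasklist_csv))
    return {int(r[1]): r[0] for r in rows if len(r) >= 2 and r[1].isdigit()}

def irc_sockets(netstat_text, tasklist_csv, ports=IRC_PORTS):
    """List TCP sockets whose local or remote port is in `ports`, with owner."""
    names = pid_names(tasklist_csv)
    hits = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) != 5 or f[0] != "TCP" or not f[4].isdigit():
            continue  # headers, blank lines, UDP rows (no state column)
        local, remote, pid = port_of(f[1]), port_of(f[2]), int(f[4])
        if local in ports or remote in ports:
            hits.append((f[1], f[2], f[3], pid, names.get(pid, "<unknown>")))
    return hits

if __name__ == "__main__":
    for hit in irc_sockets(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(*hit)
```

Matching on the remote port as well as the local one also surfaces outbound connections to an IRC server, which is how a dropped bot would normally reach its channel.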