Security Basics mailing list archives

RE: irc port open on 6668/tcp and 6667/tcp

From: Charles Hamby <fixer () gci net>
Date: Tue, 11 Feb 2003 09:47:31 -0900

I agree; my college recently had a similar problem with a Windows 2000
DC that had been compromised and had an IRC bot dropped on it.  You
might also want to check http://www.dshield.org and go to the Dshield
Reports, Subnet Reports and see if the IP address for the PDC (or for
your company if you're using NAT) is reported as a known attacker).  If
so, it indicates (with a reasonably high degree of probability) that the
server has been compromised.  In our case we were able to discover that
our server was compromised and was launching ISAKMP scans against other
networks around the country.

Charles Hamby


-----Original Message-----
From: Nelson, Ernie [mailto:Ernie.Nelson () wizards com] 
Sent: Tuesday, February 11, 2003 8:24 AM
To: Harish Gondavale; security-basics () securityfocus com
Subject: RE: irc port open on 6668/tcp and 6667/tcp

I'd grab the fport utility from http://www.foundstone.com/ and run it on
the PDC to see what process is using those open ports.

Now my question is, why these port are open on PDC? Is
there something suspicious? What should I do to find
the exact reason?

Current thread:

RE: irc port open on 6668/tcp and 6667/tcp Nelson, Ernie (Feb 11)
- RE: irc port open on 6668/tcp and 6667/tcp Charles Hamby (Feb 12)
- <Possible follow-ups>
- RE: irc port open on 6668/tcp and 6667/tcp Michael Parker (Feb 12)
- RE: irc port open on 6668/tcp and 6667/tcp Zimin, Alex (Feb 12)
- RE: irc port open on 6668/tcp and 6667/tcp Wolf, Glenn (Feb 12)
- RE: irc port open on 6668/tcp and 6667/tcp Chris Santerre (Feb 13)