Re: IRC ports open on NT4?

[hermit1 <hermits () mac com>]

Both of those ports are default ports for some nasty Trojan programs, 
implying it is about time for you to reformat your disk and reinstall 
whatever programs *you* want running.  There are many web sites that 
explain the various Trojans that use these ports.  You may not be infected, 
but given the ports you name, you probably are. Take a look at other 
machines you have that might be infected and see what ports they are 
listening on, and use other methods to look for possible problems.

hermit1

At 04:58 AM 7/15/01 -0700, Philip J. Koenig wrote:
> Have some suspicious stuff going on at a site and in my initial
> investigation I went to an NT server there and typed 'netstat -an' to
> see what was open, and found these curious entries:
>
> TCP     0.0.0.0:6666            0.0.0.0:0                       LISTENING
> TCP     0.0.0.0:6667            0.0.0.0:0                       LISTENING
> [...]
> TCP     127.0.0.1:6667          127.0.0.1:1043          ESTABLISHED
> TCP     127.0.0.1:6666          127.0.0.1:1043          ESTABLISHED
>
> That box runs the following services: Post.office (SMTP MTA),
> Interscan Viruswall, Filemaker Pro Server, and PC Anywhere host.
>
> There is no IRC server on that box, and the Microsoft NNTP service is
> not running.  Why would it be listening on IRC ports?
>
> Thanks,
>
>
> Phil
>
>
>
> --
> Philip J. Koenig                                       pjklist () ekahuna com
> Electric Kahuna Systems -- Computers & Communications for the New Millenium
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () nfr com
> http://www.nfr.com/mailman/listinfo/firewall-wizards

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards