RE: Weird log entries...

["Michael Ward" <Mward () roseglen com>]

The following trojans run on those ports.  

port 6666 Dark Connection Inside, NetBus worm 
port 6667 ScheduleAgent, Trinity, WinSatan 
port 6669 Host Control, Vampire 

NetBus also runs on port 6667.

Does anyone know of any new trojans that run on these ports that people
may be heavily trolling for?

-Mike
-----Original Message-----
From: Kelly Martin [mailto:kmartin () pyrzqxgl org]
Sent: Thursday, March 28, 2002 8:47 AM
To: Josh Diakun; Incidents
Subject: Re: Weird log entries...


These are attempts to connect to IRC servers via HTTP-based proxy.  It
could
be people trying to hijack your proxy server (if you had one), but it
could
also be an IRC server you are connecting to proxy-scanning you.  Many
IRC
servers now scan incoming clients for unsafe proxy servers and K-line
those
that test positive.

Kelly

----- Original Message -----
From: "Josh Diakun" <joshd () superaje com>
To: "Incidents" <INCIDENTS () SECURITYFOCUS COM>
Sent: Thursday, March 28, 2002 4:06 AM
Subject: Weird log entries...


> Hello All,
>
> I was just shifting through my apache access log file and found some
weird
> entries that caught my attention.   After a quick search on the
security
focus
> mailing list archives I was unable to come up with anything...so maybe
someone
> out there could be of some help to explain to me what bug these users
are
> trying to exploit.  Here's the log entries:
>
> 216.133.249.14 - - [25/Mar/2002:03:28:09 -0500] "CONNECT
151.189.12.20:6669
> HTTP/1.0" 401 469
> 66.140.25.157 - - [25/Mar/2002:03:32:05 -0500] "CONNECT
198.186.203.27:6667
> HTTP/1.0" 401 469
> 130.228.230.161 - - [25/Mar/2002:23:20:56 -0500] "CONNECT
151.189.12.20:6669
> HTTP/1.0" 401 469
> 130.228.230.161 - - [26/Mar/2002:03:30:48 -0500] "CONNECT
151.189.12.20:6669
> HTTP/1.0" 401 469
> 193.109.122.5 - - [26/Mar/2002:09:46:19 -0500] "CONNECT
193.109.122.7:2048/
> HTTP/1.1" 400 344
> 217.10.143.54 - - [26/Mar/2002:16:38:40 -0500] "CONNECT
151.189.12.20:6669
> HTTP/1.0" 401 469
> 66.140.25.157 - - [26/Mar/2002:16:56:07 -0500] "CONNECT
198.186.203.27:6667
> HTTP/1.0" 401 469
> 217.10.143.54 - - [27/Mar/2002:00:49:18 -0500] "CONNECT
151.189.12.20:6669
> HTTP/1.0" 401 469
> 217.10.143.54 - - [27/Mar/2002:02:20:27 -0500] "CONNECT
151.189.12.20:6669
> HTTP/1.0" 401 469
>
>
> And then of course there were many, many other entries of the same
sort.
I
> understand the basics of what they are trying to accomplish
(connecting to
an
> outside source through my machine...in most of these cases, and IRC
> server)...but Ive never really seen this bug, except for the multiple
hits
> over the last two/three weeks.  If someone could care to elaborate,
that
would
> be greatly appreciated.  Thanks in advance.
>
> Sincerely,
>
> Josh Diakun
> ACPO Development Team Member
> http://www.antichildporn.org
> http://www.joshd.ca
------------------------------------------------------------------------
--
--
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com


------------------------------------------------------------------------
----
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com