Security Basics mailing list archives

Re: Possible virus?
From: DRW Customer Service <support () drw net>
Date: Mon, 15 Dec 2003 14:26:18 -0500


Jennifer,

Could be an Eggdrop script running on one of your servers that is causing this traffic.
Port 6667 is used for IRC (Internet Relay Chat).

Looks like it is on the box with the IP 69.50.163.130
Check the running processes on the box and look for anomalies.

Dinesh


****

At 09:46 AM 12/15/03 -0500, Jennifer Fountain wrote:
Hi all,

I have been seeing a lot of strange traffic hitting my firewall and
cannot get a definite as to what it actually is.

Dec 15 01:42:35 fw.domain.com Dec 15 2003 01:37:38: %PIX-3-106011: Deny inbound (No xlate) tcp src outside:69.50.163.130/6667 dst outside:x.x.x.x/2363
Dec 14 10:56:43 fw.domain.com Dec 14 2003 10:51:55: %PIX-3-106011: Deny inbound (No xlate) tcp src outside:69.50.163.130/6667 dst outside:x.x.x.x/4001
Dec 13 23:00:15 fw.domain.com Dec 13 2003 22:55:34: %PIX-3-106011: Deny inbound (No xlate) tcp src outside:69.50.163.130/6667 dst outside:x.x.x.x/2423
Dec 13 23:50:51 fw.domain.com Dec 13 2003 23:46:09: %PIX-4-106023: Deny tcp src outside:68.34.60.101/6667 dst inside:x.x.x.x/1726 by access-group "outside_access_in"

From what I am seeing, it is from the same ip and src port - 6667 but
going to different ip and dest ports.  I have seen this activity from
numerous hosts and a dig cannot find anything about them.

I have seen a massive increase of this traffic over the last couple of
days and can't find any conclusive evidence that it may be a virus in
the wild.  Has anyone else seen this type of traffic?

Any information is greatly appreciated.
Jenn
