Home page logo
/

basics logo Security Basics mailing list archives

Re: Possible virus?
From: Melvin Foong <melvin.foong () codebeat net>
Date: Tue, 16 Dec 2003 07:27:35 +0800

Hi,

The traffic that you are seeing are going to an IRC network, called Addictz Network. Here are the output from my IRC Client. Hope this helps.

--
Welcome to the Addictz Network l33t-hax0r!myr0n () 10 10 10 10
You are connected to blacksheep.sf.us.addictz.net[blacksheep.sf.us.addictz.net/6667], running version LiquidIRCd-1.0(04)(shiva)
This server was created Thu Nov 20 2003 at 12:22:57 GMT
blacksheep.sf.us.addictz.net LiquidIRCd-1.0(04)(shiva) oOiwscrkKnfydaAbgheFxXjzNTCW biklLmMnNoprRstvcS NOQUIT WATCH=128 SAFELIST MODES=6 MAXCHANNELS=10 MAXBANS=100 NICKLEN=30 TOPICLEN=307 KICKLEN=307 CHANTYPES=# PREFIX=(qaohVv)!* () %=+ NETWORK=Addictz SILENCE=10 CASEMAPPING=ascii CHANMODES=b,kL,l,cimMnNOpQrRsStU are supported by this server
There are 23 users and 6477 invisible on 22 servers
36 IRC Operators online
516 channels formed
I have 609 clients and 1 servers
Current local users: 609 Max: 1469
Current global users: 6500 Max: 8069
[07:24] -blacksheep.sf.us.addictz.net- *** Notice -- motd was last changed at 20/11/2003 12:22 [07:24] -blacksheep.sf.us.addictz.net- *** Notice -- Please read the motd if you haven't read it
Message of the Day, blacksheep.sf.us.addictz.net
- *** This is the short motd ***
End of /MOTD command.
[07:24] -blacksheep.sf.us.addictz.net- *** Notice -- This server runs an open proxy monitor to prevent abuse. [07:24] -blacksheep.sf.us.addictz.net- *** Notice -- If you see connections on various ports from bot.addictz.net [07:24] -blacksheep.sf.us.addictz.net- *** Notice -- please disregard them, as they are the monitor in action. [07:24] -blacksheep.sf.us.addictz.net- *** Notice -- For more information please visit http://kline.dal.net/proxy
[07:24] * Cute-Guy78 sets mode: +iz
[07:24] -Global- [Logon News - Oct 18 2003] If you haven't already done so, Please register your nick by typing /msg nickserv register password your () email com
[07:24] -opsb- Your Host is being Scanned for Open Proxies
* No one in your notify list is on IRC
[07:24] Local host: unknown (10.10.10.10)

At 10:46 PM 12/15/2003, you wrote:
Hi all,

I have been seeing a lot of strange traffic hitting my firewall and
cannot get a definite as to what it actually is.

Dec 15 01:42:35 fw.domain.com Dec 15 2003 01:37:38: %PIX-3-106011: Deny
inbound (No xlate) tcp src outside:69.50.163.130/6667 dst
outside:x.x.x.x/2363
Dec 14 10:56:43 fw.domain.com Dec 14 2003 10:51:55: %PIX-3-106011: Deny
inbound (No xlate) tcp src outside:69.50.163.130/6667 dst
outside:x.x.x.x/4001
Dec 13 23:00:15 fw.domain.com Dec 13 2003 22:55:34: %PIX-3-106011: Deny
inbound (No xlate) tcp src outside:69.50.163.130/6667 dst
outside:x.x.x.x/2423
Dec 13 23:50:51 fw.domain.com Dec 13 2003 23:46:09: %PIX-4-106023: Deny
tcp src outside:68.34.60.101/6667 dst inside:x.x.x.x/1726 by
access-group "outside_access_in"

>From what I am seeing, it is from the same ip and src port - 6667 but
going to different ip and dest ports.  I have seen this activity from
numerous hosts and a dig cannot find anything about them.

I have seen an massive increase of this traffic over the last couple of
days and can't find any conclusive evidence that it may be a virus in
the wild.  Has anyone else seen this type of traffic?

Any information is greatly appreciated.
Jenn

---------------------------------------------------------------------------
----------------------------------------------------------------------------

Thank you.


  Regards,
  Melvin Foong
  Mobile  : +6012-6306890
  Email  :  melvin.foong () codebeat net
http://www.codebeat.net - Watch out for this space !

---------------------------------------------------------------------------
----------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault