Security Basics mailing list archives

Re: Possible virus?
From: Melvin Foong <melvin.foong () codebeat net>
Date: Tue, 16 Dec 2003 07:27:35 +0800


The traffic that you are seeing is going to an IRC network called Addictz Network. Here is the output from my IRC client. Hope this helps.

Welcome to the Addictz Network l33t-hax0r!myr0n () 10 10 10 10
You are connected to blacksheep.sf.us.addictz.net[blacksheep.sf.us.addictz.net/6667], running version LiquidIRCd-1.0(04)(shiva)
This server was created Thu Nov 20 2003 at 12:22:57 GMT
blacksheep.sf.us.addictz.net LiquidIRCd-1.0(04)(shiva) oOiwscrkKnfydaAbgheFxXjzNTCW biklLmMnNoprRstvcS NOQUIT WATCH=128 SAFELIST MODES=6 MAXCHANNELS=10 MAXBANS=100 NICKLEN=30 TOPICLEN=307 KICKLEN=307 CHANTYPES=# PREFIX=(qaohVv)!* () %=+ NETWORK=Addictz SILENCE=10 CASEMAPPING=ascii CHANMODES=b,kL,l,cimMnNOpQrRsStU are supported by this server
There are 23 users and 6477 invisible on 22 servers
36 IRC Operators online
516 channels formed
I have 609 clients and 1 servers
Current local users: 609 Max: 1469
Current global users: 6500 Max: 8069
[07:24] -blacksheep.sf.us.addictz.net- *** Notice -- motd was last changed at 20/11/2003 12:22
[07:24] -blacksheep.sf.us.addictz.net- *** Notice -- Please read the motd if you haven't read it
Message of the Day, blacksheep.sf.us.addictz.net
- *** This is the short motd ***
End of /MOTD command.
[07:24] -blacksheep.sf.us.addictz.net- *** Notice -- This server runs an open proxy monitor to prevent abuse.
[07:24] -blacksheep.sf.us.addictz.net- *** Notice -- If you see connections on various ports from bot.addictz.net
[07:24] -blacksheep.sf.us.addictz.net- *** Notice -- please disregard them, as they are the monitor in action.
[07:24] -blacksheep.sf.us.addictz.net- *** Notice -- For more information please visit http://kline.dal.net/proxy
[07:24] * Cute-Guy78 sets mode: +iz
[07:24] -Global- [Logon News - Oct 18 2003] If you haven't already done so, Please register your nick by typing /msg nickserv register password your () email com
[07:24] -opsb- Your Host is being Scanned for Open Proxies
* No one in your notify list is on IRC
[07:24] Local host: unknown (

At 10:46 PM 12/15/2003, you wrote:
Hi all,

I have been seeing a lot of strange traffic hitting my firewall and
cannot get a definite as to what it actually is.

Dec 15 01:42:35 fw.domain.com Dec 15 2003 01:37:38: %PIX-3-106011: Deny
inbound (No xlate) tcp src outside: dst
Dec 14 10:56:43 fw.domain.com Dec 14 2003 10:51:55: %PIX-3-106011: Deny
inbound (No xlate) tcp src outside: dst
Dec 13 23:00:15 fw.domain.com Dec 13 2003 22:55:34: %PIX-3-106011: Deny
inbound (No xlate) tcp src outside: dst
Dec 13 23:50:51 fw.domain.com Dec 13 2003 23:46:09: %PIX-4-106023: Deny
tcp src outside: dst inside:x.x.x.x/1726 by
access-group "outside_access_in"

From what I am seeing, it is from the same ip and src port - 6667 but
going to different ip and dest ports.  I have seen this activity from
numerous hosts and a dig cannot find anything about them.

I have seen a massive increase of this traffic over the last couple of
days and can't find any conclusive evidence that it may be a virus in
the wild.  Has anyone else seen this type of traffic?

Any information is greatly appreciated.


Thank you.

  Melvin Foong
  Mobile  : +6012-6306890
  Email  :  melvin.foong () codebeat net
http://www.codebeat.net - Watch out for this space !
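
One way to check the pattern described in the question (a single source IP with source port 6667, denied toward many destination IPs and ports) against a PIX log, as an added example that is not part of the original thread. The log lines are constructed in the 106011/106023 layout with documentation-range addresses, because the addresses in the post were removed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the %PIX-3-106011 / %PIX-4-106023 layout, wrapped the
# way the post's lines are. Addresses are documentation-range placeholders.
SAMPLE = """\
Dec 15 01:42:35 fw.domain.com Dec 15 2003 01:37:38: %PIX-3-106011: Deny
inbound (No xlate) tcp src outside:192.0.2.10/6667 dst outside:198.51.100.5/1726
Dec 14 10:56:43 fw.domain.com Dec 14 2003 10:51:55: %PIX-3-106011: Deny
inbound (No xlate) tcp src outside:192.0.2.10/6667 dst outside:198.51.100.6/3012
Dec 13 23:50:51 fw.domain.com Dec 13 2003 23:46:09: %PIX-4-106023: Deny
tcp src outside:192.0.2.10/6667 dst inside:198.51.100.7/1726 by
access-group "outside_access_in"
Dec 13 23:51:02 fw.domain.com Dec 13 2003 23:46:20: %PIX-4-106023: Deny
tcp src outside:203.0.113.9/80 dst inside:198.51.100.7/4410 by
access-group "outside_access_in"
"""

# A record starts with a syslog timestamp; any other line is a continuation.
WRAP = re.compile(r"\n(?![A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d )")
DENY = re.compile(
    r"%PIX-\d-(?P<msg>106011|106023): Deny (?:inbound \(No xlate\) )?"
    r"(?P<proto>\w+) src \w+:(?P<sip>[\d.]+)/(?P<sport>\d+) "
    r"dst \w+:(?P<dip>[\d.]+)/(?P<dport>\d+)"
)

def parse(text):
    """Unwrap continuation lines, then yield a dict per deny record."""
    for line in WRAP.sub(" ", text).splitlines():
        m = DENY.search(line)
        if m:
            yield m.groupdict()

def fanout(text, min_targets=2):
    """Return {(src_ip, src_port): sorted [(dst_ip, dst_port), ...]} for
    sources denied toward at least min_targets distinct destinations."""
    seen = defaultdict(set)
    for r in parse(text):
        seen[(r["sip"], int(r["sport"]))].add((r["dip"], int(r["dport"])))
    return {s: sorted(d) for s, d in seen.items() if len(d) >= min_targets}

if __name__ == "__main__":
    for (ip, port), targets in fanout(SAMPLE).items():
        print(f"{ip}:{port} -> {len(targets)} destinations: {targets}")
```

Grouping on the source IP and port together keeps a fixed-port source such as an IRC server (6667) separate from ordinary clients, whose ephemeral source ports change with every connection.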

