mailing list archives
RE: irc port open on 6668/tcp and 6667/tcp
From: Charles Hamby <fixer () gci net>
Date: Tue, 11 Feb 2003 09:47:31 -0900
I agree; my college recently had a similar problem with a Windows 2000
DC that had been compromised and had an IRC bot dropped on it. You
might also want to check http://www.dshield.org and go to the Dshield
Reports, Subnet Reports and see if the IP address for the PDC (or for
your company if you're using NAT) is reported as a known attacker). If
so, it indicates (with a reasonably high degree of probability) that the
server has been compromised. In our case we were able to discover that
our server was compromised and was launching ISAKMP scans against other
networks around the country.
From: Nelson, Ernie [mailto:Ernie.Nelson () wizards com]
Sent: Tuesday, February 11, 2003 8:24 AM
To: Harish Gondavale; security-basics () securityfocus com
Subject: RE: irc port open on 6668/tcp and 6667/tcp
I'd grab the fport utility from http://www.foundstone.com/ and run it on
the PDC to see what process is using those open ports.
Now my question is, why these port are open on PDC? Is
there something suspicious? What should I do to find
the exact reason?