If you are running APC Powerchute on your server you may want to look at:
http://archives.neohapsis.com/archives/ntbugtraq/1999-q4/0017.html

---Matthew

*********** REPLY SEPARATOR ***********

On 12/19/2001 at 4:33 PM Jignesh Pathak wrote:

>TCP ports 6667 and 6668 are used for IRC (Internet Relay Chat). Looking
>at this, it seems that your server might have a connection to an IRC
>server using TCP port 6666. But at the same time TCP port 6666 is used
>by the DarkConnection and TCPshell.C Trojans.
>
>You need to run some utility to find out the connections. Wish I could
>have a handy one.
>
>---------------------------------------------------------------------
>Jignesh Pathak
>System Administrator
>---------------------------------------------------------------------
>
>
>-----Original Message-----
>From: Eric Hines [mailto:eric3+@pitt.edu]
>Sent: Wednesday, December 19, 2001 2:46 PM
>To: incidentsat_private
>Subject: NT Compromise
>
>Hey all,
>
>I am responding to several compromised NT boxes and am trying to find a
>utility that will allow you to see what program is bound to a particular
>port. I think I've seen one that shows what ports are bound to
>command.com, but need something similar for other programs/trojans/etc.
>Is there something available? Has anyone seen a compromised NT box with
>port 6667 open that does not seem to be running an IRCD? Check out the
>below snippet from netstat. I've tried connecting to the 6667 port with
>mIRC.. Nothing at all! I need to find out what process/application
>opened this port. On this note, can anyone recommend a good forensics
>toolkit for Windows to be used on compromised machines?
>
>C:\ netstat -an
>-- snip --
> TCP 0.0.0.0:6666 0.0.0.0:0 LISTENING
> TCP 0.0.0.0:6667 0.0.0.0:0 LISTENING
> TCP 0.0.0.0:6668 0.0.0.0:0 LISTENING
>-- snap --
>
>
>
>2nd Problem: Does anyone know what the REDIRECTOR in Windows NT/2000 is?
>I am seeing a compromised NT box full of such logs in the event/security
>viewer. Logs have been pasted below. Notice all of the different
>hostnames/machines it's attempting to access. Add 70-something other
>machines to the below list. What is it, and is this a sign of a definite
>compromise?
>
>12/17/01 1:16:26 PM Rdr Warning None 3013 N/A INTERACT The redirector has timed out a request to READING.
>12/17/01 1:15:11 PM Rdr Warning None 3013 N/A INTERACT The redirector has timed out a request to STEELSRV.
>12/17/01 1:14:01 PM Rdr Warning None 3013 N/A INTERACT The redirector has timed out a request to PUBLICSAFETY1.
>12/17/01 1:12:51 PM Rdr Warning None 3013 N/A INTERACT The redirector has timed out a request to ANITRA-00.
>12/17/01 1:10:41 PM Rdr Warning None 3013 N/A INTERACT The redirector has timed out a request to SRFS-PDC.
>12/17/01 1:09:31 PM Rdr Warning None 3013 N/A INTERACT The redirector has timed out a request to GODZILLA.
>12/17/01 1:08:21 PM Rdr Warning None 3013 N/A INTERACT The redirector has timed out a request to SDMWWW.
>12/17/01 1:07:11 PM Rdr Warning None 3013 N/A INTERACT The redirector has timed out a request to EXCHANGE.
>12/17/01 1:06:01 PM Rdr Warning None 3013 N/A INTERACT The redirector has timed out a request to PICASSO.
>12/17/01 1:04:51 PM Rdr Warning None 3013 N/A INTERACT The redirector has timed out a request to PITT-TV3.
>12/17/01 1:03:51 PM Rdr Warning None 3013 N/A INTERACT The redirector has timed out a request to COMPUTERZ.
>12/17/01 1:02:36 PM Rdr Warning None 3013 N/A INTERACT The redirector has timed out a request to SDMGENETICS1.
>12/17/01 1:01:36 PM Rdr Warning None 3013 N/A INTERACT The redirector has timed out a request to BOHNER2.
>12/17/01 1:00:36 PM Rdr Warning None 3013 N/A INTERACT The redirector has timed out a request to CALIBAN.
>
>
>Please advise!
>Eric
>
>
>
>
>----------------------------------------------------------------------------
>This list is provided by the SecurityFocus ARIS analyzer service.
>For more information on this free incident handling, management
>and tracking system please see: http://aris.securityfocus.com
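Added example, not code posted by anyone in this thread. The `netstat -an` output quoted above has no PID column, which is why the poster cannot tell which program owns port 6667. From Windows XP/2003 onward `netstat -ano` prints the owning PID, and `tasklist /FO CSV /NH` maps PIDs to image names; the script below joins the two and flags the 6666-6668 range from the post. The netstat and tasklist outputs embedded here are constructed samples (including the placeholder image name sample_srv.exe), not captured from a real host; on a Windows machine it runs the real commands instead.

```python
"""Join `netstat -ano` to `tasklist` to find which process owns a listening port.

Added example for the thread above; the sample outputs are constructed.
"""
import csv
import io
import subprocess
import sys

# Ports from the poster's netstat snippet; 6666-6668 is the usual IRC range.
SUSPICIOUS_PORTS = frozenset({6666, 6667, 6668})

# Constructed sample of `netstat -ano` output (not from a real host).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:6666           0.0.0.0:0              LISTENING       1388
  TCP    0.0.0.0:6667           0.0.0.0:0              LISTENING       1388
  TCP    0.0.0.0:6668           0.0.0.0:0              LISTENING       1388
  TCP    192.0.2.10:139         192.0.2.77:1052        ESTABLISHED     4
  TCP    [::]:135               [::]:0                 LISTENING       904
  UDP    0.0.0.0:123            *:*                                    1092
"""

# Constructed sample of `tasklist /FO CSV /NH` output; sample_srv.exe is a placeholder.
SAMPLE_TASKLIST = """\
"System","4","Services","0","236 K"
"svchost.exe","904","Services","0","6,244 K"
"svchost.exe","1092","Services","0","4,120 K"
"sample_srv.exe","1388","Console","1","3,120 K"
"""


def parse_netstat(text):
    """Parse `netstat -ano` rows into dicts. UDP rows have no State column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # blank line, 'Active Connections', or column header
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, foreign, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:
            proto, local, foreign, pid = parts
            state = ""
        else:
            continue
        # rsplit so IPv6 literals such as [::]:135 keep their inner colons
        addr, port = local.rsplit(":", 1)
        rows.append({"proto": proto, "local_addr": addr, "local_port": int(port),
                     "foreign": foreign, "state": state, "pid": int(pid)})
    return rows


def parse_tasklist_csv(text):
    """Map PID -> image name from `tasklist /FO CSV /NH` output."""
    pid_to_image = {}
    for rec in csv.reader(io.StringIO(text)):
        if len(rec) >= 2 and rec[1].isdigit():  # skips a header row if present
            pid_to_image[int(rec[1])] = rec[0]
    return pid_to_image


def listening_ports(netstat_text, tasklist_text, suspicious=SUSPICIOUS_PORTS):
    """Listening TCP sockets joined to their owning image, flagged if on a watch list."""
    images = parse_tasklist_csv(tasklist_text)
    result = []
    for row in parse_netstat(netstat_text):
        if row["proto"] != "TCP" or row["state"] != "LISTENING":
            continue
        result.append({"port": row["local_port"], "pid": row["pid"],
                       "image": images.get(row["pid"], "<unknown>"),
                       "flagged": row["local_port"] in suspicious})
    return sorted(result, key=lambda r: r["port"])


def collect_live():
    """Run the real commands; only meaningful on a Windows host."""
    ns = subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout
    tl = subprocess.run(["tasklist", "/FO", "CSV", "/NH"], capture_output=True, text=True).stdout
    return ns, tl


if __name__ == "__main__":
    ns, tl = collect_live() if sys.platform == "win32" else (SAMPLE_NETSTAT, SAMPLE_TASKLIST)
    for r in listening_ports(ns, tl):
        mark = "  <-- check" if r["flagged"] else ""
        print(f"TCP {r['port']:>5}  pid {r['pid']:>5}  {r['image']}{mark}")
```

A PID alone is not an answer on a compromised box: the image name tasklist reports comes from the process's own memory, so follow up by checking the on-disk path, signature and start time of the flagged PID rather than trusting a familiar-looking name.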
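Added example for the second question in the thread, not code posted by anyone here. The event source "Rdr" is the Windows redirector, the SMB client side of the Workstation service, and event 3013 records a request to a remote server that timed out. The script below parses Event Viewer text lines in the layout pasted above (date, time, source, type, category, event ID, user, computer, description), counts how many distinct hosts the box tried to reach and measures the spacing between attempts. The "sweep-like" flag is a triage heuristic of my own: one attempt per host at a near-constant cadence looks more like a program walking a host list than a user browsing shares. It is not proof of compromise. The fourteen sample lines are the ones quoted in the post, reassembled one event per line; the thresholds are assumptions.

```python
"""Summarise Windows 'Rdr' event 3013 (redirector request timed out) entries.

Added example for the thread above; sample lines are the ones quoted in the post.
"""
import re
import statistics
from datetime import datetime

# Event Viewer text layout: Date Time Source Type Category Event User Computer Description
EVENT_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{2})\s+(?P<time>\d{1,2}:\d{2}:\d{2}\s+[AP]M)\s+"
    r"(?P<source>\S+)\s+(?P<type>\S+)\s+(?P<category>\S+)\s+(?P<event>\d+)\s+"
    r"(?P<user>\S+)\s+(?P<computer>\S+)\s+(?P<desc>.*)$"
)
TARGET_RE = re.compile(r"has timed out a request to (?P<target>\S+?)\.?$")

# The fourteen events quoted in the post, one per line.
SAMPLE_EVENTS = """\
12/17/01 1:16:26 PM Rdr Warning None 3013 N/A INTERACT The redirector has timed out a request to READING.
12/17/01 1:15:11 PM Rdr Warning None 3013 N/A INTERACT The redirector has timed out a request to STEELSRV.
12/17/01 1:14:01 PM Rdr Warning None 3013 N/A INTERACT The redirector has timed out a request to PUBLICSAFETY1.
12/17/01 1:12:51 PM Rdr Warning None 3013 N/A INTERACT The redirector has timed out a request to ANITRA-00.
12/17/01 1:10:41 PM Rdr Warning None 3013 N/A INTERACT The redirector has timed out a request to SRFS-PDC.
12/17/01 1:09:31 PM Rdr Warning None 3013 N/A INTERACT The redirector has timed out a request to GODZILLA.
12/17/01 1:08:21 PM Rdr Warning None 3013 N/A INTERACT The redirector has timed out a request to SDMWWW.
12/17/01 1:07:11 PM Rdr Warning None 3013 N/A INTERACT The redirector has timed out a request to EXCHANGE.
12/17/01 1:06:01 PM Rdr Warning None 3013 N/A INTERACT The redirector has timed out a request to PICASSO.
12/17/01 1:04:51 PM Rdr Warning None 3013 N/A INTERACT The redirector has timed out a request to PITT-TV3.
12/17/01 1:03:51 PM Rdr Warning None 3013 N/A INTERACT The redirector has timed out a request to COMPUTERZ.
12/17/01 1:02:36 PM Rdr Warning None 3013 N/A INTERACT The redirector has timed out a request to SDMGENETICS1.
12/17/01 1:01:36 PM Rdr Warning None 3013 N/A INTERACT The redirector has timed out a request to BOHNER2.
12/17/01 1:00:36 PM Rdr Warning None 3013 N/A INTERACT The redirector has timed out a request to CALIBAN.
"""


def parse_rdr_events(text, event_id=3013):
    """Return Rdr events with the given ID, oldest first, with the target host pulled out."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m or m["source"] != "Rdr" or int(m["event"]) != event_id:
            continue
        t = TARGET_RE.search(m["desc"])
        when = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%y %I:%M:%S %p")
        events.append({"when": when, "computer": m["computer"],
                       "target": t["target"] if t else None})
    return sorted(events, key=lambda e: e["when"])


def summarize(events, min_targets=10, max_median_gap=120):
    """Count distinct targets and the cadence between attempts; thresholds are assumptions."""
    if not events:
        return {"count": 0, "distinct_targets": 0, "sweep_like": False}
    targets = [e["target"] for e in events if e["target"]]
    gaps = [(b["when"] - a["when"]).total_seconds() for a, b in zip(events, events[1:])]
    median_gap = statistics.median(gaps) if gaps else None
    distinct = len(set(targets))
    # Heuristic: many hosts, each touched once, at a steady interval.
    sweep_like = (distinct >= min_targets and distinct == len(targets)
                  and median_gap is not None and median_gap <= max_median_gap)
    return {"count": len(events), "distinct_targets": distinct,
            "first": events[0]["when"], "last": events[-1]["when"],
            "median_gap_s": median_gap,
            "min_gap_s": min(gaps) if gaps else None,
            "max_gap_s": max(gaps) if gaps else None,
            "sweep_like": sweep_like, "targets": sorted(set(targets))}


if __name__ == "__main__":
    s = summarize(parse_rdr_events(SAMPLE_EVENTS))
    print(f"{s['count']} Rdr 3013 events, {s['distinct_targets']} distinct targets, "
          f"median gap {s['median_gap_s']}s, sweep-like: {s['sweep_like']}")
```

On the quoted sample the result is fourteen events to fourteen different hosts, roughly one every 60 to 75 seconds with a single 130-second gap. The summary only says what the box was doing; whether the connection attempts came from a legitimate job or from whatever owns the listening ports still has to be settled on the host itself.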
This archive was generated by hypermail 2b30 : Wed Dec 19 2001 - 15:01:01 PST