6667 may also be used by some APC UPS daemons common on some Windows systems. May want to try and simulate an IRC connect via telnet to see if it responds like an IRC server would. -- Dave Ockwell-Jenner On Wed, 30 Jan 2002, Adcock, Matt wrote: > I believe both tcp/6667 and tcp/6668 are both used for IRC. It would make > sense that these are network aware. I know other IMs are. > > Matt > > -----Original Message----- > From: Mike Lewinski [mailto:mikeat_private] > > We were able to get a port scan of the other client's infected box, and it > too was running IIS and MS-SQL. However, in addition it also had tcp > 6667/6668 open. Ironically, this same client's server was running Linux two > years ago, and intruders installed an eggdrop bot there. I believe that > incident (which totaled their machine before any data recovery was possible) > caused them to look to a Microsoft solution. ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed Jan 30 2002 - 13:58:28 PST