RE: DDoS to microsoft sites

From: Dave Ockwell-Jenner (dojat_private-nexus.com)
Date: Wed Jan 30 2002 - 11:27:39 PST

    6667 may also be used by some APC UPS daemons common on some Windows
    systems.  May want to try and simulate an IRC connect via telnet to see if
    it responds like an IRC server would.
    --
    Dave Ockwell-Jenner
    
    On Wed, 30 Jan 2002, Adcock, Matt wrote:
    
    > I believe tcp/6667 and tcp/6668 are both used for IRC.  It would make
    > sense that these are network aware.  I know other IMs are.
    >
    > Matt
    >
    > -----Original Message-----
    > From: Mike Lewinski [mailto:mikeat_private]
    >
    > We were able to get a port scan of the other client's infected box, and it
    > too was running IIS and MS-SQL. However, in addition it also had tcp
    > 6667/6668 open. Ironically, this same client's server was running Linux two
    > years ago, and intruders installed an eggdrop bot there. I believe that
    > incident (which totaled their machine before any data recovery was possible)
    > caused them to look to a Microsoft solution.
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Wed Jan 30 2002 - 13:58:28 PST