Microsoft using trojans?
Results 1 to 8 of 8

Thread: Microsoft using trojans?

  1. #1
    Senior Member
    Join Date
    May 2003
    Location
    Area-51
    Posts
    148

    Question Microsoft using trojans?

    I decided to do a netstat -n just to make sure things were ok, and to my surprise several connections established from 207.68.167.159 running on port 6667 (Sub7). At that instant, I unplugged my cable from the wall, ran a trojan scan, nothing came up. So i checked again, connections still there, so i went to SamSpade.org and used their "Do stuff" Option for that IP. This Came up
    dns 207.68.167.159


    207.68.167.159 has no reverse DNS configured.



    whois -h magic 207.68.167.159
    Trying whois -h whois.arin.net 207.68.167.159

    OrgName: Microsoft Corp
    OrgID: MSFT
    Address: One Microsoft Way
    City: Redmond
    StateProv: WA
    PostalCode: 98052
    Country: US

    NetRange: 207.68.128.0 - 207.68.207.255
    CIDR: 207.68.128.0/18, 207.68.192.0/20
    NetName: MICROSOFT-CORP-MSN-BLK
    NetHandle: NET-207-68-128-0-1
    Parent: NET-207-0-0-0-0
    NetType: Direct Allocation
    NameServer: DNS1.CP.MSFT.NET
    NameServer: DNS2.CP.MSFT.NET
    NameServer: DNS1.TK.MSFT.NET
    NameServer: DNS1.DC.MSFT.NET
    NameServer: DNS1.SJ.MSFT.NET
    Comment:
    RegDate: 1996-03-26
    Updated: 2003-01-15

    TechHandle: ZM39-ARIN
    TechName: Microsoft
    TechPhone: +1-425-936-4200
    TechEmail: noc@microsoft.com

    OrgAbuseHandle: ABUSE231-ARIN
    OrgAbuseName: Abuse
    OrgAbusePhone: +1-425-882-8080
    OrgAbuseEmail: abuse@microsoft.com

    OrgNOCHandle: ZM23-ARIN
    OrgNOCName: Microsoft Corporation
    OrgNOCPhone: +1-425-882-8080
    OrgNOCEmail: noc@microsoft.com

    OrgTechHandle: MSFTP-ARIN
    OrgTechName: MSFT-POC
    OrgTechPhone: +1-425-882-8080
    OrgTechEmail: iprrms@microsoft.com

    # ARIN WHOIS database, last updated 2003-07-03 21:05
    # Enter ? for additional hints on searching ARIN's WHOIS database.

    So then I checked my firewall logs and found this
    07/04/2003 01:26:00 Allowed TCP Outgoing 207.68.167.159 6667 192.168.1.100 1751 C:\Program Files\Internet Explorer\IEXPLORE.EXE 1 07/04/2003 01:24:56 07/04/2003 01:24:56 Ask all running apps

    My question is, what should I do now that it doesnt show up on my trojan scanner? Try another product? And, is this microsoft thats using it, or is someone just using one of their machines as a decoy (for lack of a better term).

    Thanks in advance for any help.

  2. #2
    Senior Member Cemetric's Avatar
    Join Date
    Oct 2002
    Posts
    491
    Hello,

    Did you do any anti-virus checks ... as I recall there are some virusses that leave some trojans behind or connect to ports like 6667.

    These ports like 6667 are mainly used for IRC (maybe you know but anyway) ...
    DId you connect to a site at that moment that has somesort of chat possibilities (java or something like it) they connect to that port as well.

    You have a firewall ... what if you block that port ...does it reconnect automaticly to another port without anything being open or running ... maybe it's the Deloder worm.

    ... Which OS do you use XP or W98 ?


    Keep us updated
    Back when I was a boy, we carved our own IC's out of wood.

  3. #3
    Senior Member
    Join Date
    Feb 2002
    Posts
    130
    As Cemetric said it could be IRC, Microsoft Chat also works on that port I think, doubt you would be having a chat with someone from microsoft though. I wonder if it could be something to do with Microsoft auto update or something, not sure what port that uses or if it is dynamically assigned. I would say your best option would be to download FPort from Foundstone http://www.foundstone.com/knowledge/proddesc/fport.html . That will tell you what porocess is making the connection, which should give you a bit more of an idea if it is malicius or not.

    Give it a try

    hope this helps

  4. #4
    Senior Member
    Join Date
    Feb 2003
    Posts
    193
    Nothing is new, those son of a gun always been prying on every bodys life. Sad. Dont you think it is time to slowly move towards to *nix.

  5. #5
    T3h Ch3F
    Join Date
    Sep 2001
    Posts
    716

    Perhaps to Basic an Idea

    I have had so many problems of the same sort with Microsoft update I can not even count them on 50 hands. As well so many auto updates of firewall proggies. and at times a regimen of not updating all utilities on a regular basis causes many of these reports.


    Just my advice from personal procrastination, always update utlities that are running in support of others. Many times patches from one source will affect another.



    :


  6. #6
    Senior Member
    Join Date
    Jul 2003
    Posts
    113
    microsoft likes to have their progs send info about the user to them for some **** or whatever...if you got some weird connections, and its a big corp's prog, like m$, you should be fine

    And especially if you have a hardware firewall, as long as you dont have too many open ports, and you arent dealing with assassin, you dont have mu to worry about

  7. #7
    Junior Member
    Join Date
    May 2003
    Posts
    3
    well 6667 is one of the universal ports used for irc so M$ should not have used it and i think its a trojan or probably a "feature" of the M$ iexplore.exe!
    DUMP WINDOWS AND USE *NIX or BSD's!
    **** MICRO$OFT!
    **** GATES!

  8. #8
    Junior Member
    Join Date
    Jul 2003
    Posts
    26
    Uh, guys. I have IRC, and I have the same or similar ip address shown on my netstat -n. I wouldn't worry too much. My other computer, that doesn't have IRC, doesn't have one of those ip addresses. It's a IRC thing. Delete IRC, or don't use it anymore, simple as that. Port 6667 is an IRC port.
    Doc
    I\'m Doc, fear me because..........well I don\'t know, but fear me anyway.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •