
Thread: Microsoft using trojans?

  1. #1
    Senior Member SirSub's Avatar
    Join Date
    May 2003
    Location
    Groom Lake, Nevada
    Posts
    148

    Question Microsoft using trojans?

    I decided to do a netstat -n just to make sure things were ok, and to my surprise several connections were established from 207.68.167.159 running on port 6667 (Sub7). At that instant, I unplugged my cable from the wall, ran a trojan scan, nothing came up. So I checked again, connections still there, so I went to SamSpade.org and used their "Do stuff" option for that IP. This came up
    dns 207.68.167.159


    207.68.167.159 has no reverse DNS configured.



    whois -h magic 207.68.167.159
    Trying whois -h whois.arin.net 207.68.167.159

    OrgName: Microsoft Corp
    OrgID: MSFT
    Address: One Microsoft Way
    City: Redmond
    StateProv: WA
    PostalCode: 98052
    Country: US

    NetRange: 207.68.128.0 - 207.68.207.255
    CIDR: 207.68.128.0/18, 207.68.192.0/20
    NetName: MICROSOFT-CORP-MSN-BLK
    NetHandle: NET-207-68-128-0-1
    Parent: NET-207-0-0-0-0
    NetType: Direct Allocation
    NameServer: DNS1.CP.MSFT.NET
    NameServer: DNS2.CP.MSFT.NET
    NameServer: DNS1.TK.MSFT.NET
    NameServer: DNS1.DC.MSFT.NET
    NameServer: DNS1.SJ.MSFT.NET
    Comment:
    RegDate: 1996-03-26
    Updated: 2003-01-15

    TechHandle: ZM39-ARIN
    TechName: Microsoft
    TechPhone: +1-425-936-4200
    TechEmail: noc@microsoft.com

    OrgAbuseHandle: ABUSE231-ARIN
    OrgAbuseName: Abuse
    OrgAbusePhone: +1-425-882-8080
    OrgAbuseEmail: abuse@microsoft.com

    OrgNOCHandle: ZM23-ARIN
    OrgNOCName: Microsoft Corporation
    OrgNOCPhone: +1-425-882-8080
    OrgNOCEmail: noc@microsoft.com

    OrgTechHandle: MSFTP-ARIN
    OrgTechName: MSFT-POC
    OrgTechPhone: +1-425-882-8080
    OrgTechEmail: iprrms@microsoft.com

    # ARIN WHOIS database, last updated 2003-07-03 21:05
    # Enter ? for additional hints on searching ARIN's WHOIS database.

    So then I checked my firewall logs and found this
    07/04/2003 01:26:00 Allowed TCP Outgoing 207.68.167.159 6667 192.168.1.100 1751 C:\Program Files\Internet Explorer\IEXPLORE.EXE 1 07/04/2003 01:24:56 07/04/2003 01:24:56 Ask all running apps

    My question is, what should I do now that it doesn't show up on my trojan scanner? Try another product? And, is this Microsoft that's using it, or is someone just using one of their machines as a decoy (for lack of a better term)?

    Thanks in advance for any help.
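    A small triage script for a log line like the one above, added here as an example and not something from this thread: it pulls the process, remote address and port out of the firewall entry, checks the address against the ARIN NetRange from the whois output, and notes whether the port is one the thread associates with IRC/Sub7. The field layout of the firewall line is assumed from the single sample quoted.

```python
import ipaddress
import re

# Constructed sample: the firewall log line quoted in the thread.
FIREWALL_LOG = (
    "07/04/2003 01:26:00 Allowed TCP Outgoing 207.68.167.159 6667 "
    "192.168.1.100 1751 C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE 1 "
    "07/04/2003 01:24:56 07/04/2003 01:24:56 Ask all running apps"
)

# CIDR blocks taken from the ARIN whois record in the thread.
MICROSOFT_MSN_BLK = [ipaddress.ip_network(c) for c in ("207.68.128.0/18", "207.68.192.0/20")]

# Ports discussed in the thread: 6667 is the standard IRC port and also the
# default port of the Sub7 trojan, so it deserves a look either way.
PORTS_OF_INTEREST = {6667: "IRC (also a Sub7 default)"}

# Assumed layout: date time action proto direction rIP rPort lIP lPort exe ...
LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<action>\w+) (?P<proto>\w+) (?P<dir>\w+) "
    r"(?P<rip>\d+\.\d+\.\d+\.\d+) (?P<rport>\d+) "
    r"(?P<lip>\d+\.\d+\.\d+\.\d+) (?P<lport>\d+) "
    r"(?P<exe>[A-Za-z]:\\.*?\.[Ee][Xx][Ee])(?: |$)"
)


def in_netrange(ip: str) -> bool:
    """True if ip falls inside the whois NetRange for MICROSOFT-CORP-MSN-BLK."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MICROSOFT_MSN_BLK)


def triage(line: str) -> dict:
    """Parse one firewall log line and annotate it for a quick sanity check."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError("unrecognised firewall log format")
    rport = int(m.group("rport"))
    return {
        "process": m.group("exe"),
        "remote_ip": m.group("rip"),
        "remote_port": rport,
        "in_microsoft_block": in_netrange(m.group("rip")),
        "port_note": PORTS_OF_INTEREST.get(rport, "no note"),
    }


if __name__ == "__main__":
    for k, v in triage(FIREWALL_LOG).items():
        print(f"{k}: {v}")
```

    The point of the owner check is that a Sub7 listener on a Microsoft-registered address is far less likely than a browser talking to an MSN service on 6667; the process name in the log is what settles it, which is also what fport gives you for connections the firewall did not log.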

  2. #2
    Senior Member Cemetric's Avatar
    Join Date
    Oct 2002
    Posts
    491
    Hello,

    Did you do any anti-virus checks ... as I recall there are some viruses that leave some trojans behind or connect to ports like 6667.

    These ports like 6667 are mainly used for IRC (maybe you know but anyway) ...
    Did you connect to a site at that moment that has some sort of chat possibilities (Java or something like it)? They connect to that port as well.

    You have a firewall ... what if you block that port ... does it reconnect automatically to another port without anything being open or running ... maybe it's the Deloder worm.

    ... Which OS do you use XP or W98 ?


    Keep us updated
    Back when I was a boy, we carved our own IC's out of wood.

  3. #3
    Senior Member
    Join Date
    Feb 2002
    Posts
    130
    As Cemetric said it could be IRC, Microsoft Chat also works on that port I think, doubt you would be having a chat with someone from Microsoft though. I wonder if it could be something to do with Microsoft auto update or something, not sure what port that uses or if it is dynamically assigned. I would say your best option would be to download FPort from Foundstone http://www.foundstone.com/knowledge/proddesc/fport.html . That will tell you what process is making the connection, which should give you a bit more of an idea if it is malicious or not.

    Give it a try

    hope this helps

  4. #4
    Senior Member
    Join Date
    Feb 2003
    Posts
    193
    Nothing is new, those sons of a gun have always been prying on everybody's life. Sad. Don't you think it is time to slowly move towards *nix?

  5. #5
    T3h Ch3F
    Join Date
    Sep 2001
    Posts
    718

    Perhaps too basic an idea

    I have had so many problems of the same sort with Microsoft Update I can not even count them on 50 hands. As well so many auto updates of firewall proggies, and at times a regimen of not updating all utilities on a regular basis causes many of these reports.


    Just my advice from personal procrastination, always update utilities that are running in support of others. Many times patches from one source will affect another.


  6. #6
    Senior Member
    Join Date
    Jul 2003
    Posts
    113
    Microsoft likes to have their progs send info about the user to them for some **** or whatever... if you got some weird connections, and it's a big corp's prog, like M$, you should be fine.

    And especially if you have a hardware firewall, as long as you don't have too many open ports, and you aren't dealing with Assassin, you don't have much to worry about.

  7. #7
    Junior Member
    Join Date
    May 2003
    Posts
    3
    Well, 6667 is one of the universal ports used for IRC so M$ should not have used it, and I think it's a trojan or probably a "feature" of the M$ iexplore.exe!
    DUMP WINDOWS AND USE *NIX or BSD's!
    **** MICRO$OFT!
    **** GATES!

  8. #8
    Junior Member
    Join Date
    Jul 2003
    Posts
    26
    Uh, guys. I have IRC, and I have the same or similar IP address shown on my netstat -n. I wouldn't worry too much. My other computer, that doesn't have IRC, doesn't have one of those IP addresses. It's an IRC thing. Delete IRC, or don't use it anymore, simple as that. Port 6667 is an IRC port.
    Doc
    I'm Doc, fear me because.......... well I don't know, but fear me anyway.
