port 6667 activity

Thread: port 6667 activity

  1. #1
    Member
    Join Date
    May 2002
    Posts
    65
    hmmm something went wrong when I posted... Oh well, here goes again. So I got a win2k server set up on the internet as a mail server and it patches itself about once a week (MS patches). The other day I noticed the traffic has just about doubled. I did a netstat -a to see connections and I see a connection originating from my machine (port 1039 standard, I know) to port 6667 on someone's IP address. So I ran a full scan with NAV and found nothing, then I went and downloaded The Cleaner by MooSoft and ran that and it picked up nothing. The Cleaner also comes with a component that maps processes to ports and the one above didn't even show up. Then I checked the Run keys in the registry and didn't find anything suspicious-looking. Anybody have any idea what's going on? I know IRC listens on port 6667 and I saw some stuff on Google about people using 6667 for DoS attacks, but I checked a few and looked for the files they said were found on the attacking machines. Alas, I found nothing.

    Thanks for your help
    Greg

  2. #2
    Banned
    Join Date
    Aug 2001
    Location
    Yes
    Posts
    4,424
    I deleted all 'previous' posts... heh... now this thread makes sense again

  3. #3
    Trumpet-Eared Gentoo Freak
    Join Date
    Jan 2003
    Posts
    992
    Why don't you give us the IP and we'll have a look.

    BTW Negative : Get your roots sorted out and get that Belgian flag back in place
    Come and check out our wargame-site @ http://www.rootcontest.org
    We chat @ irc.smdc-network.org #lobby

  4. #4
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786
    do a netstat with no flags and see what irc server

    do a search on your computer for mIRC.ini

    get fport from foundstone.com and run it from DOS. This will map each port to the app using it. See what app is using 1029

    let us know what you find
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  5. #5
    0_o Mastermind keezel's Avatar
    Join Date
    Jun 2003
    Posts
    1,024
    The number "6667" definitely sets an alarm off in my head....I remember reading about some trojan/worm/somethin-er-other that uses port 6667. I'll look, but I'm posting it just in case it triggers any memories from anyone else. I'll edit the post if I find anything. *goez lookin*

  6. #6
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884
    If it's not just an IRC server running, it can be *any* of these oldies but goodies:
    Dark FTP
    ScheduleAgent
    SubSeven
    DefCon 8
    Trinity
    WinSatan

    Either get your hands on TCPView (my personal favorite process explorer) or as suggested, Fport will do the same thing without the pretty GUI.

    You can get TCPView here:
    http://www.webattack.com/get/tcpview.shtml

    Hope this helps.

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
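
The port-to-process mapping suggested in the posts above (netstat, Fport, TCPView) can also be scripted. The following is an added example, not code from the thread or from any of the tools named: it assumes a Windows release where `netstat -ano` and `tasklist /fo csv /nh` are available, and the sample output, addresses, PIDs, image names and the port set beyond 6667 are all constructed.

```python
import csv
import io

# 6667 is the port from the thread; the rest of this set is an assumption to tune.
IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}

# Constructed sample of `netstat -ano` output (documentation address ranges).
NETSTAT_SAMPLE = """
Active Connections
  Proto  Local Address      Foreign Address      State        PID
  TCP    0.0.0.0:25         0.0.0.0:0            LISTENING    884
  TCP    192.0.2.10:25      203.0.113.5:40211    ESTABLISHED  884
  TCP    192.0.2.10:1039    198.51.100.7:6667    ESTABLISHED  1432
  TCP    192.0.2.10:1051    198.51.100.7:6667    SYN_SENT     1432
  TCP    [2001:db8::10]:1060  [2001:db8::1]:6697  ESTABLISHED  2210
  UDP    0.0.0.0:500        *:*                               472
"""

# Constructed sample of `tasklist /fo csv /nh` output; PID 2210 is absent on purpose.
TASKLIST_SAMPLE = '''
"mailsrv.exe","884","Services","0","5,120 K"
"winupd32.exe","1432","Services","0","3,204 K"
'''

def split_endpoint(endpoint):
    """Split 'host:port' or '[v6]:port' into (host, port)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port) if port.isdigit() else None

def parse_tasklist(text):
    """Map PID -> image name from headerless CSV tasklist output."""
    rows = csv.reader(io.StringIO(text))
    return {int(r[1]): r[0] for r in rows if len(r) >= 2 and r[1].isdigit()}

def find_irc_connections(netstat_text, tasklist_text, ports=IRC_PORTS):
    """Return non-listening TCP rows whose remote port is in `ports`."""
    names = parse_tasklist(tasklist_text)
    hits = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # TCP rows have exactly: proto, local, remote, state, pid
        if len(fields) != 5 or fields[0] != "TCP" or fields[3] == "LISTENING":
            continue
        rhost, rport = split_endpoint(fields[2])
        if rport in ports:
            pid = int(fields[4])
            hits.append({"local": fields[1], "remote_host": rhost,
                         "remote_port": rport, "state": fields[3], "pid": pid,
                         "image": names.get(pid, "<unknown>")})
    return hits

if __name__ == "__main__":
    for h in find_irc_connections(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(h["pid"], h["image"], h["local"], "->", h["remote_host"], h["remote_port"], h["state"])
```

A PID that shows up in the connection table but resolves to `<unknown>` is worth a closer look with a second tool, since the image name alone says little when executables have been renamed.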

  7. #7
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786
    i was going to suggest the pstool kit from sysinternals.com but it's difficult for one to know what processes to kill until you see which ones are connecting to the net. usually process listers don't map to port.

    the problem is mIRC, Serv-U and the others aren't trojans so NAV will not pick them up, and the names of the exe's are changed so you don't recognize them among the processes. They can be installed by worms like muma or the newest one that exploits RPC, or installed manually by someone who's broken into your machine

  8. #8
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884
    "usually process listers don't map to port."
    Yep, most don't but TCPView is one of the few that does.

  9. #9
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786
    very cool thehorse13 thanks a lot!

    if this guy ever replies, we can throw (not through) a ton of stuff on there! :-)

    TCPview comes from sysinternals as well...what a bunch of buds they are

    it's a GUI but at least i can maintain my esoteric air by calling it from the run box LoL

  10. #10
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884
    Yeah, I'm hoping that he'll post the output from one of the viewers we have suggested.
