Port 6667 & 10.0.1.128/1.1.1.1/1.3.3.7

Discussion in 'Computer Security' started by ex-Zephion, Sep 18, 2003.

  1. ex-Zephion

    ex-Zephion Guest

    Hello,

    I'm seeing a lot of traffic trying to leave my firewall destined for
    port 6667 at the IPs 10.0.1.128, 10.10.10.10, 1.1.1.1 and 1.3.3.7
    (sounds like l337/elite to me :).

    Yes - I know the 10.x.x.x traffic isn't going too far.... RFC1918, etc,
    etc.

    Various Google searches and searches on the various A/V sites haven't
    turned up a definite answer - just more questions about the same thing.

    Can anyone clue me in to the exact trojan/worm/virus this may be and/or
    if they're seeing the same kind of traffic.

    Any insight is appreciated....

    Thanks.

    B
    ex-Zephion, Sep 18, 2003
    #1

  2. ex-Zephion

    Damjan Guest

    > Hello,
    >
    > I'm seeing a lot of traffic trying to leave my firewall destined for
    > port 6667 at the IPs 10.0.1.128, 10.10.10.10, 1.1.1.1 and 1.3.3.7
    > (sounds like l337/elite to me :).
    >
    > Yes - I know the 10.x.x.x traffic isn't going too far.... RFC1918, etc,
    > etc.
    >
    > Various Google searches and searches on the various A/V sites haven't
    > turned up a definite answer - just more questions about the same thing.
    >
    > Can anyone clue me in to the exact trojan/worm/virus this may be and/or
    > if they're seeing the same kind of traffic.
    >
    > Any insight is appreciated....
    >
    > Thanks.
    >
    > B


    It seems to be some kind of worm that spreads on the IRC networks..

    Greets
    D
    Damjan, Sep 18, 2003
    #2

  3. ex-Zephion

    [ Doc Jeff ] Guest

    On Thu, 18 Sep 2003 11:32:06 -0400, ex-Zephion
    <> wrote:

    >Hello,
    >
    >I'm seeing a lot of traffic trying to leave my firewall destined for
    >port 6667 at the IPs 10.0.1.128, 10.10.10.10, 1.1.1.1 and 1.3.3.7
    >(sounds like l337/elite to me :).
    >
    >Yes - I know the 10.x.x.x traffic isn't going too far.... RFC1918, etc,
    >etc.
    >
    >Various Google searches and searches on the various A/V sites haven't
    >turned up a definite answer - just more questions about the same thing.
    >
    >Can anyone clue me in to the exact trojan/worm/virus this may be and/or
    >if they're seeing the same kind of traffic.
    >
    >Any insight is appreciated....


    Sounds a little like the Fizzer worm but most AV software ought to
    pick up on it and exterminate

    --
    http://www.cotse.net - Use it, you know you want to.
    If you're too scared to go look for yourself, ask me
    about COTSE. I'd be happy to tell you about it.
    [ Doc Jeff ], Sep 18, 2003
    #3
  4. ex-Zephion

    Mimic Guest

    "ex-Zephion" <> wrote in message
    news:...
    > Hello,
    >
    > I'm seeing a lot of traffic trying to leave my firewall destined for
    > port 6667 at the IPs 10.0.1.128, 10.10.10.10, 1.1.1.1 and 1.3.3.7
    > (sounds like l337/elite to me :).
    >
    > Yes - I know the 10.x.x.x traffic isn't going too far.... RFC1918, etc,
    > etc.
    >
    > Various Google searches and searches on the various A/V sites haven't
    > turned up a definite answer - just more questions about the same thing.
    >
    > Can anyone clue me in to the exact trojan/worm/virus this may be and/or
    > if they're seeing the same kind of traffic.
    >
    > Any insight is appreciated....
    >
    > Thanks.
    >
    > B
    >


    6667 is generally an IRC server, so maybe it's an IRC-spread worm?
    If you run IRC, you could check to see if there's anything (scripts) funny in
    your IRC dir, I guess.


    --
    Mimic

    "Without Knowledge you have fear, With fear you create your own nightmares."
    "There are 10 types of people in this world. Those that understand Binary,
    and those that dont."
    "C makes it easy to shoot yourself in the foot. C++ makes it harder, but
    when you do, it blows away your whole leg"
    Mimic, Sep 19, 2003
    #4
  5. ex-Zephion

    Chuck Guest

    On Thu, 18 Sep 2003 11:32:06 -0400, ex-Zephion
    <> wrote:

    >Hello,
    >
    >I'm seeing a lot of traffic trying to leave my firewall destined for
    >port 6667 at the IPs 10.0.1.128, 10.10.10.10, 1.1.1.1 and 1.3.3.7
    >(sounds like l337/elite to me :).
    >
    >Yes - I know the 10.x.x.x traffic isn't going too far.... RFC1918, etc,
    >etc.
    >
    >Various Google searches and searches on the various A/V sites haven't
    >turned up a definite answer - just more questions about the same thing.
    >
    >Can anyone clue me in to the exact trojan/worm/virus this may be and/or
    >if they're seeing the same kind of traffic.
    >
    >Any insight is appreciated....
    >
    >Thanks.
    >
    >B


    Automated detection tools, rather than manual searches of discussion
    groups, might be more useful.

    If I were you, I'd give Spybot S&D, and HijackThis, a shot. Start
    from this article (ignore the title):
    http://forums.spywareinfo.com/index.php?showtopic=5187


    Chuck

    Spam sucks - PLEASE get rid of the spam before emailing me!
    Trusted Computing? Right! http://www.againsttcpa.com/
    WHAT IS THE CBDTPA? http://www.stoppoliceware.org/
    Chuck, Sep 19, 2003
    #5
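
Added example, not part of any post in this thread: one way to find which internal machine is producing the traffic the original post describes, by grouping the firewall's egress log entries for TCP port 6667 by source address. The iptables-style log format, the host addresses and the function names are assumptions; the sample lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Destinations named in the original post; 6667 is the port it reports.
THREAD_DESTS = {"10.0.1.128", "10.10.10.10", "1.1.1.1", "1.3.3.7"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

# Constructed sample: iptables-style LOG lines (assumed format, hypothetical hosts).
SAMPLE_LOG = """\
Sep 18 11:20:01 fw kernel: EGRESS SRC=192.168.1.23 DST=1.3.3.7 PROTO=TCP SPT=1045 DPT=6667
Sep 18 11:20:04 fw kernel: EGRESS SRC=192.168.1.23 DST=10.0.1.128 PROTO=TCP SPT=1046 DPT=6667
Sep 18 11:20:07 fw kernel: EGRESS SRC=192.168.1.23 DST=1.1.1.1 PROTO=TCP SPT=1047 DPT=6667
Sep 18 11:20:10 fw kernel: EGRESS SRC=192.168.1.23 DST=10.10.10.10 PROTO=TCP SPT=1048 DPT=6667
Sep 18 11:20:12 fw kernel: EGRESS SRC=192.168.1.40 DST=203.0.113.9 PROTO=TCP SPT=2210 DPT=80
Sep 18 11:20:15 fw kernel: EGRESS SRC=192.168.1.57 DST=198.51.100.20 PROTO=TCP SPT=3301 DPT=6667
Sep 18 11:20:16 fw kernel: EGRESS truncated line SRC=192.168.1.23
Sep 18 11:21:01 fw kernel: EGRESS SRC=192.168.1.23 DST=1.3.3.7 PROTO=TCP SPT=1051 DPT=6667
"""

def suspect_hosts(log_text, port=6667):
    """Group outbound TCP attempts to `port` by internal source address."""
    hosts = defaultdict(lambda: {"attempts": 0, "dests": set(), "listed": set(), "rfc1918": set()})
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if f.get("PROTO") != "TCP" or f.get("DPT") != str(port):
            continue
        try:
            src, dst = ipaddress.ip_address(f["SRC"]), ipaddress.ip_address(f["DST"])
        except (KeyError, ValueError):
            continue  # skip truncated or malformed lines
        h = hosts[str(src)]
        h["attempts"] += 1
        h["dests"].add(str(dst))
        if str(dst) in THREAD_DESTS:
            h["listed"].add(str(dst))
        if any(dst in net for net in RFC1918):
            h["rfc1918"].add(str(dst))  # private destination, not routable on the Internet
    return dict(hosts)

def rank(hosts):
    """Hosts contacting the most thread-listed destinations first, then by volume."""
    return sorted(hosts, key=lambda ip: (-len(hosts[ip]["listed"]), -hosts[ip]["attempts"]))

if __name__ == "__main__":
    found = suspect_hosts(SAMPLE_LOG)
    for ip in rank(found):
        print(ip, found[ip]["attempts"], sorted(found[ip]["listed"]), sorted(found[ip]["rfc1918"]))
```

The host ranked first is the one to scan with the tools suggested in the replies; a host that only reaches other port 6667 destinations may simply be running an IRC client.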
