on a similar note, I noticed in my logs today outbound packets being blocked on port
6667 all trying to get to a list of repeating IRC sites, from 2 internal machines,
upon investigation, neither of these machines were running an IRC client. In fact I
shut down all the programs, and the connection attempts persited.
The connections show up on the local machies when doing a netstat -a, but are getting
dropped on the firewall. My conclusion is that these 2 machines have been visisted by
some greeks in a wooden horse.
Do these symptoms sound framiliar to anyone? I have checked the machines for the
obvious suspects (subseven / bo) and run the lastest McAffee on them.
Thanks
James
>>> "Enno Rey" <[EMAIL PROTECTED]> 02/09/00 02:43PM >>>
Steve Riley wrote:
> Does anyone have handy a list all the ports that the servers for these
> trojans live on? This would be useful information for creating a firewall
> rule that drops all inbound packets destined for such ports.
See www.simovits.com/nyheter9902.html
BTW: your FW should block /any/ traffic not expressly permitted...
Enno
[EMAIL PROTECTED]
PGP: 192E 3EBC AD7D DA41 82FC 0C21 5013 0A2C 42B9 F190
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
