From: Cossix (cossix@MINDSPRING.COM)
Date: Wed May 02 2001 - 14:18:32 CDT
IRC only uses those ports for its initial connection. DCC chatting and file
transfers are handled on completely different ports.
----- Original Message -----
From: "Valdis Kletnieks" <Valdis.Kletnieks@VT.EDU>
To: <INCIDENTS@SECURITYFOCUS.COM>
Sent: Wednesday, May 02, 2001 10:20 AM
Subject: Re: Strange Activity
On Tue, 01 May 2001 20:49:41 EDT, "Johannes B. Ullrich" <jullrich@EUCLIDIAN.COM>
> Looks like IRC traffic based on the ports used. Did you use IRC
> at the time?
I don't agree. First off, IRC usually is seen right around 6666-6668 or
so. Secondly, the packet sizes are weird for that..
> 16:26:14.957566 24.109.6.174.6700 > x.x.x.x.63781: tcp 0 (DF)
> 16:26:14.958509 x.x.x.x.63781 > 24.109.6.174.6700: tcp 1460 (DF)
> 16:26:14.959240 x.x.x.x.63781 > 24.109.6.174.6700: tcp 588 (DF)
An ACK for a previous packet, followed by 2K of data sent *out*. How
often do you type a line 2K long? ;)
> 16:26:15.155428 24.109.6.174.6700 > x.x.x.x.63781: tcp 0 (DF)
> 16:26:15.156308 x.x.x.x.63781 > 24.109.6.174.6700: tcp 1460 (DF)
> 16:26:15.157046 x.x.x.x.63781 > 24.109.6.174.6700: tcp 588 (DF)
Another ACK, another 2K sent. This is file transfer of some sort.
> 16:26:15.242682 172.150.125.247.6688 > x.x.x.x.63783: tcp 0 (DF)
> 16:26:15.286571 172.174.174.84.6700 > x.x.x.x.63780: tcp 0 (DF)
2 more ACKs?
> 16:26:15.443723 172.150.125.247.6688 > x.x.x.x.63783: tcp 0 (DF)
> 16:26:15.448809 x.x.x.x.63783 > 172.150.125.247.6688: tcp 1360 (DF)
> 16:26:15.449510 x.x.x.x.63783 > 172.150.125.247.6688: tcp 688 (DF)
ACK and 2K again..
> 16:26:15.479993 172.174.174.84.6700 > x.x.x.x.63780: tcp 0 (DF)
> 16:26:15.485314 x.x.x.x.63780 > 172.174.174.84.6700: tcp 1360 (DF)
and some more.
It *could* be IRC 'dcc send' traffic going outbound, but those
usually pick ephemeral port numbers at both ends (so I'd expect that
one or both ports would be up in the 32K range).
Given that 2 of the IPs involved have PTRs back to AOL address space,
I'd be more inclined to bet on file transfer to AIM buddies. However,
I admit not knowing what ports AIM likes to use, and it's just a bit
worrisome that the owner of the box wouldn't know about it.
I'd *REALLY* suggest checking that 'netstat' hasn't been rootkitted.
--
Valdis Kletnieks
Operating Systems Analyst
Virginia Tech
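The reasoning in the quoted message (per-flow byte direction, the "ACK in, ~2K out" rhythm, and whether the ports look like IRC or like ephemeral-on-both-ends DCC) can be automated over a tcpdump summary. The script below is an added example written for this archive page, not code from either poster. It parses the exact lines quoted in the thread (kept as a constructed sample, with the list's `x.x.x.x` placeholder standing in for the local host) and produces a per-flow verdict. The IRC port set `{6666, 6667, 6668}` is taken from the thread's wording, while the 2000-byte bulk threshold, the 32768 ephemeral-port boundary and the `LOCAL` placeholder are assumptions chosen for the example.

```python
import re
from collections import defaultdict

# Constructed sample: the tcpdump lines quoted in the thread, verbatim.
SAMPLE = """\
16:26:14.957566 24.109.6.174.6700 > x.x.x.x.63781: tcp 0 (DF)
16:26:14.958509 x.x.x.x.63781 > 24.109.6.174.6700: tcp 1460 (DF)
16:26:14.959240 x.x.x.x.63781 > 24.109.6.174.6700: tcp 588 (DF)
16:26:15.155428 24.109.6.174.6700 > x.x.x.x.63781: tcp 0 (DF)
16:26:15.156308 x.x.x.x.63781 > 24.109.6.174.6700: tcp 1460 (DF)
16:26:15.157046 x.x.x.x.63781 > 24.109.6.174.6700: tcp 588 (DF)
16:26:15.242682 172.150.125.247.6688 > x.x.x.x.63783: tcp 0 (DF)
16:26:15.286571 172.174.174.84.6700 > x.x.x.x.63780: tcp 0 (DF)
16:26:15.443723 172.150.125.247.6688 > x.x.x.x.63783: tcp 0 (DF)
16:26:15.448809 x.x.x.x.63783 > 172.150.125.247.6688: tcp 1360 (DF)
16:26:15.449510 x.x.x.x.63783 > 172.150.125.247.6688: tcp 688 (DF)
16:26:15.479993 172.174.174.84.6700 > x.x.x.x.63780: tcp 0 (DF)
16:26:15.485314 x.x.x.x.63780 > 172.174.174.84.6700: tcp 1360 (DF)
"""

# One tcpdump summary line: "<ts> <src>.<sport> > <dst>.<dport>: tcp <len> ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>.+?)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>.+?)\.(?P<dport>\d+):\s+tcp\s+(?P<len>\d+)"
)

LOCAL = "x.x.x.x"                 # assumption: placeholder for the monitored host
IRC_PORTS = {6666, 6667, 6668}    # the "6666-6668 or so" range from the thread
BULK_THRESHOLD = 2000             # assumption: bytes out with nothing in = bulk transfer
EPHEMERAL_MIN = 32768             # assumption: "up in the 32K range" as in the thread


def parse_flows(text):
    """Group packets by (remote_ip, remote_port, local_port) and sum bytes per direction."""
    flows = defaultdict(lambda: {"out_bytes": 0, "in_bytes": 0, "out_pkts": 0, "in_pkts": 0})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not TCP summary lines
        src, sport = m["src"], int(m["sport"])
        dst, dport = m["dst"], int(m["dport"])
        n = int(m["len"])
        if src == LOCAL:
            f = flows[(dst, dport, sport)]
            f["out_bytes"] += n
            f["out_pkts"] += 1
        elif dst == LOCAL:
            f = flows[(src, sport, dport)]
            f["in_bytes"] += n
            f["in_pkts"] += 1
    return dict(flows)


def verdict_for(remote_port, local_port, flow):
    """Apply the thread's heuristics: IRC-looking port, bulk outbound data, ephemeral pairing."""
    if remote_port in IRC_PORTS:
        return "irc-port"
    if flow["out_bytes"] >= BULK_THRESHOLD and flow["in_bytes"] == 0:
        return "bulk-outbound"  # ACKs in, data out: a file transfer of some sort
    return "other"


def triage(text):
    """Return {(remote_ip, remote_port, local_port): stats + verdict + ephemeral_both}."""
    report = {}
    for (rip, rport, lport), flow in parse_flows(text).items():
        entry = dict(flow)
        entry["verdict"] = verdict_for(rport, lport, flow)
        # DCC-style transfers usually pick ephemeral ports at both ends.
        entry["ephemeral_both"] = rport >= EPHEMERAL_MIN and lport >= EPHEMERAL_MIN
        report[(rip, rport, lport)] = entry
    return report


if __name__ == "__main__":
    for key, entry in sorted(triage(SAMPLE).items()):
        rip, rport, lport = key
        print(f"{rip}:{rport} <-> local:{lport} out={entry['out_bytes']} "
              f"in={entry['in_bytes']} verdict={entry['verdict']} "
              f"ephemeral_both={entry['ephemeral_both']}")
```

Running it on the quoted capture flags the 24.109.6.174:6700 flow as bulk outbound (4096 bytes out against two zero-length ACKs in, on a non-ephemeral remote port), which is exactly the pattern the message argues against plain IRC chat. The useful defensive follow-up is the one the thread already names: compare these flows against what `netstat` on the host claims is open, and treat a mismatch as a sign the host's own tools can no longer be trusted.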