Port 6667 & 10.0.1.128/1.3.3.7/1.1.1.1


ex-Zephion

Hello,

I'm seeing a lot of traffic trying to leave my firewall destined for
port 6667 at the IPs 10.0.1.128, 10.10.10.10, 1.1.1.1 and 1.3.3.7
(sounds like l337/elite to me :-).

Yes - I know the 10.x.x.x traffic isn't going too far.... RFC1918, etc,
etc.

Various Google searches and searches on the various A/V sites haven't
turned up a definite answer - just more questions about the same thing.

Can anyone clue me in to the exact trojan/worm/virus this may be and/or
if they're seeing the same kind of traffic.

Any insight is appreciated....

Thanks.


Definitely strange on the IPs... but port 6667 is usually Internet
Relay Chat.
 
Most trojans use something like IRC in order not to give away the
identity of the master controller. Most of the AV vendors have dozens of
IRCbots listed, so it's not possible to know from just the port which
trojan you have.

Removal instructions are typical for trojans. Use a tool like Autostart
Viewer to see *all* your startup locations and identify suspicious
program files. Use netstat -ano (XP) to get the associated PID. Use Task
Manager to kill it, regedit to remove the startup item, and Windows
Explorer to delete the file.

If taskmgr, regedit, and msconfig get killed by the trojan, the trick
that usually works is to copy the files to taskmgr1, regedit1, and
msconfig1 and run those programs instead.

If these simple steps don't work, you'll need a trojan removal tool.

Get yourself a good firewall that manages outbound application traffic
(ZoneAlarm or Kerio or ...). These are usually effective against trojan
traffic.
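The triage step above (netstat -ano to find the PID behind the port 6667 connections) and the original poster's observation that the 10.x.x.x destinations never leave the LAN can be combined into a small helper. The script below is an added example, not code from anyone in this thread: it parses the text layout that Windows `netstat -ano` prints, pulls out every connection whose remote port is 6667, groups them by owning PID, and flags which destinations fall in RFC 1918 space. The netstat sample embedded in it is constructed for the example; the PIDs and local addresses are made up, and only the four destination IPs come from the thread.

```python
"""Triage helper for outbound IRC-port connections in `netstat -ano` output.

Added example (not from the thread). Parses Windows `netstat -ano` text,
selects rows whose remote port is 6667, groups them by PID and marks
RFC 1918 destinations, which are unroutable on the Internet.
"""
import ipaddress

IRC_PORT = 6667

# RFC 1918 private ranges, checked explicitly rather than via is_private
# (which also matches loopback, link-local and other special ranges).
RFC1918_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample of `netstat -ano` output (Windows XP layout).
# PIDs and local addresses are invented; destinations are the ones in the thread.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.5:1034       10.0.1.128:6667        SYN_SENT        1488
  TCP    192.168.1.5:1035       1.3.3.7:6667           SYN_SENT        1488
  TCP    192.168.1.5:1036       1.1.1.1:6667           SYN_SENT        1488
  TCP    192.168.1.5:1040       64.233.160.99:80       ESTABLISHED     2012
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       860
  UDP    0.0.0.0:445            *:*                                    4
"""


def parse_netstat(text):
    """Yield one dict per TCP/UDP row; header lines and '*:*' rows are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        # UDP rows have no State column, so the PID is always the last field.
        pid = parts[-1]
        state = parts[3] if proto == "TCP" and len(parts) >= 5 else ""
        host, _, port = foreign.rpartition(":")
        if not port.isdigit():
            continue  # e.g. "*:*" on UDP listeners
        yield {"proto": proto, "local": local, "remote_host": host,
               "remote_port": int(port), "state": state, "pid": int(pid)}


def is_rfc1918(host):
    """True if host is a literal IPv4 address inside 10/8, 172.16/12 or 192.168/16."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918_NETS)


def find_irc_connections(text, port=IRC_PORT):
    """Map PID -> list of netstat rows whose remote port equals `port`."""
    by_pid = {}
    for row in parse_netstat(text):
        if row["remote_port"] == port:
            by_pid.setdefault(row["pid"], []).append(row)
    return by_pid


def summarize(text, port=IRC_PORT):
    """Per-PID summary: distinct destinations and which of them are RFC 1918."""
    summary = {}
    for pid, rows in find_irc_connections(text, port).items():
        dests = sorted({r["remote_host"] for r in rows})
        summary[pid] = {
            "destinations": dests,
            "private_destinations": [d for d in dests if is_rfc1918(d)],
        }
    return summary


if __name__ == "__main__":
    for pid, info in summarize(SAMPLE_NETSTAT).items():
        print(f"PID {pid}: {len(info['destinations'])} destination(s) on port "
              f"{IRC_PORT}: {', '.join(info['destinations'])}")
        if info["private_destinations"]:
            print("  RFC 1918, never leaves the LAN: "
                  + ", ".join(info["private_destinations"]))
        # tasklist /FI "PID eq <pid>" names the process; then check its
        # autostart entry as described in the thread.
        print(f'  next: tasklist /FI "PID eq {pid}"')
```

Paste real `netstat -ano` output into `SAMPLE_NETSTAT` (or read it from a file) and the summary tells you which single PID owns all the port 6667 attempts, which is the process to look up with `tasklist` and in the autostart locations before killing it.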
 
I've recently seen a trojan that installs from a Web server using an IE
vulnerability (a _link_ to the page is sent in a spam mail, which is, however,
nice-looking HTML and is in English), installs a keylogger and sends key
sequences using IRC.

Most likely shit like that.
 