If it is a Windows machine, use fport to see what EXE is opening the port. If it is Unix, then lsof will do the same job.

http://www.foundstone.com/knowledge/intrusion_detection.html

Note the port and file monitors which might be useful in your investigation?!?

http://freshmeat.net/projects/lsof

Hope this helps

Trevor Cushen
Sysnet Ltd
www.sysnet.ie
Tel: +353 1 2983000
Fax: +353 1 2960499

-----Original Message-----
From: dsardina [mailto:dsardina@;si.rr.com]
Sent: 15 October 2002 21:41
To: Kip Sr.; [EMAIL PROTECTED]
Subject: Re: Increase in traffic on port 20480 and 6667

I don't know much about port 20480, but 6667 is an attempt to connect to a mIRC Server. I don't know if 192.168.0.199 is a router IP or a PC, but if it's a PC, check to see if that PC has any IRC server software installed. (6667) is the default port for an IRC server.//

Just my 2 cents
Good Luck~
DS-

----- Original Message -----
From: "Kip Sr." <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, October 10, 2002 3:16 PM
Subject: Increase in traffic on port 20480 and 6667

> Hi there,
>
> In the past few days, my IDS has been picking up
> traffic coming from port 20480 (on Internet servers)
> to port 6667 (internal desktops). Both ports are
> commonly used by trojan horse programs. Has anyone
> else seen this?
>
> 10/10-11:50:01.977897 204.x.x.x:20480 -> 192.168.0.199:6667
> TCP TTL:255 TOS:0x10 ID:0 IpLen:20 DgmLen:195
>
> Thanks,
> Kip Sr.
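
The lsof check suggested in the reply above, as an added example that is not part of the original thread: it parses lsof's machine-readable `-F` output into one row per socket so the process holding port 6667 can be identified. The function names and the sample data (PIDs, command names, the 203.0.113.7 address) are constructed for illustration.

```shell
#!/bin/sh
# Added example: map a TCP port to the owning process with lsof's -F field output.

# Constructed sample of `lsof -nP -iTCP:6667 -F pcLfn` output (PIDs, names and
# addresses are made up; 203.0.113.7 is a documentation address).
sample_lsof_output() {
    cat <<'EOF'
p1432
cbncd
Lnobody
f4
n*:6667
f7
n192.168.0.199:6667->203.0.113.7:20480
p2210
circ-client
Lkip
f5
n192.168.0.199:40112->203.0.113.7:6667
EOF
}

# Turn -F output (one field per line, first character = field id) into one
# tab-separated row per socket: PID, command, user, fd, endpoint(s).
lsof_owners() {
    awk '
        /^p/ { pid = substr($0, 2); cmd = ""; user = "" }   # new process set
        /^c/ { cmd  = substr($0, 2) }
        /^L/ { user = substr($0, 2) }
        /^f/ { fd   = substr($0, 2) }                        # new file set
        /^n/ { printf "%s\t%s\t%s\t%s\t%s\n", pid, cmd, user, fd, substr($0, 2) }
    '
}

# Live use: list every process with a TCP socket on the given port.
port_owners() {
    case "$1" in
        ''|*[!0-9]*) echo "usage: port_owners PORT" >&2; return 2 ;;
    esac
    lsof -nP -iTCP:"$1" -F pcLfn | lsof_owners
}

# Keep only listening sockets (no "->" in the endpoint) from the parsed rows.
listeners() {
    awk -F '\t' '$5 !~ /->/ { print $1 "\t" $2 }'
}
```

Run `port_owners 6667` as root on the suspect host so sockets owned by other users are visible; a row with no `->` in the last column is a listener rather than an established connection.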