I agree; my college recently had a similar problem with a Windows 2000 DC that had been compromised and had an IRC bot dropped on it. You might also want to check http://www.dshield.org and go to the Dshield Reports, Subnet Reports and see if the IP address for the PDC (or for your company if you're using NAT) is reported as a known attacker). If so, it indicates (with a reasonably high degree of probability) that the server has been compromised. In our case we were able to discover that our server was compromised and was launching ISAKMP scans against other networks around the country.
Charles Hamby -----Original Message----- From: Nelson, Ernie [mailto:[EMAIL PROTECTED]] Sent: Tuesday, February 11, 2003 8:24 AM To: Harish Gondavale; [EMAIL PROTECTED] Subject: RE: irc port open on 6668/tcp and 6667/tcp I'd grab the fport utility from http://www.foundstone.com/ and run it on the PDC to see what process is using those open ports. > Now my question is, why these port are open on PDC? Is > there something suspicious? What should I do to find > the exact reason?
