To determine whether it is DNS or IRC or something else, you could use a
sniffer or an intrusion detection system like
www.snort.org. The latest versions of
Ethereal and/or WinDump should be able to look for DNS header information:
http://securityadmin.info/faq.htm#sniffer
Is there any chance you or your firewall has a rule that blocks all traffic
involving port TCP 6667 or TCP 53, regardless of whether it is part of what
should otherwise be an acceptable communication? Someone may have added a
rule to block TCP 53 as it is used for enumeration via DNS server zone
transfers; however, TCP 53 is also necessary for DNS resolution where the DNS
reply does not fit in a single UDP packet, so some DNS requests may
intermittently fail when the request is re-sent a second time using TCP
instead of UDP. Try looking through the firewall logs for other previous
entries. It could be that a rule on the firewall is over-blocking, i.e.
blocking legitimate traffic.
I don't see in the log where TCP 6667 is used, but note that 6667 is a
common port used by IRC chat and IRC remote-control worms [and other
programs like AOL AIM chat may try a variety of ports at startup to
get out through the firewall], though you wouldn't expect it to be
chat-related when 6667 is used on the client side. You could ask the
internal computer user whether he or she is using internet chat software and,
if not, unplug the network cable and start using antivirus and other tools
to investigate.
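The two checks this reply suggests, written out as an added Python example that is not part of the original thread: a header sanity check that tells a captured TCP/53 stream apart from IRC command text, a TC-bit check showing why a resolver falls back to TCP/53, and a parser that flags flows blocked at a regular interval. The log format is assumed from the single Symantec line quoted later in the thread, and every packet and log line in the block is constructed for the example.

```python
"""Added example, not code from the original thread.

  * classify_payload(): is a captured TCP/53 (or TCP/6667) stream a DNS
    message (2-byte length prefix + 12-byte header, RFC 1035 s4.2.2) or
    IRC command text?
  * needs_tcp_retry(): read the TC bit of a UDP DNS reply; a set bit is
    what makes the resolver re-send the query over TCP/53.
  * periodic_blocks(): parse firewall log lines (format assumed from the
    one Symantec line quoted in the thread) and report evenly spaced blocks.

All sample packets and log lines are constructed for this example.
"""
import re
import struct
from collections import defaultdict
from datetime import datetime
from statistics import median

DNS_HEADER = struct.Struct("!HHHHHH")   # id, flags, qdcount, ancount, nscount, arcount
FLAG_TC = 0x0200                         # truncation bit in the flags word
IRC_COMMAND = re.compile(rb"^(:\S+ )?(NICK|USER|PASS|JOIN|PRIVMSG|NOTICE|PING|PONG|CAP)\b")


def encode_name(name):
    """Encode a hostname as DNS labels: length byte + label, then a 0 terminator."""
    labels = [p.encode() for p in name.rstrip(".").split(".") if p]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def build_dns_query(name, qtype=1, txid=0x1234, tcp=False):
    """Build a recursive query (A record by default); tcp=True adds the
    2-byte length prefix that DNS over TCP requires."""
    header = DNS_HEADER.pack(txid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    msg = header + encode_name(name) + struct.pack("!HH", qtype, 1)
    return struct.pack("!H", len(msg)) + msg if tcp else msg


def needs_tcp_retry(udp_reply):
    """True if a UDP DNS reply has TC set: the answer did not fit in one UDP
    datagram, so the resolver repeats the query over TCP/53 (the case that a
    blanket 'block TCP 53' rule breaks)."""
    if len(udp_reply) < DNS_HEADER.size:
        return False
    flags = DNS_HEADER.unpack_from(udp_reply)[1]
    return bool(flags & FLAG_TC)


def classify_payload(payload):
    """Return 'irc', 'dns' or 'unknown' for the first bytes of a TCP stream.
    DNS test: length prefix matches the data, opcode is QUERY/IQUERY/STATUS,
    the reserved Z bit is clear, and there is at most one question."""
    if IRC_COMMAND.match(payload[:64]):
        return "irc"
    if len(payload) >= 2 + DNS_HEADER.size:
        (length,) = struct.unpack_from("!H", payload)
        _, flags, qd, an, ns, ar = DNS_HEADER.unpack_from(payload, 2)
        opcode = (flags >> 11) & 0xF
        z_bit = (flags >> 6) & 1
        if (length == len(payload) - 2 and opcode <= 2 and z_bit == 0
                and qd <= 1 and qd + an + ns + ar > 0):
            return "dns"
    return "unknown"


LOG_LINE = re.compile(
    r"^\[(?P<ts>\d\d/\d\d/\d{4} \d\d:\d\d:\d\d\.\d+)\] Block .*?"
    r"Source=(?P<src>[\d.]+) - Destination=(?P<dst>[\d.]+):(?P<port>\d+) - (?P<proto>TCP|UDP)"
)


def periodic_blocks(lines, min_events=3, tolerance=2.0):
    """Group blocked flows and return {(src, dst, port, proto): interval_s}
    for flows whose consecutive events are evenly spaced (within tolerance)."""
    events = defaultdict(list)
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%m/%d/%Y %H:%M:%S.%f")
        events[(m["src"], m["dst"], int(m["port"]), m["proto"])].append(ts)
    result = {}
    for flow, stamps in events.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        typical = median(gaps)
        if all(abs(g - typical) <= tolerance for g in gaps):
            result[flow] = typical
    return result


# Constructed sample log: the thread's flow every 20 s, plus one unrelated entry.
SAMPLE_LOG = [
    '[07/24/2003 12:00:47.52] Block host "" internet access - Source=192.168.16.250 - Destination=212.58.4.2:53 - TCP, Group Everyone',
    '[07/24/2003 12:01:07.52] Block host "" internet access - Source=192.168.16.250 - Destination=212.58.4.2:53 - TCP, Group Everyone',
    '[07/24/2003 12:01:12.00] Block host "" internet access - Source=192.168.16.77 - Destination=10.0.0.5:6667 - TCP, Group Everyone',
    '[07/24/2003 12:01:27.52] Block host "" internet access - Source=192.168.16.250 - Destination=212.58.4.2:53 - TCP, Group Everyone',
    '[07/24/2003 12:01:47.52] Block host "" internet access - Source=192.168.16.250 - Destination=212.58.4.2:53 - TCP, Group Everyone',
]

if __name__ == "__main__":
    for flow, gap in periodic_blocks(SAMPLE_LOG).items():
        print("periodic block:", flow, "every", gap, "s")
    print(classify_payload(build_dns_query("www.example.com", tcp=True)))
    print(classify_payload(b"NICK bot1234\r\nUSER bot 0 * :bot\r\n"))
```

A 20-second beat from one host to one resolver on TCP/53, with no matching UDP/53 entries and no DNS header in the captured bytes, points at a bot or misconfigured client rather than at truncated replies; a stream that does carry a well-formed DNS header on TCP/53 is the over-blocking case the reply describes.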
David Robbins said:
Hmmm, 212.58.4.2 is a domain name server in Turkey. Port 53 is the DNS
port. It would seem that your machine 192.168.16.250 is trying to do a DNS
lookup; maybe it has the wrong DNS configuration??
Suleyman said:
[07/24/2003 12:00:47.52] Block host "" internet access -
Source=192.168.16.250 - Destination=212.58.4.2:53 - TCP,
Group Everyone
The above message is given by my firewall logs (Symantec
Appliance 200R) every 20 seconds. I tried to solve this
problem with some anti-trojan programs, but this firewall
still gives lots of these messages. I cannot solve this
problem, please help me....