[Dshield] RE: Log ID and Template question...

Ryan J Betz ryanb at maumeepattern.com
Tue Jul 24 17:25:28 GMT 2001


Nope, you're right.  I should have read it with a little more attention to
detail.  Could be someone trying to run a client (bot) from that computer
like you suggested.

My bad,
Ryan


Are you sure? The SYN bit doesn't appear to be set, which I'd expect on
initial inbound TCP requests.

These all look to me like IRC *responses* - the outbound IRC traffic is
permitted but the server's response is being blocked. Someone could be
scanning you from the IRC port in an attempt to bypass your firewall,
but the many different source IP addresses argue against that.

I would check 206.126.3.14 for some kind of IRC client software -
including, most dangerously, a DDoS zombie, many of which register on
and are controlled via public IRC servers when active.

You may also want to add a rule blocking outbound traffic destined to
6666:6668/tcp and see what it reports.

--
John Hardin                                   <johnh at aproposretail.com>
Internal Systems Administrator                    voice: (425) 672-1304
Apropos Retail Management Systems, Inc.             fax: (425) 672-0192
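
Added example, not part of the original thread: a sketch of the triage described above, separating blocked packets that are replies from IRC servers (source port 6666:6668, SYN not set on its own) from genuine inbound connection attempts, and grouping them by internal host. The netfilter-style log format, the function names, and every sample address except 206.126.3.14 are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

IRC_PORTS = range(6666, 6669)   # 6666:6668/tcp, the range named in the message
TCP_FLAGS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}
FIELD = re.compile(r"(\w+)=(\S*)")

# Constructed sample of blocked inbound packets (assumed netfilter LOG layout).
SAMPLE_LOG = """\
IN=eth0 OUT= SRC=192.0.2.10 DST=206.126.3.14 LEN=40 PROTO=TCP SPT=6667 DPT=1037 WINDOW=8760 RES=0x00 ACK URGP=0
IN=eth0 OUT= SRC=198.51.100.7 DST=206.126.3.14 LEN=44 PROTO=TCP SPT=6667 DPT=1038 WINDOW=8760 RES=0x00 ACK SYN URGP=0
IN=eth0 OUT= SRC=203.0.113.99 DST=206.126.3.14 LEN=52 PROTO=TCP SPT=6666 DPT=1040 WINDOW=8760 RES=0x00 ACK PSH URGP=0
IN=eth0 OUT= SRC=203.0.113.5 DST=10.0.0.20 LEN=44 PROTO=TCP SPT=6667 DPT=23 WINDOW=512 RES=0x00 SYN URGP=0
IN=eth0 OUT= SRC=192.0.2.77 DST=10.0.0.20 LEN=44 PROTO=TCP SPT=31337 DPT=80 WINDOW=512 RES=0x00 SYN URGP=0
"""

def classify(line):
    """Return (fields, verdict) for one blocked-packet log line."""
    fields = dict(FIELD.findall(line))
    flags = TCP_FLAGS & set(line.split())
    if fields.get("PROTO") != "TCP" or int(fields.get("SPT", 0)) not in IRC_PORTS:
        return fields, "other"
    # A new inbound connection carries SYN without ACK; anything else from
    # an IRC source port is a reply to a connection opened from the inside.
    if "SYN" in flags and "ACK" not in flags:
        return fields, "inbound-attempt"
    return fields, "irc-response"

def summarize(log_text):
    """Map each internal host to the remote sources seen per verdict."""
    hosts = defaultdict(lambda: {"irc-response": set(), "inbound-attempt": set()})
    for line in log_text.splitlines():
        fields, verdict = classify(line)
        if verdict != "other":
            hosts[fields["DST"]][verdict].add(fields["SRC"])
    return {h: {k: sorted(v) for k, v in d.items()} for h, d in hosts.items()}

if __name__ == "__main__":
    for host, seen in summarize(SAMPLE_LOG).items():
        print(host, seen)
```

A host that shows many distinct sources under irc-response and none under inbound-attempt matches the pattern described for 206.126.3.14 and is the one to inspect for IRC client software.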




