[Dshield] Can Nmap give false positives?

Roger RShady at stny.rr.com
Sat Jan 11 15:47:11 GMT 2003


Here is a simple batch file called IRCBOT-Detector.  You could open it
with Notepad or any other text editor and modify it to check each server on
your domain, or run the file separately on each server.
Just a thought....
http://www.jasons-toolbox.com/IRCBot-Detector.asp

Wayne Beckham wrote:

> 
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>I'm using the Sourceforge's NmapWin to look for illicit mIRC servers
>across my company's enterprise wan.  It's related to a hack called
>"TK1" that we still haven't completely figured out.  But the point of
>this message is that it loads mIRC.
>
>At any rate, Nmap will report irc on ports 6667 on a particular Win2K
>server - however when I go to the server in question, I can't find
>any installation of mIRC (which could be hidden, I suppose) but more
>importantly I can't find anything running on the particular port. 
>netstat doesn't show anything listening or connected - maybe I'm
>running that wrong?  Ditto for nbtstat - only normal connections.
>
>What am I missing?
>
></FLAME SHIELDS ON>
>
>- - Wayne
>
>-----BEGIN PGP SIGNATURE-----
>Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>
>
>iQA/AwUBPh+JMAx91CpcFNLaEQIQJgCgrjuVu/JIhdCeRKUXT7nGg6cWCs4AoNXS
>Gc0q+144mm5xVzy/6Gk/OLz9
>=b8Li
>-----END PGP SIGNATURE-----
>
>




