[unisog] Re: Coordinated Scan

Gary Flynn flynngn at jmu.edu
Sat Mar 23 02:08:46 GMT 2002


"Sherry M. Rogers" wrote:
> 
> We identified 13 Windows hosts altogether.  When scanned with nmap there
> were two interesting ports open - a port 99 which disappeared on
> subsequent scans, and port 8888.  Connecting to port 8888 revealed that it
> was running a program written by "darkIRC".

Quick scan of campus got a hit here on one student Windows box with 
8888-darkIRC. Is this the same beast as what is described here:

http://www.tlsecurity.net/cgi-bin/readme.pl?DarkIrc.Readme.txt
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.darkirc.html

-- 
Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/runsafe


