What IRC servers did the honeypot, which has the IP address 172.16.134.191, communicate with?
I opened the binary log in Ethereal, and added a filter for outbound TCP traffic to ports 6660-6669, the common IRC ports. I noticed that the first 4 attempts of the trojan to connect to an IRC server failed. Attempt no. 5 succeeds, after which the trojan joins #xàéüîéðìx. I replaced the filter in Ethereal with a filter on the “USER” message (which would be one of the first messages the client sends to an IRC server on connecting), to see if there were more successful attempts to connect to IRC servers running on non-standard ports. If this were the only filter I used to answer this question, I would have known with which IRC servers actual communication took place, but I would have overlooked the IRC servers to which attempts were made to connect, but no connection could be set up. Since the first two servers listed below didn’t respond, no USER message was sent and I wouldn’t have known about them without filtering all outbound traffic to the common ports. Again, they were only attemp
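Added example, not part of the original answer: a Python sketch of the two filters described above, showing why each one alone gives an incomplete list. The packet summaries, the `Pkt` record and the server addresses are constructed placeholders (documentation ranges), not values from the capture.

```python
from collections import namedtuple

HONEYPOT = "172.16.134.191"      # honeypot address given in the question
IRC_PORTS = range(6660, 6670)    # the common IRC ports used in the first filter

# Constructed packet summaries; a real run would fill these from the capture.
Pkt = namedtuple("Pkt", "src dst dport flags payload")
SAMPLE = [
    Pkt(HONEYPOT, "192.0.2.10", 6667, "S", b""),     # SYN, never answered
    Pkt(HONEYPOT, "192.0.2.10", 6667, "S", b""),     # retransmitted SYN
    Pkt(HONEYPOT, "198.51.100.20", 6667, "S", b""),  # SYN, answered
    Pkt(HONEYPOT, "198.51.100.20", 6667, "PA",
        b"NICK bot1\r\nUSER bot1 host srv :bot\r\n"),
    Pkt(HONEYPOT, "203.0.113.30", 7000, "PA",        # IRC on a non-standard port
        b"USER bot1 host srv :bot\r\n"),
    Pkt(HONEYPOT, "203.0.113.40", 80, "PA", b"GET / HTTP/1.0\r\n\r\n"),
]

def attempted_on_irc_ports(pkts):
    """Filter 1: outbound TCP from the honeypot to 6660-6669, answered or not."""
    return {(p.dst, p.dport) for p in pkts
            if p.src == HONEYPOT and p.dport in IRC_PORTS}

def registered_with_user(pkts):
    """Filter 2: outbound payload carrying an IRC USER line, on any port."""
    hits = set()
    for p in pkts:
        if p.src != HONEYPOT:
            continue
        for line in p.payload.split(b"\n"):
            if line.strip().upper().startswith(b"USER "):
                hits.add((p.dst, p.dport))
    return hits

def classify(pkts):
    """Combine both filters so neither blind spot hides a server."""
    attempted = attempted_on_irc_ports(pkts)
    talked = registered_with_user(pkts)
    return {
        "communicated": sorted(talked),              # USER was sent
        "attempt_only": sorted(attempted - talked),  # missed by filter 2 alone
        "nonstandard_port": sorted(talked - attempted),  # missed by filter 1 alone
    }

if __name__ == "__main__":
    for label, servers in classify(SAMPLE).items():
        print(label, servers)
```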