Security Incidents mailing list archives
Re: Happy Familiy- SOCKS, Telnet, and IRC
From: Nicholas Brawn <nickbrawn () ONETEL COM>
Date: Mon, 13 Nov 2000 11:55:13 +1100
On Fri, 10 Nov 2000 16:48:50 -0800 Crist Clark <crist.clark () GLOBALSTAR COM> wrote:
Have something kind of neat here that I thought some of you out there might find interesting. I have been seeing SOCKS and Telnet scans from one host bouncing off of a firewall for some time. Here are the scans from this week,

9Oct2000 9:14:05 drop >hme0 tcp 203.101.17.225:41095 -> XXX.XXX.248.142:SOCKS 60
9Oct2000 9:14:05 drop >hme0 tcp 203.101.17.225:41096 -> XXX.XXX.248.142:telnet 60
<snip>
The source is,

Name:    irc.one.net.au
Address: 203.101.17.225

After much toying with logs and tons of AWK and Perl fun, I managed to correlate these attacks with outgoing IRC traffic from one host in our network. The servers being visited have some interesting features as well, but the machine scanning us was never visited. I am waiting to hear from some admin at the external sites before I post any of the odd stuff I noticed about the servers my user was going to, maybe in a later post. I assume there is some 'bot living on the scanning machine that hits people it sees on IRC channels. Anyone recognize the signature? I have not had any luck trying to track down other reports of such activity.
That would be our irc server doing proactive checks (as users log in) to check if users are bouncing off wingate and/or open socks proxies. It is a commonplace practice across a number of irc networks.

Cheers,
Nick
--
Crist J. Clark
Network Security Engineer
crist.clark () globalstar com
Globalstar, L.P.
(408) 933-4387 FAX: (408) 933-4926
--
Secure email preferred. PGP key available on request.
Phone: +61 2 9025 7571 || Email: nickbrawn () onetel com
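The correlation Crist describes (matching the dropped SOCKS/telnet probes against outbound IRC connections from the same internal host) is easy to automate. The script below is an added example written for this archive page; it is not Crist's AWK/Perl and not anything from the IRC network mentioned in the thread. It parses Check Point-style firewall lines in the same layout as the ones quoted above, using constructed sample log lines with documentation-range addresses (203.0.113.0/24, 198.51.100.0/24) and private internal hosts. Assumptions: no NAT, so the address the IRC server probes is the same address that connected to it (with NAT you would first map the translated address back through the translation log); the service-name-to-port table and the sets of IRC and proxy ports are the example's own choices, not taken from the thread.

```python
import re
from datetime import datetime, timedelta

# Service names as they appear in the quoted log, mapped to ports (assumed mapping).
SERVICE_PORTS = {"SOCKS": 1080, "socks": 1080, "telnet": 23, "ircd": 6667}
# Ports an IRC network's open-proxy checker is commonly reported to probe (assumed set).
PROXY_PORTS = {1080, 23, 8080, 3128}
# Ports we treat as IRC for the outbound side of the correlation (assumed set).
IRC_PORTS = {6667, 6668, 6669, 7000}

# Constructed sample log in the same style as the lines quoted in the thread:
# "date time action <dir><iface> proto src:port -> dst:port len".
SAMPLE_LOG = """\
9Oct2000 9:13:58 accept <hme0 tcp 10.20.30.40:1045 -> 203.0.113.25:6667 60
9Oct2000 9:14:05 drop >hme0 tcp 203.0.113.25:41095 -> 10.20.30.40:SOCKS 60
9Oct2000 9:14:05 drop >hme0 tcp 203.0.113.25:41096 -> 10.20.30.40:telnet 60
9Oct2000 11:02:11 drop >hme0 tcp 198.51.100.7:3322 -> 10.20.30.41:SOCKS 60
9Oct2000 12:30:00 accept <hme0 tcp 10.20.30.50:1100 -> 203.0.113.25:6667 60
9Oct2000 12:30:04 drop >hme0 tcp 203.0.113.25:41300 -> 10.20.30.50:SOCKS 60
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{1,2}[A-Za-z]{3}\d{4}) (?P<time>\d{1,2}:\d{2}:\d{2}) "
    r"(?P<action>\w+) (?P<dir>[<>])(?P<iface>\S+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\S+) -> (?P<dst>[\d.]+):(?P<dport>\S+) (?P<len>\d+)$"
)


def _port(token):
    """Turn a numeric port or a service name from the log into an int (-1 if unknown)."""
    return int(token) if token.isdigit() else SERVICE_PORTS.get(token, -1)


def parse_line(line):
    """Parse one firewall log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{m['date']} {m['time']}", "%d%b%Y %H:%M:%S")
    return {"ts": ts, "action": m["action"], "proto": m["proto"],
            "src": m["src"], "sport": _port(m["sport"]),
            "dst": m["dst"], "dport": _port(m["dport"])}


def correlate(log_text, window=timedelta(seconds=120)):
    """Split dropped proxy probes into those explained by a preceding outbound IRC
    connection from the probed host to the prober (within `window`) and the rest.

    Returns (matched, unmatched). Each matched entry records the scanner, the internal
    host, the probed port and the delay between the IRC connect and the probe."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    irc_connects = [e for e in events if e["action"] == "accept" and e["dport"] in IRC_PORTS]
    probes = [e for e in events if e["action"] == "drop" and e["dport"] in PROXY_PORTS]
    matched, unmatched = [], []
    for p in probes:
        cause = next((c for c in irc_connects
                      if c["dst"] == p["src"] and c["src"] == p["dst"]
                      and timedelta(0) <= p["ts"] - c["ts"] <= window), None)
        if cause:
            matched.append({"scanner": p["src"], "host": p["dst"], "port": p["dport"],
                            "delay_s": int((p["ts"] - cause["ts"]).total_seconds())})
        else:
            unmatched.append(p)
    return matched, unmatched


def scanners_by_count(matched):
    """Count explained probes per scanning address, to see which IRC servers check clients."""
    counts = {}
    for m in matched:
        counts[m["scanner"]] = counts.get(m["scanner"], 0) + 1
    return counts


if __name__ == "__main__":
    matched, unmatched = correlate(SAMPLE_LOG)
    for m in matched:
        print(f"{m['scanner']} probed {m['host']}:{m['port']} {m['delay_s']}s after an IRC connect")
    for p in unmatched:
        print(f"unexplained: {p['src']} -> {p['dst']}:{p['dport']} at {p['ts']}")
    print(scanners_by_count(matched))
```

Probes that land in `unmatched` are the ones worth a closer look: a SOCKS or telnet probe from an address nobody inside the network just connected to on an IRC port does not fit the "server checks its own clients" explanation given in the reply.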
Current thread:
- Happy Familiy- SOCKS, Telnet, and IRC Crist Clark (Nov 13)
- Re: Happy Familiy- SOCKS, Telnet, and IRC Nicholas Brawn (Nov 13)
- Re: Happy Familiy- SOCKS, Telnet, and IRC Valdis Kletnieks (Nov 13)