Security Incidents mailing list archives
Happy Familiy- SOCKS, Telnet, and IRC
From: Crist Clark <crist.clark () GLOBALSTAR COM>
Date: Fri, 10 Nov 2000 16:48:50 -0800
Have something kind of neat here that I thought some of you out there might find interesting. I have been seeing SOCKS and Telnet scans from one host bouncing off of a firewall for some time. Here are the scans from this week,

9Oct2000 9:14:05 drop >hme0 tcp 203.101.17.225:41095 -> XXX.XXX.248.142:SOCKS 60
9Oct2000 9:14:05 drop >hme0 tcp 203.101.17.225:41096 -> XXX.XXX.248.142:telnet 60
12Oct2000 8:15:11 drop >hme0 tcp 203.101.17.225:45176 -> XXX.XXX.248.142:SOCKS 60
12Oct2000 8:15:11 drop >hme0 tcp 203.101.17.225:45177 -> XXX.XXX.248.142:telnet 60
17Oct2000 15:04:48 drop >hme0 tcp 203.101.17.225:34127 -> XXX.XXX.248.142:SOCKS 60
17Oct2000 15:04:48 drop >hme0 tcp 203.101.17.225:34128 -> XXX.XXX.248.142:telnet 60
18Oct2000 8:44:53 drop >hme0 tcp 203.101.17.225:55267 -> XXX.XXX.248.142:SOCKS 60
18Oct2000 8:44:53 drop >hme0 tcp 203.101.17.225:55268 -> XXX.XXX.248.142:telnet 60
20Oct2000 10:11:09 drop >hme0 tcp 203.101.17.225:56599 -> XXX.XXX.248.142:SOCKS 60
20Oct2000 10:11:09 drop >hme0 tcp 203.101.17.225:56600 -> XXX.XXX.248.142:telnet 60
20Oct2000 13:32:29 drop >hme0 tcp 203.101.17.225:47415 -> XXX.XXX.248.142:SOCKS 60
20Oct2000 13:32:29 drop >hme0 tcp 203.101.17.225:47416 -> XXX.XXX.248.142:telnet 60
30Oct2000 10:59:05 drop >hme0 tcp 203.101.17.225:41623 -> XXX.XXX.248.142:SOCKS 60
30Oct2000 10:59:05 drop >hme0 tcp 203.101.17.225:41624 -> XXX.XXX.248.142:telnet 60
30Oct2000 13:47:19 drop >hme0 tcp 203.101.17.225:50625 -> XXX.XXX.248.142:SOCKS 60
30Oct2000 13:47:19 drop >hme0 tcp 203.101.17.225:50626 -> XXX.XXX.248.142:telnet 60
31Oct2000 10:24:52 drop >hme0 tcp 203.101.17.225:57006 -> XXX.XXX.248.142:SOCKS 60
31Oct2000 10:24:52 drop >hme0 tcp 203.101.17.225:57007 -> XXX.XXX.248.142:telnet 60
31Oct2000 14:42:00 drop >hme0 tcp 203.101.17.225:45119 -> XXX.XXX.248.142:SOCKS 60
31Oct2000 14:42:00 drop >hme0 tcp 203.101.17.225:45120 -> XXX.XXX.248.142:telnet 60
31Oct2000 14:46:06 drop >hme0 tcp 203.101.17.225:45371 -> XXX.XXX.248.142:SOCKS 60
31Oct2000 14:46:06 drop >hme0 tcp 203.101.17.225:45372 -> XXX.XXX.248.142:telnet 60
1Nov2000 9:12:45 drop >hme0 tcp 203.101.17.225:48972 -> XXX.XXX.248.142:SOCKS 60
1Nov2000 9:12:45 drop >hme0 tcp 203.101.17.225:48973 -> XXX.XXX.248.142:telnet 60
2Nov2000 13:10:32 drop >hme0 tcp 203.101.17.225:34516 -> XXX.XXX.248.142:SOCKS 60
2Nov2000 13:10:32 drop >hme0 tcp 203.101.17.225:34517 -> XXX.XXX.248.142:telnet 60
3Nov2000 10:03:42 drop >hme0 tcp 203.101.17.225:39692 -> XXX.XXX.248.142:SOCKS 60
3Nov2000 10:03:42 drop >hme0 tcp 203.101.17.225:39693 -> XXX.XXX.248.142:telnet 60
3Nov2000 13:49:32 drop >hme0 tcp 203.101.17.225:56618 -> XXX.XXX.248.142:SOCKS 60
3Nov2000 13:49:32 drop >hme0 tcp 203.101.17.225:56619 -> XXX.XXX.248.142:telnet 60

The source is,

Name:    irc.one.net.au
Address: 203.101.17.225

After much toying with logs and tons of AWK and Perl fun, I managed to correlate these attacks with outgoing IRC traffic from one host in our network. The servers being visited have some interesting features as well, but the machine scanning us was never visited. I am waiting to hear from some admin at the external sites before I post any of the odd stuff I noticed about the servers my user was going to, maybe in a later post.

I assume there is some 'bot living on the scanning machine that hits people it sees on IRC channels. Anyone recognize the signature? I have not had any luck trying to track down other reports of such activity.

--
Crist J. Clark                       Network Security Engineer
crist.clark () globalstar com        Globalstar, L.P.
(408) 933-4387                       FAX: (408) 933-4926
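The correlation the post describes (AWK and Perl run over the firewall log to tie each inbound probe pair to the internal host that had just connected to IRC), as an added example in Python. This is not the poster's script and not part of the original message. It assumes the log layout quoted above, that the same firewall logs accepted outbound connections in that layout with action `accept`, and it works on constructed sample lines: the internal IRC client 10.1.2.3, the IRC server 192.0.2.10, the 15-minute look-back window and the unpaired decoy probe from 198.51.100.7 are all assumptions made for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Firewall log layout as quoted in the post, one record per line:
#   9Oct2000 9:14:05 drop >hme0 tcp 203.101.17.225:41095 -> XXX.XXX.248.142:SOCKS 60
# i.e. date time action >interface proto src:sport -> dst:dport length
LINE_RE = re.compile(
    r"^(?P<date>\d{1,2}[A-Za-z]{3}\d{4})\s+(?P<time>\d{1,2}:\d{2}:\d{2})\s+"
    r"(?P<action>\w+)\s+>(?P<iface>\S+)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\S+):(?P<sport>\S+)\s+->\s+(?P<dst>\S+):(?P<dport>\S+)\s+(?P<length>\d+)$"
)

# Service names the firewall prints instead of port numbers.
SERVICE_PORTS = {"SOCKS": 1080, "telnet": 23, "irc": 6667}


def port_number(field):
    """Turn a port field into an int, resolving the firewall's service names."""
    if field in SERVICE_PORTS:
        return SERVICE_PORTS[field]
    return int(field)


def parse_log(lines):
    """Parse log lines into dicts; lines that do not match the layout are skipped."""
    records = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        r = m.groupdict()
        r["ts"] = datetime.strptime(f"{r['date']} {r['time']}", "%d%b%Y %H:%M:%S")
        r["sport"] = port_number(r["sport"])
        r["dport"] = port_number(r["dport"])
        records.append(r)
    return records


def find_probe_pairs(records):
    """The signature from the post: a dropped SOCKS SYN and a dropped telnet SYN from the
    same source to the same target in the same second, with consecutive source ports.
    A lone SOCKS or telnet probe does not count.  Returns one event per pair, in time order."""
    by_key = defaultdict(list)
    for r in records:
        if r["action"] == "drop" and r["proto"] == "tcp" and r["dport"] in (1080, 23):
            by_key[(r["src"], r["dst"], r["ts"])].append(r)
    events = []
    for src, dst, ts in sorted(by_key, key=lambda k: k[2]):
        hits = by_key[(src, dst, ts)]
        socks = [h["sport"] for h in hits if h["dport"] == 1080]
        telnet = [h["sport"] for h in hits if h["dport"] == 23]
        if any(t - s == 1 for s in socks for t in telnet):
            events.append({"ts": ts, "scanner": src, "target": dst})
    return events


def correlate_with_irc(records, events, window=timedelta(minutes=15)):
    """For each probe pair, name the internal host whose accepted outbound TCP connection to
    an IRC port (6660-6669) is the most recent one inside `window` before the probe.
    Probes with no such session get irc_client None, so they are not over-attributed."""
    irc = sorted(
        (r for r in records
         if r["action"] == "accept" and r["proto"] == "tcp" and 6660 <= r["dport"] <= 6669),
        key=lambda r: r["ts"],
    )
    attributed = []
    for ev in events:
        candidates = [r for r in irc if ev["ts"] - window <= r["ts"] <= ev["ts"]]
        session = candidates[-1] if candidates else None
        attributed.append({**ev,
                           "irc_client": session["src"] if session else None,
                           "irc_server": session["dst"] if session else None})
    return attributed


def summarize(attributed):
    """Count probe pairs per (internal IRC client, scanner) so one noisy user stands out."""
    return Counter((a["irc_client"], a["scanner"]) for a in attributed)


# Constructed sample log: three drop pairs taken from the post's layout, outbound IRC accepts
# from an assumed internal client (10.1.2.3 -> 192.0.2.10:6667), one IRC session far outside
# the window, one unpaired SOCKS probe from a different source, and one unparseable line.
SAMPLE_LOG = """\
9Oct2000 9:12:30 accept >hme0 tcp 10.1.2.3:1043 -> 192.0.2.10:6667 60
9Oct2000 9:14:05 drop >hme0 tcp 203.101.17.225:41095 -> XXX.XXX.248.142:SOCKS 60
9Oct2000 9:14:05 drop >hme0 tcp 203.101.17.225:41096 -> XXX.XXX.248.142:telnet 60
12Oct2000 8:13:50 accept >hme0 tcp 10.1.2.3:1057 -> 192.0.2.10:6667 60
12Oct2000 8:15:11 drop >hme0 tcp 203.101.17.225:45176 -> XXX.XXX.248.142:SOCKS 60
12Oct2000 8:15:11 drop >hme0 tcp 203.101.17.225:45177 -> XXX.XXX.248.142:telnet 60
17Oct2000 12:00:00 accept >hme0 tcp 10.1.2.3:1099 -> 192.0.2.10:6667 60
17Oct2000 15:04:48 drop >hme0 tcp 203.101.17.225:34127 -> XXX.XXX.248.142:SOCKS 60
17Oct2000 15:04:48 drop >hme0 tcp 203.101.17.225:34128 -> XXX.XXX.248.142:telnet 60
18Oct2000 8:44:53 drop >hme0 tcp 198.51.100.7:2001 -> XXX.XXX.248.142:SOCKS 60
this line is not a firewall record
"""

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG.splitlines())
    result = correlate_with_irc(recs, find_probe_pairs(recs))
    for a in result:
        print(a["ts"], a["scanner"], "->", a["target"], "after IRC from", a["irc_client"])
    print(summarize(result))
```

The pairing rule (same second, consecutive source ports) is what makes the scanner's two SYNs one event rather than two unrelated drops; the look-back window is the tunable part, since a bot that probes everyone it sees join a channel will fire shortly after the outbound IRC connect, and a probe with no IRC session in the window should stay unattributed rather than be pinned on whichever user connected last.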
Current thread:
- Happy Familiy- SOCKS, Telnet, and IRC Crist Clark (Nov 13)
- Re: Happy Familiy- SOCKS, Telnet, and IRC Nicholas Brawn (Nov 13)
- Re: Happy Familiy- SOCKS, Telnet, and IRC Valdis Kletnieks (Nov 13)