Educause Security Discussion mailing list archives
Re: IRC, IM Proxy Implementations
From: Justin Azoff <JAzoff () UAMAIL ALBANY EDU>
Date: Fri, 3 Sep 2004 12:22:17 +0000
Brian Eckman wrote:
> Phatbot (aka Polybot) versions were seen using stunnel to encrypt traffic this past spring (March and April). The servers I found were apparently running stunnel on port 1331/tcp, which is what the bots talked to. stunnel then presumably decrypted the traffic and passed it up to port 6667/tcp on the same host, which was the C&C IRCd. Detection was possible when the bots tried to spread to other hosts (then looking for 1331/tcp traffic to the controller once it was discovered).
I've found the easiest way to find them is to scan for 113: the virus is dumb enough to start an ident server on the hacked machine.

# nmap -p 113 --min_parallelism 100 --max_rtt_timeout 25 xx.xx.1.1/16

runs extremely fast and finds every irc "user". Then all you have to do is verify that that user has no idea what irc is.

I did a scan for 1331, and nothing is currently running on that port here. I wouldn't be surprised if that is an easily configurable port in a script.

-- 
Justin Azoff
Network Performance Analyst

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
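The two signals in this exchange (Brian's 1331/tcp connections from several internal hosts to one controller, and Justin's unexpected ident listener on 113/tcp) can be cross-referenced so that the hosts showing both get looked at first. The script below is an added illustration written for this archive page, not code from either poster: it parses nmap grepable (`-oG`) output for hosts with 113/tcp open, parses a simple constructed flow export for tcp/1331 connections, and ranks hosts by how many of the two indicators they match. The nmap output, the flow records and the addresses in them are constructed sample data, and the function names (`parse_ident_listeners`, `parse_cnc_clients`, `triage`) are my own.

```python
"""Triage candidate bot infections from two indicators described in the thread:
an unexpected ident (113/tcp) listener found by an nmap sweep, and outbound
1331/tcp connections from several internal hosts to one external controller.
All input data here is constructed for illustration, not real scan or flow data."""
import re
from collections import defaultdict

IDENT_PORT = 113   # the bot's ident server (Justin's indicator)
CNC_PORT = 1331    # stunnel front end for the C&C IRCd (Brian's indicator)

# Constructed sample of what `nmap -p 113 -oG - 10.1.0.0/24` might emit.
NMAP_GREPABLE = """\
# Nmap 3.55 scan initiated Fri Sep  3 12:00:00 2004 as: nmap -p 113 -oG - 10.1.0.0/24
Host: 10.1.0.5 ()\tPorts: 113/open/tcp//auth///
Host: 10.1.0.9 ()\tPorts: 113/closed/tcp//auth///
Host: 10.1.0.17 ()\tPorts: 113/open/tcp//auth///
Host: 10.1.0.42 ()\tPorts: 113/filtered/tcp//auth///
# Nmap done at Fri Sep  3 12:00:09 2004 -- 256 IP addresses (4 hosts up) scanned
"""

# Constructed sample flow export: src_ip,src_port,dst_ip,dst_port,proto
FLOW_RECORDS = """\
10.1.0.5,3021,203.0.113.7,1331,tcp
10.1.0.17,3999,203.0.113.7,1331,tcp
10.1.0.5,1040,203.0.113.7,1331,tcp
10.1.0.33,2100,203.0.113.7,1331,tcp
10.1.0.9,4444,198.51.100.2,80,tcp
10.1.0.60,5000,198.51.100.9,1331,udp
"""

# port/state/protocol/ prefix of each entry in the -oG "Ports:" field
_PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/")


def parse_ident_listeners(grepable, port=IDENT_PORT):
    """Return the set of hosts whose nmap -oG line shows `port` open on tcp."""
    hits = set()
    for line in grepable.splitlines():
        if not line.startswith("Host:"):
            continue  # skip the "# Nmap ..." banner and trailer lines
        host = line.split()[1]
        ports_field = line.partition("Ports:")[2]
        for p, state, proto in _PORT_RE.findall(ports_field):
            if int(p) == port and proto == "tcp" and state == "open":
                hits.add(host)
    return hits


def parse_cnc_clients(flow_text, port=CNC_PORT):
    """Map each destination receiving tcp/`port` to the set of internal sources."""
    clients = defaultdict(set)
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        src, _sport, dst, dport, proto = line.split(",")
        if proto == "tcp" and int(dport) == port:
            clients[dst].add(src)
    return dict(clients)


def triage(ident_hosts, cnc_clients, min_shared=2):
    """Rank hosts by indicator count; a destination counts as a controller
    only when at least `min_shared` internal hosts talk to it, so a lone
    legitimate service on 1331/tcp does not flag anyone by itself."""
    reasons = defaultdict(list)
    for host in ident_hosts:
        reasons[host].append(f"unexpected ident listener on {IDENT_PORT}/tcp")
    for dst, srcs in cnc_clients.items():
        if len(srcs) < min_shared:
            continue
        for src in srcs:
            reasons[src].append(
                f"{CNC_PORT}/tcp to {dst} shared with {len(srcs) - 1} other host(s)")
    # Most indicators first, then by address so the output is stable.
    return sorted(reasons.items(), key=lambda kv: (-len(kv[1]), kv[0]))


if __name__ == "__main__":
    ranked = triage(parse_ident_listeners(NMAP_GREPABLE),
                    parse_cnc_clients(FLOW_RECORDS))
    for host, why in ranked:
        print(host, "->", "; ".join(why))
```

In real use, feed the first function the file written by `nmap ... -oG file` and the second a CSV export of whatever flow or firewall logs you have; the ranking only tells you where to start, and as Justin notes the final check is still asking whether the user in question has any idea what IRC is. The `min_shared` threshold is the knob that separates "one host talks to a 1331/tcp service" from "a cluster of hosts report to the same controller".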
Current thread:
- IRC, IM Proxy Implementations Hearn, David L. (Sep 02)
- <Possible follow-ups>
- Re: IRC, IM Proxy Implementations Dave Monnier, IT Security Office, Indiana University (Sep 02)
- Re: IRC, IM Proxy Implementations Rick Coloccia (Sep 02)
- Re: IRC, IM Proxy Implementations Craig Blaha (Sep 02)
- Re: IRC, IM Proxy Implementations Gary Flynn (Sep 02)
- Re: IRC, IM Proxy Implementations Gary Flynn (Sep 02)
- Re: IRC, IM Proxy Implementations Dave Monnier, IT Security Office, Indiana University (Sep 02)
- Re: IRC, IM Proxy Implementations Richard Gadsden (Sep 02)
- Re: IRC, IM Proxy Implementations Dave Monnier, IT Security Office, Indiana University (Sep 02)
- Re: IRC, IM Proxy Implementations H. Morrow Long (Sep 02)
- Re: IRC, IM Proxy Implementations Justin Azoff (Sep 03)
- Re: IRC, IM Proxy Implementations Richard Gadsden (Sep 03)
- Re: IRC, IM Proxy Implementations Dave Monnier, IT Security Office, Indiana University (Sep 03)
- Re: IRC, IM Proxy Implementations Gary Flynn (Sep 03)
- Re: IRC, IM Proxy Implementations Brian Eckman (Sep 03)
- Re: IRC, IM Proxy Implementations Mike Iglesias (Sep 03)
- Re: IRC, IM Proxy Implementations Richard Gadsden (Sep 03)
- Re: IRC, IM Proxy Implementations Justin Azoff (Sep 03)
- Re: IRC, IM Proxy Implementations Justin Azoff (Sep 03)
- Re: IRC, IM Proxy Implementations Dave Monnier, IT Security Office, Indiana University (Sep 03)
- Re: IRC, IM Proxy Implementations John Kristoff (Sep 03)
(Thread continues...)