Re: IRC, IM Proxy Implementations

["H. Morrow Long" <morrow.long () YALE EDU>]

And usually if the PC is running a bogus identd/authd
at TCP port 113 you can connect to it over the network
with telnet or nc and hit return once or twice and get it
to give you a "canned" ident response (w/o sending it
a real request) which includes a very random looking
userid (such as vvrscxxz).

- H. Morrow Long, CISSP, CISM
  University Information Security Officer
  Director -- Information Security Office
  Yale University, ITS


On Sep 3, 2004, at 8:22 AM, Justin Azoff wrote:

> Brian Eckman wrote:
>
> > Phatbot (aka Polybot) versions were seen using stunnel to encrypt
> > traffic this past spring (March and April). The servers I found were
> > apparently running stunnel on port 1331/tcp which is what the bots
> > talked to. stunnel then presumedly decrypted the traffic and passed it
> > up to port 6667/tcp on the same host, which was the C&C IRCd.
> > Detection
> > was possible when the bots tried to spread to other hosts (then
> > looking
> > for 1331/tcp traffic to the controller once it was discovered).
>
>
> I've found the easiest way to find them is to scan for 113: the virus
> is
> dumb enough to start an ident server on the hacked machine.
> a:
> # nmap -p 113 --min_parallelism 100 --max_rtt_timeout 25 xx.xx.1.1/16
>
> runs extremely fast and finds every irc "user".  Then all you have to
> do
> is verify that that user has no idea what irc is.
>
> I did a scan for 1331, and nothing is currently running on that port
> here.  I wouldn't be surprised if that is an easily configurable port
> in
> a script.
>
>
> --
> -- Justin Azoff
> -- Network Performance Analyst
>
> **********
> Participation and subscription information for this EDUCAUSE
> Discussion Group discussion list can be found at
> http://www.educause.edu/cg/.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.

Attachment: smime.p7s
Description: