Educause Security Discussion mailing list archives
Re: IRC, IM Proxy Implementations
From: "H. Morrow Long" <morrow.long () YALE EDU>
Date: Fri, 3 Sep 2004 16:34:34 -0400
And usually if the PC is running a bogus identd/authd at TCP port 113 you can connect to it over the network with telnet or nc and hit return once or twice and get it to give you a "canned" ident response (w/o sending it a real request) which includes a very random looking userid (such as vvrscxxz).

- H. Morrow Long, CISSP, CISM
University Information Security Officer
Director -- Information Security Office
Yale University, ITS

On Sep 3, 2004, at 8:22 AM, Justin Azoff wrote:
> Brian Eckman wrote:
>> Phatbot (aka Polybot) versions were seen using stunnel to encrypt traffic this past spring (March and April). The servers I found were apparently running stunnel on port 1331/tcp which is what the bots talked to. stunnel then presumably decrypted the traffic and passed it up to port 6667/tcp on the same host, which was the C&C IRCd. Detection was possible when the bots tried to spread to other hosts (then looking for 1331/tcp traffic to the controller once it was discovered).
>
> I've found the easiest way to find them is to scan for 113: the virus is dumb enough to start an ident server on the hacked machine.
>
> a: # nmap -p 113 --min_parallelism 100 --max_rtt_timeout 25 xx.xx.1.1/16
>
> runs extremely fast and finds every irc "user". Then all you have to do is verify that that user has no idea what irc is.
>
> I did a scan for 1331, and nothing is currently running on that port here. I wouldn't be surprised if that is an easily configurable port in a script.
>
> --
> -- Justin Azoff
> -- Network Performance Analyst
>
> ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
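The check Morrow Long describes (connect to 113, send only a bare return, see whether a "canned" USERID reply with a random-looking userid comes back) as a small verification script, added here as an example and not code from any poster. A conforming RFC 1413 identd only answers a proper "port, port" query, so a USERID reply to an empty line is the tell; `looks_random` is a constructed heuristic for userids like vvrscxxz, and `start_fake_identd` is a constructed loopback stand-in for the bot's bogus daemon so the script can be exercised offline.

```python
import re
import socket
import threading

# RFC 1413 USERID reply: "<server-port>, <client-port> : USERID : <opsys> : <userid>"
IDENT_RE = re.compile(r"^\s*(\d+)\s*,\s*(\d+)\s*:\s*USERID\s*:\s*([^:]+?)\s*:\s*(\S+)")

def parse_ident_reply(line):
    """Return (opsys, userid) for a USERID reply, None for ERROR or garbage."""
    m = IDENT_RE.match(line)
    return None if m is None else (m.group(3), m.group(4))

def looks_random(userid):
    """Constructed heuristic: 6+ lowercase letters with almost no vowels (e.g. vvrscxxz)."""
    if not userid.isalpha() or not userid.islower() or len(userid) < 6:
        return False
    vowels = sum(ch in "aeiou" for ch in userid)
    return vowels / len(userid) < 0.2

def probe_ident(host, port=113, timeout=3.0):
    """Send only CRLF (no port pair); a real identd must not answer USERID to that."""
    try:
        s = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return {"open": False}
    with s:
        try:
            s.sendall(b"\r\n")
            data = s.recv(512).decode("ascii", "replace")
        except OSError:  # open but silent: behaves like a proper identd awaiting a query
            return {"open": True, "canned": False, "raw": ""}
    parsed = parse_ident_reply(data)
    if parsed is None:
        return {"open": True, "canned": False, "raw": data.strip()}
    opsys, userid = parsed
    return {"open": True, "canned": True, "opsys": opsys, "userid": userid,
            "suspicious": looks_random(userid)}

def start_fake_identd(reply=b"113, 6667 : USERID : UNIX : vvrscxxz\r\n"):
    """Constructed loopback stand-in for a bot's bogus identd: canned reply, reads no request."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(reply)
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]  # ephemeral port the probe should target
```

Run `probe_ident` against hosts that the nmap sweep reported with 113 open; a result with `"canned": True` and `"suspicious": True` is the case both posters describe and is worth following up with the machine's owner.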