Educause Security Discussion mailing list archives
Re: IRC, IM Proxy Implementations
From: Mark Wilson <wilsodm () AUBURN EDU>
Date: Wed, 8 Sep 2004 08:52:04 -0500
Well, 100% of the boxes we have found with this sig have been compromised. However, your point is well taken. I would be interested in others' experiences.
>>> JAzoff () UAMAIL ALBANY EDU 9/8/2004 8:38:37 AM >>>
Mark Wilson wrote:

Concerning port 113, regular scans of our network for port 113 have uncovered many bots. One "tool" you may wish to use is expect. I have written an expect script that telnets into port 113 and performs a <CR> to get the familiar:

    spawn telnet 131.204.x.x 113
    Trying 131.204.x.x ...
    Connected to 131.204.x.x.
    Escape character is '^]'.
    : USERID : UNIX : ggdmlnfa
    ^]

This confirms the PC is bot-ed. After scanning port 113, dump the IPs (with port 113 open) to a file. The expect script reads the IP file to "automate" the process.

Mark Wilson GCIA, CISSP #53153
Network Security Specialist
Auburn University
(334) 844-9347
This is very similar to what my script does. I wrote a python wrapper to nmap, and then a module called "banners" which connects to each port and sends \n\n, then reads in the response. Then another module has a list of bad banners. Any host with a bad banner gets its port disabled, and a ticket created.

Question for you though :-) Right now the "USERID : UNIX" is not set as a bad banner, as I wasn't sure if any legitimate irc client's ident server had that signature. Has using that criterion picked up any false positives for you?

--
-- Justin Azoff
-- Network Performance Analyst

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
**********
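Added example (editor's code, not Mark's expect script or Justin's nmap wrapper): a Python banner check along the lines both messages describe. It connects to port 113, sends a bare CRLF in place of the telnet <CR>, reads the reply and matches it against a bad-banner list. The one refinement, which is this example's own assumption rather than something the thread settles, is to anchor the pattern at the start of the reply: a bot's fake identd answers a bare CRLF with ": USERID : UNIX : <random name>" and nothing in front of the first colon, whereas a real identd echoes the requested port pair before the colon and, given no port pair at all, should return an ERROR line or close the connection. A throwaway responder on 127.0.0.1 stands in for a scanned host so the script runs offline; its bot-style reply is the text from Mark's session quoted above, the legitimate reply is a constructed sample.

```python
import re
import socket
import threading

# "Bad banner" patterns. The only entry is the signature from the thread,
# anchored at the start of the reply: a bare CRLF carries no port pair, so a
# reply that begins with ": USERID : UNIX : <name>" came from a fake identd
# that answers anything. A real identd echoes "<port>, <port> :" first, so the
# anchor is what keeps a genuine USERID reply from matching (assumption of this
# example, not something the thread settles).
BAD_BANNERS = [
    re.compile(r"^:\s*USERID\s*:\s*UNIX\s*:\s*\S+\s*$", re.IGNORECASE),
]


def grab_banner(host, port, probe=b"\r\n", timeout=3.0, limit=512):
    """Connect, send the probe, return the peer's reply as stripped text.

    Returns None when the port is closed/refused/unreachable, "" when the peer
    accepted the connection but said nothing before closing or timing out.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(probe)
            chunks = []
            while sum(len(c) for c in chunks) < limit:
                try:
                    data = s.recv(limit)
                except socket.timeout:
                    break          # peer holds the connection open silently
                if not data:
                    break          # peer closed after (or without) replying
                chunks.append(data)
    except OSError:
        return None
    return b"".join(chunks).decode("latin-1", "replace").strip()


def is_bad_banner(banner):
    """True if the banner matches any configured bad-banner pattern."""
    if not banner:
        return False
    return any(p.search(banner) for p in BAD_BANNERS)


def classify_host(host, port=113):
    """One scan result: the raw banner and whether it is on the bad list."""
    banner = grab_banner(host, port)
    return {"host": host, "port": port, "banner": banner, "bad": is_bad_banner(banner)}


def fake_ident(reply):
    """Constructed stand-in for a scanned host: a one-shot responder on
    127.0.0.1 that swallows the probe and answers with `reply`. Returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        with conn:
            conn.recv(64)          # the CRLF probe
            conn.sendall(reply)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


# Reply text from the telnet session quoted in the thread (bot) and a
# constructed sample of what a real identd returns to a request with no port pair.
BOT_REPLY = b": USERID : UNIX : ggdmlnfa\r\n"
LEGIT_REPLY = b"0, 0 : ERROR : INVALID-PORT\r\n"


def demo():
    """Scan both constructed responders; returns (bot_result, legit_result)."""
    bot = classify_host("127.0.0.1", fake_ident(BOT_REPLY))
    legit = classify_host("127.0.0.1", fake_ident(LEGIT_REPLY))
    return bot, legit


if __name__ == "__main__":
    for result in demo():
        verdict = "BAD BANNER" if result["bad"] else "ok"
        print(f"{result['host']}:{result['port']} {verdict} {result['banner']!r}")
```

To run it against a real sweep, feed the IP list that the port scan produced into classify_host in a loop; grab_banner returns None for hosts whose port 113 has since closed, which is_bad_banner treats as "nothing to judge" rather than as a hit.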