Educause Security Discussion mailing list archives
Re: IRC, IM Proxy Implementations
From: "Hearn, David L." <DHearn () ADMIN FSU EDU>
Date: Wed, 8 Sep 2004 09:57:49 -0400
Wow. Good thread! Thanks everyone.

To clarify, or perhaps narrow the scope of my original question though, does anyone require use of a proxy server (or farm) for ALL outbound access? Or just dorms at least? This is fairly common in the private sector but I'm wondering if there has been any adoption in higher ed. Or more importantly, what was/is the resistance level?

Thanks again.

Dave Hearn
Windows Systems Group
Office of Technology Integration - Florida State University
dhearn () admin fsu edu

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Justin Azoff
Sent: Wednesday, September 08, 2004 9:39 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] IRC, IM Proxy Implementations

Mark Wilson wrote:
Concerning port 113, regular scans of our network for port 113 have uncovered many bots. One "tool" you may wish to use is expect. I have written an expect script that telnets into port 113 and performs a <CR> to get the familiar:

    spawn telnet 131.204.x.x 113
    Trying 131.204.x.x ...
    Connected to 131.204.x.x.
    Escape character is '^]'.

    : USERID : UNIX : ggdmlnfa
    ^]

This confirms the PC is Bot-ed. After scanning port 113, dump the IPs (with port 113 open) to a file. The expect script reads the IP file to "automate" the process.

Mark Wilson GCIA, CISSP #53153
Network Security Specialist
Auburn University
(334) 844-9347
This is very similar to what my script does. I wrote a Python wrapper to nmap, and then a module called "banners" which connects to each port and sends \n\n, then reads in the response. Then another module has a list of bad banners. Any host with a bad banner gets its port disabled, and a ticket created.

Question for you though :-) Right now the "USERID : UNIX" is not set as a bad banner, as I wasn't sure if any legitimate IRC client's ident server had that signature. Has using that criterion picked up any false positives for you?

--
-- Justin Azoff
-- Network Performance Analyst

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
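In the spirit of Justin's "banners" module and Mark's expect script, here is a small Python 3 probe added as an example (it is not code from the thread or from either poster's tools): it sends the bare newline to port 113, parses the RFC 1413 reply, matches it against the bad-banner signature quoted above, and treats an ERROR reply to the empty query as normal identd behaviour, one way to hold down the false positives Justin asks about. The eight-lowercase-letter userid pattern, the timeout, and the swappable probe parameter of scan_hosts (which lets the classifier be exercised offline) are my assumptions.

```python
import re
import socket

# RFC 1413 reply shape: "<port-pair> : USERID|ERROR : <rest>". The port pair
# is empty when the server was only sent a bare newline, as in the thread.
IDENT_LINE_RE = re.compile(
    r"^\s*(?P<ports>[^:]*):\s*(?P<kind>USERID|ERROR)\s*:\s*(?P<rest>.*)$")

# Bad-banner list in the spirit of Justin's module: the one entry is Mark's quoted
# signature; the 8-lowercase-letter userid is an assumption from that single sample.
BAD_BANNERS = [re.compile(r"USERID\s*:\s*UNIX\s*:\s*[a-z]{8}$")]

def parse_ident_reply(line):
    """Return (port_pair, kind, rest) or None if the line is not ident-shaped."""
    m = IDENT_LINE_RE.match(line.strip())
    if m is None:
        return None
    return m.group("ports").strip(), m.group("kind"), m.group("rest").strip()

def classify_ident_reply(line):
    """Classify one port-113 reply as 'bot', 'suspicious', 'ok' or 'unknown'."""
    text = line.strip()
    parsed = parse_ident_reply(text)
    if parsed is None:
        return "unknown"        # not an ident reply at all
    ports, kind, _rest = parsed
    if kind == "ERROR":
        return "ok"             # the RFC 1413 answer to a malformed port pair
    if any(p.search(text) for p in BAD_BANNERS):
        return "bot"            # the banner the thread calls "Bot-ed"
    if ports == "":
        return "suspicious"     # USERID for a query it could not have looked up
    return "ok"

def probe_ident(host, port=113, timeout=3.0):
    """Connect, send the bare newline the expect script sends, read one line."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"\r\n")
        reply = s.makefile("rb").readline(512)
    return reply.decode("ascii", errors="replace")

def scan_hosts(hosts, probe=probe_ident):
    # hosts is the port-113-open list nmap produced; probe is swappable for testing
    results = {}
    for host in hosts:
        try:
            results[host] = classify_ident_reply(probe(host))
        except OSError:
            results[host] = "no-reply"
    return results
```

RFC 1413 specifies an ERROR reply for a malformed port pair, so a USERID answer to an empty query is flagged rather than accepted; whether a particular client's built-in ident server follows that rule is exactly the false-positive question raised in the thread.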