Educause Security Discussion mailing list archives

Re: IRC, IM Proxy Implementations


From: "Hearn, David L." <DHearn () ADMIN FSU EDU>
Date: Wed, 8 Sep 2004 09:57:49 -0400

Wow. Good thread! Thanks everyone. To clarify, or perhaps narrow the
scope of my original question though, does anyone require use of a proxy
server (or farm) for ALL outbound access? Or just dorms at least? This
is fairly common in the private sector but I'm wondering if there has
been any adoption in higher Ed. Or more importantly, what was/is the
resistance level?

Thanks again.

Dave Hearn
Windows Systems Group
Office of Technology Integration - Florida State University 
dhearn () admin fsu edu

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Justin Azoff
Sent: Wednesday, September 08, 2004 9:39 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] IRC, IM Proxy Implementations

Mark Wilson wrote:
Concerning port 113, regular scans of our network for port 113 have
uncovered many bots.  One "tool" you may wish to use is expect.  I have
written an expect script that telnets into port 113 and performs a <CR>
to get the familiar:

spawn telnet 131.204.x.x 113
Trying 131.204.x.x ...
Connected to 131.204.x.x.
Escape character is '^]'.

 : USERID : UNIX : ggdmlnfa
^]
This confirms PC is Bot-ed.

After scanning port 113, dump the IPs (with port 113 open) to a file.
The expect script reads the IP file to "automate" the process.

Mark Wilson
GCIA, CISSP #53153
Network Security Specialist
Auburn University
(334) 844-9347

This is very similar to what my script does, I wrote a python wrapper to
nmap, and then a module called "banners" which connects to each port and
sends \n\n, then reads in the response.  Then another module has a list
of bad banners.  Any host with a bad banner, gets its port disabled, and
a ticket created.

Question for you though :-)  Right now the "USERID : UNIX" is not set as
a bad banner, as I wasn't sure if any legitimate IRC client's ident
server had that signature.  Has using that criteria picked up any false
positives for you?

--
-- Justin Azoff
-- Network Performance Analyst

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/cg/.
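The check both posters describe (connect to port 113, send a bare line break, read the ident reply and flag the "USERID : UNIX" pattern) as an added Python example; this is not Mark's expect script or Justin's nmap wrapper, and the host addresses and banners below are constructed for the example. The triage rule encodes the thread's signal: an RFC 1413 reply that answers a query naming no port pair with USERID and a short, random-looking username. Because a legitimate IRC client's ident server also answers with USERID, the result is a triage flag rather than a verdict, so the raw banner is kept alongside the classification for an analyst to review (which is the false-positive question Justin raises).

```python
import re
import socket

# RFC 1413 ident reply: "<port-pair> : <resp-type> : <add-info>"
IDENT_RE = re.compile(
    r'^\s*(?P<ports>[^:]*?)\s*:\s*(?P<type>[A-Z-]+)\s*:\s*(?P<info>.*?)\s*$'
)


def parse_ident(line):
    """Split an ident reply into (port_pair, resp_type, add_info); None if not ident."""
    m = IDENT_RE.match(line.strip())
    if not m:
        return None
    return m.group('ports'), m.group('type'), m.group('info')


def classify_banner(line):
    """Return 'suspicious', 'ident' or 'none' for one banner line.

    'suspicious' is the pattern from the thread: a USERID answer to a query
    that named no port pair, carrying a short lowercase generated-looking name.
    A real identd answering a blank query normally returns an ERROR reply,
    and a client-side ident server answering a proper query echoes the port pair.
    """
    parsed = parse_ident(line)
    if parsed is None:
        return 'none'
    ports, rtype, info = parsed
    if rtype != 'USERID':
        return 'ident'
    user = info.split(':')[-1].strip()
    if ports == '' and re.fullmatch(r'[a-z]{6,12}', user):
        return 'suspicious'
    return 'ident'


def probe_ident(host, port=113, timeout=3.0):
    """Connect, send a bare CRLF as the expect script does, return the first reply line."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b'\r\n')
        data = b''
        while b'\n' not in data and len(data) < 512:
            chunk = s.recv(256)
            if not chunk:
                break
            data += chunk
    return data.decode('ascii', 'replace').split('\n')[0].rstrip('\r')


def triage_hosts(hosts, prober=probe_ident):
    """Map each host to (classification, raw banner); connection failures become 'none'."""
    results = {}
    for host in hosts:
        try:
            banner = prober(host)
        except OSError:
            results[host] = ('none', '')
            continue
        results[host] = (classify_banner(banner), banner)
    return results


# Constructed sample replies (documentation addresses, not real hosts).
SAMPLE_BANNERS = {
    '192.0.2.10': ' : USERID : UNIX : ggdmlnfa',          # the pattern from the thread
    '192.0.2.11': '6193, 23 : USERID : UNIX : stjohns',   # ordinary identd reply to a real query
    '192.0.2.12': '0 , 0 : ERROR : INVALID-PORT',          # identd rejecting the blank query
}


def fake_prober(host):
    """Offline stand-in for probe_ident that serves the constructed replies."""
    if host not in SAMPLE_BANNERS:
        raise OSError('connection refused')
    return SAMPLE_BANNERS[host]


if __name__ == '__main__':
    for host, (verdict, banner) in triage_hosts(
            list(SAMPLE_BANNERS) + ['192.0.2.13'], prober=fake_prober).items():
        print(f'{host:<12} {verdict:<11} {banner}')
```

Swap `fake_prober` for the default `probe_ident` to run it against the IP list produced by a port 113 scan; the `suspicious` hosts are the ones to hand to a ticket, with the banner attached so the client-ident false positives Justin asks about can be sorted out by hand.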
