Educause Security Discussion mailing list archives
Re: IRC, IM Proxy Implementations
From: "H. Morrow Long" <morrow.long () YALE EDU>
Date: Wed, 8 Sep 2004 13:10:51 -0400
"USERID : UNIX :" is a fairly common and legit response. It is the ggdmlnfa as the username which is the tipoff that the ident response is bogus (though as a privacy fanatic, if I want to have an identd on my own PC which returns whatever the heck I want -- including obscuring my name -- who is to say what is really a legit username...).

The most illegit thing you should key off of really is the fact that the remote identd/auth is giving you ANY response at all to your empty (e.g. CRLF or CRLF & CRLF) query -- that should really be the basis for identifying bogus ident responses.

- H. Morrow Long, CISSP, CISM
University Information Security Officer
Director -- Information Security Office
Yale University, ITS

On Sep 8, 2004, at 9:38 AM, Justin Azoff wrote:
> Mark Wilson wrote:
>
>> Concerning port 113, regular scans of our network for port 113 have uncovered many bots. One "tool" you may wish to use is expect. I have written an expect script that telnets into port 113 and performs a <CR> to get the familiar:
>>
>> spawn telnet 131.204.x.x 113
>> Trying 131.204.x.x ...
>> Connected to 131.204.x.x.
>> Escape character is '^]'.
>>
>> : USERID : UNIX : ggdmlnfa
>> ^]
>>
>> This confirms the PC is Bot-ed. After scanning port 113, dump the IPs (with port 113 open) to a file. The expect script reads the IP file to "automate" the process.
>>
>> Mark Wilson GCIA, CISSP #53153
>> Network Security Specialist
>> Auburn University
>> (334) 844-9347
>
> This is very similar to what my script does. I wrote a python wrapper to nmap, and then a module called "banners" which connects to each port and sends \n\n, then reads in the response. Then another module has a list of bad banners. Any host with a bad banner gets its port disabled, and a ticket created.
>
> Question for you though :-) Right now the "USERID : UNIX" is not set as a bad banner, as I wasn't sure if any legitimate irc client's ident server had that signature. Has using that criteria picked up any false positives for you?
>
> --
> -- Justin Azoff
> -- Network Performance Analyst
>
> **********
> Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
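The classification rule the thread converges on (key off a USERID reply to an empty CRLF query, not off the particular username) as an added example. This is not any message in the thread and not Mark's expect script or Justin's "banners" module; it is a stand-alone Python classifier written for this page. It assumes RFC 1413 reply syntax ("<server-port> , <client-port> : USERID|ERROR : ..."), a hypothetical network helper named probe_ident, and a set of constructed sample replies, one of which copies the shape Mark pasted above.

```python
import re
import socket
from dataclasses import dataclass
from typing import Optional

# RFC 1413 reply line: "<server-port> , <client-port> : USERID : <opsys> : <userid>"
# or                   "<server-port> , <client-port> : ERROR : <error-type>".
# A real identd copies the port pair back from the query; an empty query gives
# it nothing to copy and nothing to look up.
IDENT_REPLY = re.compile(
    r"^\s*(?P<ports>[^:]*?)\s*:\s*(?P<kind>USERID|ERROR)\s*:\s*(?P<rest>.*?)\s*$"
)
PORT_PAIR = re.compile(r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*$")


@dataclass
class IdentVerdict:
    suspicious: bool
    reason: str
    kind: Optional[str] = None      # "USERID", "ERROR" or None (unparseable / silent)
    userid: Optional[str] = None    # only filled for USERID replies


def classify_empty_probe_reply(reply: bytes) -> IdentVerdict:
    """Classify what a port-113 service answered to an EMPTY query (bare CRLF).

    The only conforming answers to an empty line are silence or an ERROR reply,
    since there is no port pair to look up. A USERID reply means the service
    hands out a name without being asked for one, which is the tipoff in the
    thread; the username itself is deliberately not used as the criterion.
    """
    text = reply.decode("ascii", errors="replace").strip()
    if not text:
        return IdentVerdict(False, "no reply to empty query (normal identd behaviour)")
    m = IDENT_REPLY.match(text)
    if not m:
        return IdentVerdict(True, f"non-RFC1413 data on port 113: {text!r}")
    kind = m.group("kind")
    if kind == "ERROR":
        return IdentVerdict(False, f"ERROR reply to empty query: {m.group('rest')}", kind)
    # USERID to an empty query: nothing was asked, yet a name came back.
    fields = [f.strip() for f in m.group("rest").split(":")]
    userid = fields[-1] if fields else ""
    reason = "USERID reply to empty query"
    if PORT_PAIR.match(m.group("ports")) is None:
        reason += " with no port pair echoed"
    return IdentVerdict(True, reason, kind, userid)


def probe_ident(host: str, timeout: float = 5.0) -> bytes:
    """Hypothetical network helper: send the empty query to TCP/113 of a host you
    administer and return the raw reply (empty bytes if it stays silent).
    Not exercised offline; feed its result to classify_empty_probe_reply()."""
    with socket.create_connection((host, 113), timeout=timeout) as s:
        s.sendall(b"\r\n")
        chunks = []
        try:
            while True:
                data = s.recv(512)
                if not data:
                    break
                chunks.append(data)
                if b"\n" in data:
                    break
        except socket.timeout:
            pass
        return b"".join(chunks)


# Constructed sample replies (not captured traffic); "bot_like" copies the shape
# shown in the thread, the others are what a conforming identd, a silent host and
# an unrelated service would say.
SAMPLE_REPLIES = {
    "bot_like": b": USERID : UNIX : ggdmlnfa\r\n",
    "rfc_error": b"0 , 0 : ERROR : INVALID-PORT\r\n",
    "silent": b"",
    "junk": b"220 mail.example.invalid ESMTP\r\n",
}


def run_samples() -> dict:
    """Classify every constructed sample; used both by main() and by tests."""
    return {name: classify_empty_probe_reply(r) for name, r in SAMPLE_REPLIES.items()}


if __name__ == "__main__":
    for name, v in run_samples().items():
        print(f"{name:10s} suspicious={v.suspicious!s:5s} {v.reason}")
```

The classifier treats an ERROR reply as benign because RFC 1413 allows a server to answer a malformed query with ERROR : INVALID-PORT; a site that prefers Morrow's stricter rule (any reply at all is suspect) only needs to flip that branch. The port-pair check is reported in the reason string rather than used as a separate verdict, so a ticket shows why a host was flagged.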