Re: IRC, IM Proxy Implementations

["H. Morrow Long" <morrow.long () YALE EDU>]

"USERID : UNIX :" is a fairly common and legit response.

It is the ggdmlnfa as the username which is the tipoff that
the ident response is bogus (though as a privacy fanatic
if I want to have an identd on my own PC which returns
whatever the heck I want -- including obscuring my name--
who is to say what is really a legit username...).

The most illegit thing you should key off of really is the fact
that the remote identd/auth is giving you ANY response at
all to your empty (e.g. CRLF or CRLF & CRLF) query --
that should really be the basis for identifying bogus ident
responses.

- H. Morrow Long, CISSP, CISM
  University Information Security Officer
  Director -- Information Security Office
  Yale University, ITS


On Sep 8, 2004, at 9:38 AM, Justin Azoff wrote:

> Mark Wilson wrote:
> > Concerning port 113, regular scans of our network for port 113 has
> > uncovered many bots.  One "tool" you may wish to use is expect.  I
> > have
> > written an expect script that telnets into port 113 and performs a
> > <CR>
> > to get the familiar:
> >
> > spawn telnet 131.204.x.x 113
> > Trying 131.204.x.x ...
> > Connected to 131.204.x.x.
> > Escape character is '^]'.
> >
> >  : USERID : UNIX : ggdmlnfa
> > ^]
> > This confirms PC is Bot-ed.
> >
> > After scanning port 113, dump the IPs (with port 113 open) to a file.
> > The expect script reads the IP file to "automate" the process.
> >
> > Mark Wilson
> > GCIA, CISSP #53153
> > Network Security Specialist
> > Auburn University
> > (334) 844-9347
>
> This is very similar to what my script does, I wrote a python wrapper
> to
> nmap, and then a module called "banners" which connects to each port
> and
> sends \n\n, then reads in the response.  Then another module has a list
> of bad banners.  Any host with a bad banner, gets its port disabled,
> and
> a ticket created.
>
> Question for you though :-)  Right now the "USERID : UNIX" is not set
> as
> a bad banner, as I wasn't sure if any ligitimate irc client's ident
> server had that signature.  Has using that criteria picked up any false
> positives for you?
>
> --
> -- Justin Azoff
> -- Network Performance Analyst
>
> **********
> Participation and subscription information for this EDUCAUSE
> Discussion Group discussion list can be found at
> http://www.educause.edu/cg/.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.

Attachment: smime.p7s
Description: