Re: Undernet/telnet attempts?

[jburdge () AVENTAIL COM (Jon Burdge)]

This is becoming pretty standard to protect irc servers from abusive people
bouncing through misconfigured wingates and proxy servers.  DALnet is doing
it as well.  The real problem is people who install wingates, as they have
historically had no idea how to configure them correctly.  Some information
on it is at http://help.undernet.org/proxyscan/.  To quote from the page:

"Due to the overwhelming (ab)use of malconfigured Wingate and Proxyservers
being exploited daily the Undernet.org is now checking all users for open
and exploitable Wingate/Proxy server upon connection to any Undernet.org IRC
Server."

> -----Original Message-----
> From: SecOrg [mailto:sec () FRENZY ORG]
> Sent: Friday, February 18, 2000 4:51 PM
> To: INCIDENTS () SECURITYFOCUS COM
> Subject: Undernet/telnet attempts?
>
>
> I have gotten a number of telnet attempts/scans on my server
> from undernet
> IRC hosts. A couple of the hosts were
> dallas-r.tx.us.undernet.org
> ProxyScan.MD.US.Undernet.Org
>
> As the name implies, I am guessing they are scanning wingates/proxies,
> etc for security/eggdrop reasons. Does anyone know if they scan all
> incoming connections for telnet(wingate) ports?  And if so,
> why they would
> try to connect to it afterwards? Maybe some kind of fingerprinting
> technique that would find out if it is a open wingate?
> Thank you,
>
> Randy McClelland-Bane
> @Harborside Technical Support
> 1-800-680-8855