Re: Undernet/telnet attempts?

[brendan () AUSTCO COM AU (Brendan Grieve)]

If this machine acts as a gateway, and does NAT, this is explainable, since
it would be someone behind it that's connecting to the IRC.

Brendan

----- Original Message -----
From: Tibor, Mike <tibor () LIB UAA ALASKA EDU>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Wednesday, February 23, 2000 9:06 AM
Subject: Re: Undernet/telnet attempts?

> On Fri, 18 Feb 2000, SecOrg wrote:
>
> > I have gotten a number of telnet attempts/scans on my server from
undernet
> > IRC hosts. A couple of the hosts were
> > dallas-r.tx.us.undernet.org
> > ProxyScan.MD.US.Undernet.Org
> >
> > As the name implies, I am guessing they are scanning wingates/proxies,
> > etc for security/eggdrop reasons. Does anyone know if they scan all
> > incoming connections for telnet(wingate) ports?  And if so, why they
would
> > try to connect to it afterwards? Maybe some kind of fingerprinting
> > technique that would find out if it is a open wingate?
>
> I've experienced those probes myself, and in email exchanges with the
> technical contacts (angel111 () ns2 cetlink net, danny () chatsystems com,
> abuse () undernet org, noc () u1 abs net), they vehemently claim to only probe
> each machine when it makes an IRC connection to them (ie, the incoming IRC
> connection triggers the probe)
>
> The problem *I* have with it is that when I confronted them they couldn't
> produce any evidence my server ever made those connections--they
> apparently don't keep any logs.  In my case it's rather interesting as
> only 4 people other than myself have shell access to my server, and none
> of us has *ever* done any IRC activity from it (and I'm also confident it
> hasn't been rooted).
>
> Mike
> --
> Mike Tibor         Univ. of Alaska Anchorage    (907) 786-1001 voice
> LAN Technician     Consortium Library             (907) 786-6050 fax
> tibor () lib uaa alaska edu       http://www.lib.uaa.alaska.edu/~tibor/
> http://www.lib.uaa.alaska.edu/~tibor/pgpkey  for PGP public key