Security Incidents mailing list archives

Re: Undernet/telnet attempts?


From: p.foreman () PLANETINTERNET NL (Peter Foreman)
Date: Mon, 13 Mar 2000 09:20:32 +0100


Hi,

since I'm an admin of an Undernet IRC server, I would like to give some
details on this.

The proxyscanner is a separate "server" which is connected to the network and
every time it gets a "NICK" message it scans that host.  Of course, you know
that a network that carries over 50.000 users can have some lag in the scanning,
so that's why the scanning can take place afterwards..  Really, the scanning is
ONLY and ONLY done when the scanner receives a new NICK on the network, so that
means your box HAS to be connected (or HAD to connect at some time) to the
network.  And yes, Danny and Angel are right :)

It scans for insecure wingates (prolly the Wingate> prompt at port 23, dunno
much about the scanner itself) and open proxies (port 1080).  I don't really see
the problem with it as it obviously makes the network security better.

Peter Foreman
Planet Internet / ICT Operations
Tel.: (+31)-(0)33-4540502
Fax.: (+31)-(0)33-4540408
E-mail: p.foreman () planetinternet nl

-----Original Message-----
From: Stephen Cooper [mailto:Stephen.Cooper () BIS ORG]
Sent: Thursday, March 09, 2000 11:25 AM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: Undernet/telnet attempts?

Hello,

I recently left a large middle eastern country (I do not wish to be
inflammatory, so I will not name it in a public forum), having experienced
certain phenomena there, your email makes me smile!!!!

In that country the Internet backbone is concealed behind a massive firewall
and a bank of Squid proxy servers, which blocks ports 80 and 443. Not many
people outside will see much of what I will describe.

However, should you dial-in to a local ISP (of which there are a lot) and be
running a tool such as Back Officer Friendly or BlackICE or equivalent, you
will be absolutely bombarded by telnet attempts, backorifice probes, ping
scans, port scans and on and on. You do not need to be running. All coming
from Dial-up users connected to that backbone via various ISPs. It's kind of
disturbing when you first see it, but you get used to it and there is very
little you can do about it.

It kind of puts a minor thing like you describe into perspective.

This email expresses personal opinions that have absolutely no relation to my
current occupation.

Regards, Stephen.

"Tibor, Mike" <tibor () LIB UAA ALASKA EDU> 02/23/00 02:06am >>>
On Fri, 18 Feb 2000, SecOrg wrote:

I have gotten a number of telnet attempts/scans on my server from undernet
IRC hosts. A couple of the hosts were
dallas-r.tx.us.undernet.org
ProxyScan.MD.US.Undernet.Org

As the name implies, I am guessing they are scanning wingates/proxies,
etc. for security/eggdrop reasons. Does anyone know if they scan all
incoming connections for telnet(wingate) ports?  And if so, why they would
try to connect to it afterwards? Maybe some kind of fingerprinting
technique that would find out if it is an open wingate?

I've experienced those probes myself, and in email exchanges with the
technical contacts (angel111 () ns2 cetlink net, danny () chatsystems com,
abuse () undernet org, noc () u1 abs net), they vehemently claim to only probe
each machine when it makes an IRC connection to them (i.e., the incoming IRC
connection triggers the probe).

The problem *I* have with it is that when I confronted them they couldn't
produce any evidence my server ever made those connections--they
apparently don't keep any logs.  In my case it's rather interesting as
only 4 people other than myself have shell access to my server, and none
of us has *ever* done any IRC activity from it (and I'm also confident it
hasn't been rooted).

Mike

--
Mike Tibor         Univ. of Alaska Anchorage    (907) 786-1001 voice
LAN Technician     Consortium Library             (907) 786-6050 fax
tibor () lib uaa alaska edu       http://www.lib.uaa.alaska.edu/~tibor/
http://www.lib.uaa.alaska.edu/~tibor/pgpkey  for PGP public key

DISCLAIMER: Any e-mail messages from the Bank for International Settlements
are sent in good faith, but shall not be binding nor construed as
constituting any obligation on the part of the Bank.

CONFIDENTIALITY NOTICE: This e-mail contains confidential information, which
is intended only for the use of the recipient(s) named above. If you have
received this communication in error, please notify the sender immediately
via e-mail and return the entire message. Thank you for your assistance.