Re: Happy Familiy- SOCKS, Telnet, and IRC

[Nicholas Brawn <nickbrawn () ONETEL COM>]

On Fri, 10 Nov 2000 16:48:50 -0800
Crist Clark <crist.clark () GLOBALSTAR COM> wrote:

> Have something kind of neat here that I thought some of you out there
> might find interesting.
>
> I have been seeing SOCKS and Telnet scans from one host bouncing off
> of a firewall for some time. Here are the scans from this week,
>
>  9Oct2000  9:14:05   drop >hme0  tcp 203.101.17.225:41095 -> XXX.XXX.248.142:SOCKS 60
>  9Oct2000  9:14:05   drop >hme0  tcp 203.101.17.225:41096 -> XXX.XXX.248.142:telnet 60

<snip>

> The source is,
>
>   Name:    irc.one.net.au
>   Address:  203.101.17.225
>
> After much toying with logs and tons of AWK and Perl fun, I managed to
> correlate these attacks with outgoing IRC traffic from one host in our
> network. The servers being visited have some interesting features as
> well, but the machine scanning us was never visited. I am waiting to
> hear from some admin at the external sites before I post any of the odd
> stuff I noticed about the servers my user was going to, maybe in a
> later post.
>
> I assume there is some 'bot living on the scanning machine that hits
> people it sees on IRC channels. Anyone recognize the signature? I have
> not had any luck trying to track down other reports of such activity.

That would be our irc server doing proactive checks (as users log in) to check if users are bouncing off
wingate and/or open socks proxies. It is a commonplace practice across a number of irc networks.

Cheers,
Nick

> --
> Crist J. Clark                                Network Security Engineer
> crist.clark () globalstar com                    Globalstar, L.P.
> (408) 933-4387                                FAX: (408) 933-4926


--
Secure email preferred. PGP key available on request.
Phone: +61 2 9025 7571 || Email: nickbrawn () onetel com