Security Incidents mailing list archives

Re: Happy Family - SOCKS, Telnet, and IRC


From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Sun, 12 Nov 2000 14:10:55 -0500

On Fri, 10 Nov 2000 16:48:50 PST, Crist Clark <crist.clark () GLOBALSTAR COM>  said:
>   Name:    irc.one.net.au
>   Address:  203.101.17.225
>
> After much toying with logs and tons of AWK and Perl fun, I managed to
> correlate these attacks with outgoing IRC traffic from one host in our
> network. The servers being visited have some interesting features as
> well, but the machine scanning us was never visited. I am waiting to

Several of the IRC networks (DALnet for one) will scan your SOCKS port
before allowing you to connect, to make sure that you are in fact you
and not somebody using your mis-configured SOCKS port to launder their
connection.  I suspect they intentionally scan from a server other than
the one you connected from, in case your SOCKS is configured to allow
connections from a machine you're already talking to...

--
                                Valdis Kletnieks
                                Operating Systems Analyst
                                Virginia Tech
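
The correlation discussed in this thread, sketched as an added example (not code from either poster): inbound SOCKS probes are matched to a recent outbound IRC connection from the probed host, by host and timing rather than by scanner address. The log format, the sample lines, IRC port 6667 and the 60-second window are assumptions made for the illustration.

```python
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format: time, direction, src, dst, dst port).
SAMPLE_LOG = """\
2000-11-10T16:40:02 OUT 10.1.2.3 198.51.100.7 6667
2000-11-10T16:40:05 IN 198.51.100.99 10.1.2.3 1080
2000-11-10T18:15:30 IN 203.0.113.50 10.1.2.8 1080
2000-11-10T19:00:00 OUT 10.1.2.9 198.51.100.7 6667
2000-11-10T19:20:00 IN 198.51.100.99 10.1.2.9 1080
"""

IRC_PORTS = {6667}               # assumption: IRC reached on the common port 6667
SOCKS_PORT = 1080                # standard SOCKS port
WINDOW = timedelta(seconds=60)   # assumption: the check follows the connect closely


def parse(log):
    """Yield (time, direction, src, dst, port) tuples from the log text."""
    for line in log.splitlines():
        ts, direction, src, dst, port = line.split()
        yield datetime.fromisoformat(ts), direction, src, dst, int(port)


def classify_socks_probes(log, window=WINDOW):
    """Label each inbound SOCKS probe as a likely IRC proxy check or unexplained."""
    irc_connects = {}            # internal host -> [(time, IRC server), ...]
    results = []
    for ts, direction, src, dst, port in sorted(parse(log)):
        if direction == "OUT" and port in IRC_PORTS:
            irc_connects.setdefault(src, []).append((ts, dst))
        elif direction == "IN" and port == SOCKS_PORT:
            # Match on the probed host and timing only: the scanner may be a
            # different machine from the IRC server the host connected to.
            recent = reversed(irc_connects.get(dst, []))
            server = next((srv for t, srv in recent
                           if timedelta(0) <= ts - t <= window), None)
            results.append({
                "time": ts.isoformat(), "scanner": src, "target": dst,
                "irc_server": server,
                "verdict": "likely-irc-proxy-check" if server else "unexplained",
            })
    return results


if __name__ == "__main__":
    for row in classify_socks_probes(SAMPLE_LOG):
        print(row)
```

Probes left as "unexplained" (no IRC connect from that host, or one too long before the probe) are the ones worth investigating as ordinary open-proxy scanning.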
