Security Incidents mailing list archives

Happy Family - SOCKS, Telnet, and IRC


From: Crist Clark <crist.clark () GLOBALSTAR COM>
Date: Fri, 10 Nov 2000 16:48:50 -0800

Have something kind of neat here that I thought some of you out there
might find interesting.

I have been seeing SOCKS and Telnet scans from one host bouncing off
of a firewall for some time. Here are the scans from this week,

 9Oct2000  9:14:05   drop >hme0  tcp 203.101.17.225:41095 -> XXX.XXX.248.142:SOCKS 60
 9Oct2000  9:14:05   drop >hme0  tcp 203.101.17.225:41096 -> XXX.XXX.248.142:telnet 60
12Oct2000  8:15:11   drop >hme0  tcp 203.101.17.225:45176 -> XXX.XXX.248.142:SOCKS 60
12Oct2000  8:15:11   drop >hme0  tcp 203.101.17.225:45177 -> XXX.XXX.248.142:telnet 60
17Oct2000 15:04:48   drop >hme0  tcp 203.101.17.225:34127 -> XXX.XXX.248.142:SOCKS 60
17Oct2000 15:04:48   drop >hme0  tcp 203.101.17.225:34128 -> XXX.XXX.248.142:telnet 60
18Oct2000  8:44:53   drop >hme0  tcp 203.101.17.225:55267 -> XXX.XXX.248.142:SOCKS 60
18Oct2000  8:44:53   drop >hme0  tcp 203.101.17.225:55268 -> XXX.XXX.248.142:telnet 60
20Oct2000 10:11:09   drop >hme0  tcp 203.101.17.225:56599 -> XXX.XXX.248.142:SOCKS 60
20Oct2000 10:11:09   drop >hme0  tcp 203.101.17.225:56600 -> XXX.XXX.248.142:telnet 60
20Oct2000 13:32:29   drop >hme0  tcp 203.101.17.225:47415 -> XXX.XXX.248.142:SOCKS 60
20Oct2000 13:32:29   drop >hme0  tcp 203.101.17.225:47416 -> XXX.XXX.248.142:telnet 60
30Oct2000 10:59:05   drop >hme0  tcp 203.101.17.225:41623 -> XXX.XXX.248.142:SOCKS 60
30Oct2000 10:59:05   drop >hme0  tcp 203.101.17.225:41624 -> XXX.XXX.248.142:telnet 60
30Oct2000 13:47:19   drop >hme0  tcp 203.101.17.225:50625 -> XXX.XXX.248.142:SOCKS 60
30Oct2000 13:47:19   drop >hme0  tcp 203.101.17.225:50626 -> XXX.XXX.248.142:telnet 60
31Oct2000 10:24:52   drop >hme0  tcp 203.101.17.225:57006 -> XXX.XXX.248.142:SOCKS 60
31Oct2000 10:24:52   drop >hme0  tcp 203.101.17.225:57007 -> XXX.XXX.248.142:telnet 60
31Oct2000 14:42:00   drop >hme0  tcp 203.101.17.225:45119 -> XXX.XXX.248.142:SOCKS 60
31Oct2000 14:42:00   drop >hme0  tcp 203.101.17.225:45120 -> XXX.XXX.248.142:telnet 60
31Oct2000 14:46:06   drop >hme0  tcp 203.101.17.225:45371 -> XXX.XXX.248.142:SOCKS 60
31Oct2000 14:46:06   drop >hme0  tcp 203.101.17.225:45372 -> XXX.XXX.248.142:telnet 60
 1Nov2000  9:12:45   drop >hme0  tcp 203.101.17.225:48972 -> XXX.XXX.248.142:SOCKS 60
 1Nov2000  9:12:45   drop >hme0  tcp 203.101.17.225:48973 -> XXX.XXX.248.142:telnet 60
 2Nov2000 13:10:32   drop >hme0  tcp 203.101.17.225:34516 -> XXX.XXX.248.142:SOCKS 60
 2Nov2000 13:10:32   drop >hme0  tcp 203.101.17.225:34517 -> XXX.XXX.248.142:telnet 60
 3Nov2000 10:03:42   drop >hme0  tcp 203.101.17.225:39692 -> XXX.XXX.248.142:SOCKS 60
 3Nov2000 10:03:42   drop >hme0  tcp 203.101.17.225:39693 -> XXX.XXX.248.142:telnet 60
 3Nov2000 13:49:32   drop >hme0  tcp 203.101.17.225:56618 -> XXX.XXX.248.142:SOCKS 60
 3Nov2000 13:49:32   drop >hme0  tcp 203.101.17.225:56619 -> XXX.XXX.248.142:telnet 60

The source is,

  Name:    irc.one.net.au
  Address:  203.101.17.225

After much toying with logs and tons of AWK and Perl fun, I managed to
correlate these attacks with outgoing IRC traffic from one host in our
network. The servers being visited have some interesting features as
well, but the machine scanning us was never visited. I am waiting to
hear from some admin at the external sites before I post any of the odd
stuff I noticed about the servers my user was going to, maybe in a
later post.

I assume there is some 'bot living on the scanning machine that hits
people it sees on IRC channels. Anyone recognize the signature? I have
not had any luck trying to track down other reports of such activity.
--
Crist J. Clark                                Network Security Engineer
crist.clark () globalstar com                    Globalstar, L.P.
(408) 933-4387                                FAX: (408) 933-4926
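A small detector for the probe signature described in the post, added here as an example (it is not the author's AWK/Perl and not part of the original message): it parses lines in the firewall's log format and flags a source that hits SOCKS and telnet in the same second from adjacent source ports. The sample log is constructed from lines quoted in the post plus one unrelated drop that must not match.

```python
import re
from collections import defaultdict

# Constructed sample in the same layout as the firewall log quoted above:
# two probe pairs from the post plus one unrelated telnet drop (no SOCKS twin).
SAMPLE_LOG = """\
 9Oct2000  9:14:05   drop >hme0  tcp 203.101.17.225:41095 -> XXX.XXX.248.142:SOCKS 60
 9Oct2000  9:14:05   drop >hme0  tcp 203.101.17.225:41096 -> XXX.XXX.248.142:telnet 60
 9Oct2000  9:20:00   drop >hme0  tcp 10.0.0.5:1025 -> XXX.XXX.248.142:telnet 60
12Oct2000  8:15:11   drop >hme0  tcp 203.101.17.225:45176 -> XXX.XXX.248.142:SOCKS 60
12Oct2000  8:15:11   drop >hme0  tcp 203.101.17.225:45177 -> XXX.XXX.248.142:telnet 60
"""

# date time action >iface proto src:sport -> dst:dport len
# Destination ports appear as service names (SOCKS, telnet), as the firewall logs them.
LINE_RE = re.compile(
    r"^\s*(?P<date>\d{1,2}[A-Za-z]{3}\d{4})\s+(?P<time>\d{1,2}:\d{2}:\d{2})\s+"
    r"(?P<action>\w+)\s+>(?P<iface>\S+)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\w.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\w.]+):(?P<dport>\w+)\s+(?P<len>\d+)\s*$"
)

def parse_line(line):
    """Parse one log line into a dict, or return None for lines in another format."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    return rec

def find_socks_telnet_probes(log_text, max_port_gap=1):
    """Return (timestamp, source) pairs where one source touched both SOCKS and
    telnet within the same second using source ports no more than max_port_gap
    apart, i.e. the paired-probe pattern seen in the post. Order follows the log."""
    by_key = defaultdict(dict)          # (timestamp, src) -> {dport_name: sport}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp":
            continue
        key = (rec["date"] + " " + rec["time"], rec["src"])
        by_key[key][rec["dport"]] = rec["sport"]
    hits = []
    for (stamp, src), ports in by_key.items():
        if "SOCKS" in ports and "telnet" in ports:
            if abs(ports["telnet"] - ports["SOCKS"]) <= max_port_gap:
                hits.append((stamp, src))
    return hits
```

Feeding the full log from the post into `find_socks_telnet_probes` yields one hit per paired probe, which is a convenient list to line up against outgoing IRC session times when doing the correlation the post describes.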
