Educause Security Discussion mailing list archives
Re: IRC, IM Proxy Implementations
From: Mark Wilson <wilsodm () AUBURN EDU>
Date: Wed, 8 Sep 2004 08:28:02 -0500
Concerning port 113, regular scans of our network for port 113 have uncovered many bots. One "tool" you may wish to use is expect. I have written an expect script that telnets into port 113 and performs a <CR> to get the familiar:

spawn telnet 131.204.x.x 113
Trying 131.204.x.x ...
Connected to 131.204.x.x.
Escape character is '^]'.

: USERID : UNIX : ggdmlnfa
^]

This confirms the PC is Bot-ed. After scanning port 113, dump the IPs (with port 113 open) to a file. The expect script reads the IP file to "automate" the process.

Mark Wilson GCIA, CISSP #53153
Network Security Specialist
Auburn University
(334) 844-9347
morrow.long () YALE EDU 9/3/2004 3:34:34 PM >>>
And usually if the PC is running a bogus identd/authd at TCP port 113 you can connect to it over the network with telnet or nc and hit return once or twice and get it to give you a "canned" ident response (w/o sending it a real request) which includes a very random looking userid (such as vvrscxxz).

- H. Morrow Long, CISSP, CISM
University Information Security Officer
Director -- Information Security Office
Yale University, ITS

On Sep 3, 2004, at 8:22 AM, Justin Azoff wrote:
Brian Eckman wrote:
Phatbot (aka Polybot) versions were seen using stunnel to encrypt traffic this past spring (March and April). The servers I found were apparently running stunnel on port 1331/tcp which is what the bots talked to. stunnel then presumably decrypted the traffic and passed it up to port 6667/tcp on the same host, which was the C&C IRCd. Detection was possible when the bots tried to spread to other hosts (then looking for 1331/tcp traffic to the controller once it was discovered).

I've found the easiest way to find them is to scan for 113: the virus is dumb enough to start an ident server on the hacked machine.

a: # nmap -p 113 --min_parallelism 100 --max_rtt_timeout 25 xx.xx.1.1/16

runs extremely fast and finds every irc "user". Then all you have to do is verify that that user has no idea what irc is.

I did a scan for 1331, and nothing is currently running on that port here. I wouldn't be surprised if that is an easily configurable port in a script.

--
-- Justin Azoff
-- Network Performance Analyst

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
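The probe the thread describes (connect to TCP 113, send a bare newline, see whether a canned ": USERID : UNIX : <random>" line comes back unsolicited) is easy to automate beyond an expect script. The following Python is an added example written for this archive page; it is not Mark Wilson's expect script nor any code posted in the thread. It assumes the reply shape quoted above (a real RFC 1413 identd would echo the port pair it was asked about, or answer a port-less request with an ERROR line), takes the host list from the same kind of "port 113 open" file the post mentions, and, so it runs offline, includes a constructed fake bot identd on loopback. The function names probe_ident, classify_ident_reply, sweep_hosts and start_fake_bot_identd are hypothetical.

```python
import re
import socket
import threading

# Reply shape quoted in the thread: the bogus identd answers a bare CR/LF with
# ": USERID : UNIX : ggdmlnfa" (or vvrscxxz). Note the empty field before the
# first colon: a real identd puts the "<server-port> , <client-port>" pair there.
IDENT_REPLY = re.compile(
    r"^\s*(?P<ports>[^:]*):\s*(?P<type>USERID|ERROR)\s*:\s*(?P<rest>.*?)\s*$"
)
# Random-looking lowercase userids of the kind seen in the thread (assumption:
# 6-12 letters; tune to what your own scans turn up).
RANDOM_USERID = re.compile(r"^[a-z]{6,12}$")


def classify_ident_reply(line: str) -> str:
    """Classify one reply line that arrived after we sent only CRLF."""
    m = IDENT_REPLY.match(line)
    if not m:
        return "no-ident-reply"          # banner from some other service, or junk
    if m.group("type") == "ERROR":
        return "error-reply"             # what a real identd says to a port-less query
    ports = m.group("ports").strip()
    parts = [p.strip() for p in m.group("rest").split(":", 1)]
    if not ports and len(parts) == 2 and RANDOM_USERID.match(parts[1]):
        return "bogus-identd"            # canned answer, no ports, random userid
    return "other-reply"                 # USERID reply that echoes a port pair


def probe_ident(host: str, port: int = 113, timeout: float = 3.0) -> str:
    """Connect, send a bare CR/LF like the expect script, classify what comes back."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(b"\r\n")
            data = s.recv(512)
    except OSError:                      # refused, reset, timed out (socket.timeout is an OSError)
        return "no-ident-reply"
    line = data.decode("ascii", "replace").splitlines()[0] if data else ""
    return classify_ident_reply(line)


def sweep_hosts(hosts, port: int = 113) -> dict:
    """Probe every host from a 'port 113 open' list; returns {host: verdict}."""
    return {h: probe_ident(h, port) for h in hosts}


def start_fake_bot_identd(reply: bytes = b": USERID : UNIX : ggdmlnfa\r\n"):
    """Constructed stand-in for the bot's identd, for offline testing only.
    Waits for whatever the client sends, then emits the canned line."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))           # ephemeral port; real bots use 113
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:              # listening socket closed: stop serving
                return
            with conn:
                conn.settimeout(2.0)
                try:
                    conn.recv(64)        # the bare CR/LF; content is ignored
                except OSError:
                    pass
                conn.sendall(reply)

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Offline demo against the constructed fake; in practice read the host list
    # produced by the nmap sweep, e.g. sweep_hosts(open("ident_hosts.txt").read().split())
    srv, port = start_fake_bot_identd()
    print(sweep_hosts(["127.0.0.1"], port))   # {'127.0.0.1': 'bogus-identd'}
    srv.close()
```

The distinguishing signal is not the USERID keyword but the empty port field: we never sent a "server-port , client-port" pair, so a compliant identd has nothing to echo and should answer with ERROR, while the bot returns its fixed line regardless. Treat "other-reply" as worth a look too, since a USERID line that echoes ports we never asked about is equally canned.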