Educause Security Discussion mailing list archives

Re: IRC, IM Proxy Implementations


From: Mark Wilson <wilsodm () AUBURN EDU>
Date: Wed, 8 Sep 2004 08:28:02 -0500

Concerning port 113, regular scans of our network for port 113 have
uncovered many bots.  One "tool" you may wish to use is expect.  I have
written an expect script that telnets into port 113 and performs a <CR>
to get the familiar:

spawn telnet 131.204.x.x 113
Trying 131.204.x.x ...
Connected to 131.204.x.x.
Escape character is '^]'.

 : USERID : UNIX : ggdmlnfa
^]
This confirms the PC is bot-ed.

After scanning port 113, dump the IPs (with port 113 open) to a file.
The expect script reads the IP file to "automate" the process.

Mark Wilson
GCIA, CISSP #53153
Network Security Specialist
Auburn University
(334) 844-9347

morrow.long () YALE EDU 9/3/2004 3:34:34 PM >>>
And usually if the PC is running a bogus identd/authd
at TCP port 113 you can connect to it over the network
with telnet or nc and hit return once or twice and get it
to give you a "canned" ident response (w/o sending it
a real request) which includes a very random looking
userid (such as vvrscxxz).

- H. Morrow Long, CISSP, CISM
   University Information Security Officer
   Director -- Information Security Office
   Yale University, ITS


On Sep 3, 2004, at 8:22 AM, Justin Azoff wrote:

Brian Eckman wrote:

Phatbot (aka Polybot) versions were seen using stunnel to encrypt
traffic this past spring (March and April). The servers I found were
apparently running stunnel on port 1331/tcp which is what the bots
talked to. stunnel then presumably decrypted the traffic and passed it
up to port 6667/tcp on the same host, which was the C&C IRCd. Detection
was possible when the bots tried to spread to other hosts (then looking
for 1331/tcp traffic to the controller once it was discovered).


I've found the easiest way to find them is to scan for 113: the virus is
dumb enough to start an ident server on the hacked machine.
a:
# nmap -p 113 --min_parallelism 100 --max_rtt_timeout 25 xx.xx.1.1/16

runs extremely fast and finds every irc "user".  Then all you have to do
is verify that that user has no idea what irc is.

I did a scan for 1331, and nothing is currently running on that port
here.  I wouldn't be surprised if that is an easily configurable port in
a script.


--
-- Justin Azoff
-- Network Performance Analyst
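
As an added example (not Mark's expect script, and not code from any of the posters), here is a Python version of the same check: it connects to TCP/113, sends a bare CRLF as the expect script does, and parses the reply against the RFC 1413 reply format, flagging the unsolicited, port-less USERID lines with random-looking userids that Morrow and Justin describe. The random-looking-userid heuristic and the input file format (one IP per line, as dumped from the nmap scan) are my assumptions.

```python
import re
import socket
from dataclasses import dataclass
from typing import Optional

SAMPLE_REPLY = " : USERID : UNIX : ggdmlnfa\r\n"  # constructed from the quoted reply

# RFC 1413 reply "<server-port>, <client-port> : USERID : <opsys> : <user-id>";
# a real identd echoes the queried port pair, the canned reply has none.
IDENT_RE = re.compile(
    r"^\s*(\d*)\s*,?\s*(\d*)\s*:\s*USERID\s*:\s*([^:]+?)\s*:\s*(.+?)\s*$")

@dataclass
class IdentReply:
    server_port: Optional[int]
    client_port: Optional[int]
    opsys: str
    userid: str

def parse_ident_reply(line: str) -> Optional[IdentReply]:
    m = IDENT_RE.match(line)
    if not m:
        return None
    sp, cp, opsys, uid = m.groups()
    return IdentReply(int(sp) if sp else None, int(cp) if cp else None, opsys, uid)

def looks_canned(reply: IdentReply) -> bool:
    """Heuristic (my reading of the thread): no port pair, random-looking userid."""
    if reply.server_port is not None or reply.client_port is not None:
        return False
    if not re.fullmatch(r"[a-z]{6,10}", reply.userid):
        return False
    return sum(c in "aeiou" for c in reply.userid) <= len(reply.userid) // 4

def probe_ident(host: str, timeout: float = 3.0) -> Optional[IdentReply]:
    """Connect to TCP/113, send a bare CRLF (no real query) and parse the
    first line that comes back, as the expect script in the thread does."""
    try:
        with socket.create_connection((host, 113), timeout=timeout) as s:
            s.sendall(b"\r\n")
            data = s.recv(256).decode("ascii", "replace")
    except OSError:
        return None
    return parse_ident_reply(data.splitlines()[0]) if data.strip() else None

def scan_file(path: str) -> list[str]:
    # One IP per line, e.g. the hosts nmap reported with 113/tcp open.
    with open(path) as fh:
        hosts = [h.strip() for h in fh if h.strip()]
    return [f"{h} {r.userid}" for h in hosts
            if (r := probe_ident(h)) and looks_canned(r)]
```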

**********
Participation and subscription information for this EDUCAUSE
Discussion Group discussion list can be found at
http://www.educause.edu/cg/.
