Re: IRC, IM Proxy Implementations

[Justin Azoff <JAzoff () UAMAIL ALBANY EDU>]

Mark Wilson wrote:
> Concerning port 113, regular scans of our network for port 113 has
> uncovered many bots.  One "tool" you may wish to use is expect.  I have
> written an expect script that telnets into port 113 and performs a <CR>
> to get the familiar:
>
> spawn telnet 131.204.x.x 113
> Trying 131.204.x.x ...
> Connected to 131.204.x.x.
> Escape character is '^]'.
>
>  : USERID : UNIX : ggdmlnfa
> ^]
> This confirms PC is Bot-ed.
>
> After scanning port 113, dump the IPs (with port 113 open) to a file.
> The expect script reads the IP file to "automate" the process.
>
> Mark Wilson
> GCIA, CISSP #53153
> Network Security Specialist
> Auburn University
> (334) 844-9347

This is very similar to what my script does, I wrote a python wrapper to
nmap, and then a module called "banners" which connects to each port and
sends \n\n, then reads in the response.  Then another module has a list
of bad banners.  Any host with a bad banner, gets its port disabled, and
a ticket created.

Question for you though :-)  Right now the "USERID : UNIX" is not set as
a bad banner, as I wasn't sure if any ligitimate irc client's ident
server had that signature.  Has using that criteria picked up any false
positives for you?

--
-- Justin Azoff
-- Network Performance Analyst

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.