Educause Security Discussion mailing list archives

Re: IRC, IM Proxy Implementations


From: Mark Wilson <wilsodm () AUBURN EDU>
Date: Wed, 8 Sep 2004 08:52:04 -0500

Well, 100% of the boxes we have found with this sig have been
compromised. However, your point is well taken. I would be interested
in others' experiences.

JAzoff () UAMAIL ALBANY EDU 9/8/2004 8:38:37 AM >>>
Mark Wilson wrote:
Concerning port 113, regular scans of our network for port 113 have
uncovered many bots. One "tool" you may wish to use is expect. I have
written an expect script that telnets into port 113 and performs a <CR>
to get the familiar:

spawn telnet 131.204.x.x 113
Trying 131.204.x.x ...
Connected to 131.204.x.x.
Escape character is '^]'.

 : USERID : UNIX : ggdmlnfa
^]
This confirms the PC is bot-ed.

After scanning port 113, dump the IPs (with port 113 open) to a file.
The expect script reads the IP file to "automate" the process.

Mark Wilson
GCIA, CISSP #53153
Network Security Specialist
Auburn University
(334) 844-9347

This is very similar to what my script does. I wrote a python wrapper
to nmap, and then a module called "banners" which connects to each port
and sends \n\n, then reads in the response. Then another module has a
list of bad banners. Any host with a bad banner gets its port disabled
and a ticket created.

Question for you though :-) Right now the "USERID : UNIX" is not set
as a bad banner, as I wasn't sure if any legitimate IRC client's ident
server had that signature. Has using that criteria picked up any false
positives for you?

--
-- Justin Azoff
-- Network Performance Analyst
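
Added example, not code from either poster: a Python version of the check both messages describe. It connects to port 113, sends the same bare "\n\n" probe Justin's "banners" module sends, reads one line back, and matches it against a bad-banner list that holds only the " : USERID : UNIX : <name>" signature quoted above. The distinguishing rule is an assumption on my part: an RFC 1413 identd answering a malformed query returns an ERROR reply with a port pair, whereas the bot reply in the thread has an empty port pair before USERID, so the pattern anchors on that leading colon. The fake_ident_server below is a constructed test double that stands in for a scanned host so the whole exchange runs on localhost; the IP list is whatever the nmap step produced.

```python
import re
import socket
import threading

# Ident replies treated as bot signatures. The only entry is the reply quoted
# in the thread. A real RFC 1413 reply to a bare CR/LF carries a port pair and
# an ERROR field (e.g. "0, 0 : ERROR : INVALID-PORT"); the bot reply starts
# with an empty port pair, so the pattern anchors on the leading colon.
# (Assumption: that empty port pair is what separates the bot from a real identd.)
BAD_BANNERS = [
    re.compile(rb"^\s*:\s*USERID\s*:\s*UNIX\s*:\s*\S+"),
]

PROBE = b"\n\n"   # same probe as the "banners" module in the thread


def grab_banner(host, port=113, probe=PROBE, timeout=3.0):
    """Connect, send the probe, return the first line the peer sends back.

    Returns b"" if the peer closes or stays silent until the timeout.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(probe)
        buf = b""
        try:
            # Read until a newline or a sane size cap; bots may send junk.
            while b"\n" not in buf and len(buf) < 512:
                chunk = sock.recv(256)
                if not chunk:
                    break
                buf += chunk
        except socket.timeout:
            pass
    return buf.split(b"\n", 1)[0].rstrip(b"\r")


def is_bad_banner(banner):
    """True if the banner matches one of the known bot ident signatures."""
    return any(p.search(banner) for p in BAD_BANNERS)


def check_hosts(hosts, port=113, grabber=grab_banner):
    """Run the banner check over the IP list dumped by the port scan.

    Returns {host: (banner, flagged)}; unreachable hosts get (b"", False).
    """
    results = {}
    for host in hosts:
        try:
            banner = grabber(host, port)
        except OSError:          # refused, reset, unroutable: not flagged
            banner = b""
        results[host] = (banner, is_bad_banner(banner))
    return results


def fake_ident_server(reply):
    """Throwaway ident server on 127.0.0.1 answering every connection with
    `reply`. Constructed test double, not a real identd. Returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.settimeout(2.0)
                try:
                    conn.recv(256)   # consume the probe, then answer
                except socket.timeout:
                    pass
                conn.sendall(reply)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    # Constructed sample: one "bot" reply (from the thread) and one RFC-style
    # error reply a legitimate identd might give to a bare CR/LF.
    bot_port = fake_ident_server(b" : USERID : UNIX : ggdmlnfa\r\n")
    ok_port = fake_ident_server(b"0, 0 : ERROR : INVALID-PORT\r\n")
    for port in (bot_port, ok_port):
        banner = grab_banner("127.0.0.1", port)
        print(port, banner, "BOT" if is_bad_banner(banner) else "ok")
```

To use it against the scan output, read the IP file into a list and pass it to check_hosts; hosts whose flagged value is True are the ones that would get the port disabled and the ticket. The pattern deliberately does not match "0, 0 : USERID : UNIX : name" style replies that carry a real port pair, which is the false-positive case Justin asks about.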

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/cg/.
