Security Incidents
mailing list archives
Happy Family- SOCKS, Telnet, and IRC
From: Crist Clark <crist.clark () GLOBALSTAR COM>
Date: Fri, 10 Nov 2000 16:48:50 -0800
Have something kind of neat here that I thought some of you out there
might find interesting.
I have been seeing SOCKS and Telnet scans from one host bouncing off
of a firewall for some time. Here are the scans from this week:
9Oct2000 9:14:05 drop >hme0 tcp 203.101.17.225:41095 -> XXX.XXX.248.142:SOCKS 60
9Oct2000 9:14:05 drop >hme0 tcp 203.101.17.225:41096 -> XXX.XXX.248.142:telnet 60
12Oct2000 8:15:11 drop >hme0 tcp 203.101.17.225:45176 -> XXX.XXX.248.142:SOCKS 60
12Oct2000 8:15:11 drop >hme0 tcp 203.101.17.225:45177 -> XXX.XXX.248.142:telnet 60
17Oct2000 15:04:48 drop >hme0 tcp 203.101.17.225:34127 -> XXX.XXX.248.142:SOCKS 60
17Oct2000 15:04:48 drop >hme0 tcp 203.101.17.225:34128 -> XXX.XXX.248.142:telnet 60
18Oct2000 8:44:53 drop >hme0 tcp 203.101.17.225:55267 -> XXX.XXX.248.142:SOCKS 60
18Oct2000 8:44:53 drop >hme0 tcp 203.101.17.225:55268 -> XXX.XXX.248.142:telnet 60
20Oct2000 10:11:09 drop >hme0 tcp 203.101.17.225:56599 -> XXX.XXX.248.142:SOCKS 60
20Oct2000 10:11:09 drop >hme0 tcp 203.101.17.225:56600 -> XXX.XXX.248.142:telnet 60
20Oct2000 13:32:29 drop >hme0 tcp 203.101.17.225:47415 -> XXX.XXX.248.142:SOCKS 60
20Oct2000 13:32:29 drop >hme0 tcp 203.101.17.225:47416 -> XXX.XXX.248.142:telnet 60
30Oct2000 10:59:05 drop >hme0 tcp 203.101.17.225:41623 -> XXX.XXX.248.142:SOCKS 60
30Oct2000 10:59:05 drop >hme0 tcp 203.101.17.225:41624 -> XXX.XXX.248.142:telnet 60
30Oct2000 13:47:19 drop >hme0 tcp 203.101.17.225:50625 -> XXX.XXX.248.142:SOCKS 60
30Oct2000 13:47:19 drop >hme0 tcp 203.101.17.225:50626 -> XXX.XXX.248.142:telnet 60
31Oct2000 10:24:52 drop >hme0 tcp 203.101.17.225:57006 -> XXX.XXX.248.142:SOCKS 60
31Oct2000 10:24:52 drop >hme0 tcp 203.101.17.225:57007 -> XXX.XXX.248.142:telnet 60
31Oct2000 14:42:00 drop >hme0 tcp 203.101.17.225:45119 -> XXX.XXX.248.142:SOCKS 60
31Oct2000 14:42:00 drop >hme0 tcp 203.101.17.225:45120 -> XXX.XXX.248.142:telnet 60
31Oct2000 14:46:06 drop >hme0 tcp 203.101.17.225:45371 -> XXX.XXX.248.142:SOCKS 60
31Oct2000 14:46:06 drop >hme0 tcp 203.101.17.225:45372 -> XXX.XXX.248.142:telnet 60
1Nov2000 9:12:45 drop >hme0 tcp 203.101.17.225:48972 -> XXX.XXX.248.142:SOCKS 60
1Nov2000 9:12:45 drop >hme0 tcp 203.101.17.225:48973 -> XXX.XXX.248.142:telnet 60
2Nov2000 13:10:32 drop >hme0 tcp 203.101.17.225:34516 -> XXX.XXX.248.142:SOCKS 60
2Nov2000 13:10:32 drop >hme0 tcp 203.101.17.225:34517 -> XXX.XXX.248.142:telnet 60
3Nov2000 10:03:42 drop >hme0 tcp 203.101.17.225:39692 -> XXX.XXX.248.142:SOCKS 60
3Nov2000 10:03:42 drop >hme0 tcp 203.101.17.225:39693 -> XXX.XXX.248.142:telnet 60
3Nov2000 13:49:32 drop >hme0 tcp 203.101.17.225:56618 -> XXX.XXX.248.142:SOCKS 60
3Nov2000 13:49:32 drop >hme0 tcp 203.101.17.225:56619 -> XXX.XXX.248.142:telnet 60
The source is:
Name: irc.one.net.au
Address: 203.101.17.225
After much toying with logs and tons of AWK and Perl fun, I managed to
correlate these attacks with outgoing IRC traffic from one host in our
network. The servers being visited have some interesting features as
well, but the machine scanning us was never visited. I am waiting to
hear from some admin at the external sites before I post any of the odd
stuff I noticed about the servers my user was going to, maybe in a
later post.
I assume there is some 'bot living on the scanning machine that hits
people it sees on IRC channels. Anyone recognize the signature? I have
not had any luck trying to track down other reports of such activity.
--
Crist J. Clark Network Security Engineer
crist.clark () globalstar com Globalstar, L.P.
(408) 933-4387 FAX: (408) 933-4926
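As an added example (not part of Crist's post), here is a Python script that parses firewall log lines in the layout shown above, flags the paired SOCKS/telnet probe signature (one source, same second, adjacent source ports), and correlates each probe with an outbound IRC connection from the probed host shortly before it. The accept line and the IRC server address 192.0.2.10 in the sample are constructed; the probe lines are copied from the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Log layout as shown in the post; service names map to the ports the firewall labels.
LOG_RE = re.compile(r"^(?P<date>\d{1,2}[A-Za-z]{3}\d{4}) (?P<time>\d{1,2}:\d{2}:\d{2}) "
                    r"(?P<action>\w+) >\S+ tcp (?P<src>\S+):(?P<sport>\S+) -> "
                    r"(?P<dst>\S+):(?P<dport>\S+) \d+$")
SERVICE_PORTS = {"SOCKS": 1080, "telnet": 23}

# Constructed sample: two probe pairs taken from the post plus an invented 'accept' line for
# an outbound IRC connection (server 192.0.2.10 is a placeholder) shortly before the first pair.
SAMPLE_LOG = """\
9Oct2000 9:13:50 accept >hme0 tcp XXX.XXX.248.142:33021 -> 192.0.2.10:6667 44
9Oct2000 9:14:05 drop >hme0 tcp 203.101.17.225:41095 -> XXX.XXX.248.142:SOCKS 60
9Oct2000 9:14:05 drop >hme0 tcp 203.101.17.225:41096 -> XXX.XXX.248.142:telnet 60
12Oct2000 8:15:11 drop >hme0 tcp 203.101.17.225:45176 -> XXX.XXX.248.142:SOCKS 60
12Oct2000 8:15:11 drop >hme0 tcp 203.101.17.225:45177 -> XXX.XXX.248.142:telnet 60
""".splitlines()

def parse(line):
    """Return a dict for one log line (ports as ints), or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%d%b%Y %H:%M:%S")
    for k in ("sport", "dport"):
        rec[k] = SERVICE_PORTS.get(rec[k], int(rec[k]) if rec[k].isdigit() else None)
    return rec

def find_proxy_probes(lines):
    """(ts, src, dst) for every SOCKS+telnet pair from one source, same second, adjacent
    source ports: the open-proxy check signature in the post's log."""
    by_key = defaultdict(dict)
    for rec in filter(None, map(parse, lines)):
        if rec["action"] == "drop" and rec["dport"] in (1080, 23):
            by_key[(rec["ts"], rec["src"], rec["dst"])][rec["dport"]] = rec["sport"]
    return [key for key, ports in sorted(by_key.items())
            if {1080, 23}.issubset(ports) and abs(ports[1080] - ports[23]) == 1]

def correlate_with_irc(probes, lines, window_s=60):
    """Pair each probe with an outbound IRC (6667) connection from the probed host accepted
    within window_s seconds beforehand; the IRC server need not be the probing host."""
    irc = [r for r in filter(None, map(parse, lines))
           if r["action"] == "accept" and r["dport"] == 6667]
    return [(ts, src, dst, r["dst"]) for ts, src, dst in probes for r in irc
            if r["src"] == dst and 0 <= (ts - r["ts"]).total_seconds() <= window_s]
```

Run `correlate_with_irc(find_proxy_probes(SAMPLE_LOG), SAMPLE_LOG)` against a real log export to see which IRC server each probed host had just connected to.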