Security Incidents mailing list archives

Re: Undernet/telnet attempts?


From: jlevy () IMNEVERWRONG COM (Jonathan Levy)
Date: Mon, 21 Feb 2000 20:01:48 -0500


IIRC Undernet doesn't check for eggdrops (on some servers they are allowed).

Taken from http://help.undernet.org/proxyscan/proxyadmin.html:

"The Undernet.org IRC network is now checking all users who attempt to
connect to our private network for insecure, exploitable Socks Proxy (4/5)
and Wingate servers.  This check is only done after a user attempts to
establish a connection to an Undernet.org IRC server."

if you do a /stats g on an Undernet server you'd notice a whole lot of
people "g-lined" for Wingate/proxy abuse.

What you are getting are attempts on ports 23 and 1080 (telnet and socks
firewall).  To my knowledge these don't seem too harmful, although I could
see someone 'spoofing' (as have been problems years ago on the Undernet) and
having some sort of code that would make the server think that someone is
trying to connect a whole lot... maybe that annoying throttle thing would
stop that.

Hope this helps...

-jonathan levy / equalize

-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM]On
Behalf Of SecOrg
Sent: Friday, February 18, 2000 7:51 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Undernet/telnet attempts?

I have gotten a number of telnet attempts/scans on my server from undernet
IRC hosts. A couple of the hosts were
dallas-r.tx.us.undernet.org
ProxyScan.MD.US.Undernet.Org

As the name implies, I am guessing they are scanning wingates/proxies,
etc for security/eggdrop reasons. Does anyone know if they scan all
incoming connections for telnet(wingate) ports?  And if so, why they would
try to connect to it afterwards? Maybe some kind of fingerprinting
technique that would find out if it is a open wingate?
Thank you,

Randy McClelland-Bane
@Harborside Technical Support
1-800-680-8855


Current thread: