OSEC

From: Marcel Cotta (AmpireMYREALBOX.COM)
Date: Tue Jan 16 2001 - 13:01:00 CST

    Boothman wrote:

    > Does anyone know about scans to port 3072 using a
    > source port of 6667-6669? Is this a known IRCU
    > scanning tool?

    ports 6667-6669 are the standard ports of an irc server
    port 3072 is often used for proxies or socks

    there are 3 possible scenarios:

    1. someone is scanning for open socks and uses source ports normal irc
        servers use to avoid a firewall drop for non "irc like" ports (6666-6669)

    2. someone set up a backdoor on port 3072 and scans from 6667-6669 to
        not look suspicious to ids, firewall or admin

    3. maybe the scans you see are just some irc servers checking for a
        socks server.
        many irc servers do a check when you connect to them and auto kline
        (gline) since socks and proxies are often abused for spam, flooding,
        harassment etc.
        though this is very unlikely since I've never seen an irc server
        doing a sock scan from 6667-6669

    hope it helped a bit

    --
    

    Paranoia Is Just Reality Seen On A Finer Scale

    Ampiremyrealbox.com Marcel Cotta
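
As an added example (not part of the original post): one way to separate the traffic described in scenarios 1 and 2 from genuine IRC replies is to flag inbound bare SYNs whose source port is 6667-6669 and that do not answer a connection the local host opened. The log format, the function name `find_irc_sourced_probes` and all addresses (documentation ranges) are constructed assumptions.

```python
import re
from collections import defaultdict

IRC_PORTS = range(6667, 6670)  # source ports named in the thread

# Constructed sample log. Assumed format:
#   time direction proto src:sport dst:dport tcp-flags
SAMPLE_LOG = """\
10:00:01 OUT TCP 192.0.2.10:40001 198.51.100.5:6667 SYN
10:00:01 IN TCP 198.51.100.5:6667 192.0.2.10:40001 SYN,ACK
10:02:13 IN TCP 203.0.113.7:6667 192.0.2.10:3072 SYN
10:02:13 IN TCP 203.0.113.7:6668 192.0.2.11:3072 SYN
10:02:14 IN TCP 203.0.113.7:6669 192.0.2.12:3072 SYN
10:05:40 IN TCP 203.0.113.9:51515 192.0.2.10:3072 SYN
"""

LINE = re.compile(r"(\S+) (IN|OUT) TCP (\S+):(\d+) (\S+):(\d+) (\S+)")


def find_irc_sourced_probes(log_text):
    """Return {source_ip: [(dst_ip, dst_port), ...]} for unsolicited
    inbound SYNs that use an IRC server port as their source port."""
    outbound = set()            # flows the local side initiated
    probes = defaultdict(set)   # source ip -> targets it tried
    for line in log_text.splitlines():
        m = LINE.fullmatch(line.strip())
        if not m:
            continue
        _, direction, src, sport, dst, dport, flags = m.groups()
        sport, dport = int(sport), int(dport)
        flagset = set(flags.split(","))
        if direction == "OUT" and flagset == {"SYN"}:
            outbound.add((src, sport, dst, dport))
            continue
        if direction != "IN" or sport not in IRC_PORTS:
            continue
        # A reply to a connection we opened to an IRC server is expected.
        if (dst, dport, src, sport) in outbound:
            continue
        # A bare SYN is a new connection attempt; a real IRC server
        # answering a client would send SYN,ACK, never an initial SYN.
        if flagset == {"SYN"}:
            probes[src].add((dst, dport))
    return {src: sorted(targets) for src, targets in probes.items()}


if __name__ == "__main__":
    for src, targets in find_irc_sourced_probes(SAMPLE_LOG).items():
        print(src, "->", targets)
```

A stateless filter that accepts anything with source port 6667-6669 would pass all three flagged SYNs, which is why the check keys on connection state rather than on the port number alone.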