
List:       focus-ids
Subject:    Re: port 3072
From:       Marcel Cotta <Ampire () MYREALBOX ! COM>
Date:       2001-01-16 19:01:00

Boothman wrote:

 > Does anyone know about scans to port 3072 using a
 > source port of 6667-6669?  Is this a known IRCU
 > scanning tool?



ports 6667-6669 are the standard ports of an irc server
port 3072 is often used for proxies or socks

there are 3 possible scenarios:

1. someone is scanning for open socks and uses source ports normal irc servers
    use to avoid a firewall drop for non "irc like" ports (6666-6669)

2. someone set up a backdoor on port 3072 and scans from 6667-6669 to
    not look suspicious to ids, firewall or admin

3. maybe the scans you see are just some irc servers checking for a socks server.
    many irc servers do a check when you connect to them and auto kline (gline)
    since socks and proxies are often abused for spam, flooding, harassment etc.
    though this is very unlikely since I've never seen an irc server doing a sock scan from 6667-6669

hope it helped a bit

--

Paranoia Is Just Reality Seen On A Finer Scale

Ampire@myrealbox.com
Marcel Cotta
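
A triage sketch for the three scenarios above, added as an example and not part of the original message: it checks whether each probe to port 3072 from source ports 6667-6669 follows an outbound IRC connection from the probed host to the same address (scenario 3) or arrives unsolicited (scenarios 1 and 2). The log format, the 60-second window and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict

IRC_PORTS = range(6667, 6670)   # 6667-6669, as in the thread
PROBED_PORT = 3072
WINDOW = 60  # seconds; assumed delay between a client connect and the server's proxy check

# Constructed sample connection log (epoch seconds, documentation IP ranges).
SAMPLE_LOG = """\
979671600 192.0.2.10:1045 -> 198.51.100.7:6667
979671603 198.51.100.7:6667 -> 192.0.2.10:3072
979671900 203.0.113.5:6668 -> 192.0.2.10:3072
979671901 203.0.113.5:6668 -> 192.0.2.11:3072
979671902 203.0.113.5:6669 -> 192.0.2.12:3072
"""

LINE = re.compile(r"(\d+) ([\d.]+):(\d+) -> ([\d.]+):(\d+)")

def triage(log_text, window=WINDOW):
    """Return {remote_ip: verdict} for probes to PROBED_PORT from IRC source ports."""
    outbound = defaultdict(list)  # (local, remote) -> times local connected to remote's IRC port
    probes = defaultdict(list)    # remote -> [(time, local host probed)]
    for m in LINE.finditer(log_text):
        ts, src, sport, dst, dport = m.group(1, 2, 3, 4, 5)
        ts, sport, dport = int(ts), int(sport), int(dport)
        if dport in IRC_PORTS:
            outbound[(src, dst)].append(ts)
        elif dport == PROBED_PORT and sport in IRC_PORTS:
            probes[src].append((ts, dst))
    verdicts = {}
    for remote, hits in probes.items():
        # A probe is "explained" if the probed host connected to this remote's
        # IRC port at most `window` seconds earlier.
        explained = all(
            any(0 <= ts - t0 <= window for t0 in outbound[(local, remote)])
            for ts, local in hits
        )
        targets = {local for _, local in hits}
        if explained:
            verdicts[remote] = "follows local IRC connect (scenario 3)"
        elif len(targets) > 1:
            verdicts[remote] = "unsolicited sweep of %d hosts (scenario 1 or 2)" % len(targets)
        else:
            verdicts[remote] = "unsolicited single probe (scenario 1 or 2)"
    return verdicts

if __name__ == "__main__":
    for ip, verdict in triage(SAMPLE_LOG).items():
        print(ip, "->", verdict)
```

Traffic logs alone cannot separate scenario 1 from scenario 2; that needs a check of what, if anything, is listening on port 3072 on the probed hosts.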
