Intrusion Detection FAQ: Port 1080 and 23, and IRC Server Signature

Tim White has mapped the behavior of a number of IRC servers. Feel free to write handler@incidents.org with additional patterns.

I get about 20-500 of these a week, depending on how much IRC traffic we have. Not all IRC servers generate the traffic, and the IRC servers I see generating the traffic do not follow a pattern when scanning. It is quite odd.

unet.chatsystems.com
Dec 22 10:33:22 irc[20436]: connect host=unknown/172.16.140.52 destination=206.138.230.200/6667
Dec 22 10:33:30 tn-gw[20454]: deny host=unknown/206.138.230.251 use of proxy
Dec 22 10:33:30 unix: securityalert: tcp if=hme1 from 206.138.230.251:4878 to inetgw on unserved port 1080

starchat.net
Dec 23 13:53:39 irc[998]: connect host=unknown/172.16.57.138 destination=208.213.162.254/6667
Dec 23 13:53:39 unix: securityalert: tcp if=hme1 from 208.213.162.254:3343 to inetgw on unserved port 1080

starchat.net
Dec 24 16:05:38 irc[27541]: connect host=unknown/172.16.57.138 destination=208.213.162.254/6667
Dec 24 16:05:38 unix: securityalert: tcp if=hme1 from 208.213.162.254:4000 to inetgw on unserved port 1080

WebChat.MD.US.Undernet.Org
Dec 27 13:23:13 tn-gw[5979]: deny host=unknown/207.114.24.98 use of proxy
Dec 27 13:23:13 unix: securityalert: tcp if=hme1 from 207.114.24.98:2582 to inetgw on unserved port 1080

unknown
Dec 28 16:02:16 irc[29239]: connect host=unknown/162.89.184.175 destination=209.133.28.38/6667
Dec 28 16:02:19 unix: securityalert: tcp if=hme1 from 209.133.28.38:1156 to inetgw on unserved port 1080
Dec 28 16:02:19 unix: securityalert: tcp if=hme1 from 209.133.28.38:1156 to inetgw on unserved port 1080
Dec 28 16:02:20 unix: securityalert: tcp if=hme1 from 209.133.28.38:1156 to inetgw on unserved port 1080

unknown
Dec 28 16:52:21 irc[5749]: connect host=unknown/172.16.175.184 destination=209.133.28.38/6667
Dec 28 16:52:25 unix: securityalert: tcp if=hme1 from 209.133.28.38:2923 to inetgw on unserved port 1080
Dec 28 16:52:25 unix: securityalert: tcp if=hme1 from 209.133.28.38:2923 to inetgw on unserved port 1080
Dec 28 16:52:26 unix: securityalert: tcp if=hme1 from 209.133.28.38:2923 to inetgw on unserved port 1080
Dec 28 16:52:27 unix: securityalert: tcp if=hme1 from 209.133.28.38:2923 to inetgw on unserved port 1080

unknown
Dec 29 15:13:56 irc[10049]: connect host=unknown/172.16.175.184 destination=209.133.28.38/6667
Dec 29 15:13:57 unix: securityalert: tcp if=hme1 from 209.133.28.38:2328 to inetgw on unserved port 1080
Dec 29 15:13:57 unix: securityalert: tcp if=hme1 from 209.133.28.38:2328 to inetgw on unserved port 1080
Dec 29 15:13:58 unix: securityalert: tcp if=hme1 from 209.133.28.38:2328 to inetgw on unserved port 1080
Dec 29 15:13:59 unix: securityalert: tcp if=hme1 from 209.133.28.38:2328 to inetgw on unserved port 1080

starchat.net
Dec 30 01:19:36 irc[5212]: connect host=unknown/172.16.57.138 destination=208.213.162.254/6667
Dec 30 01:19:36 unix: securityalert: tcp if=hme1 from 208.213.162.254:2180 to inetgw on unserved port 1080
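
One way to correlate these entries, as an added example that is not part of the original FAQ: each unserved-port alert or tn-gw proxy denial is paired with the most recent outbound IRC connect whose destination lies in the same network as the probing address, which also catches the unet.chatsystems.com case where the probe comes from a neighbouring host. The 10-second window, the /24 match and the function names are assumptions, and each log entry is expected on a single line.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Entries copied from the logs above, with wrapped lines joined.
SAMPLE = """\
Dec 22 10:33:22 irc[20436]: connect host=unknown/172.16.140.52 destination=206.138.230.200/6667
Dec 22 10:33:30 tn-gw[20454]: deny host=unknown/206.138.230.251 use of proxy
Dec 22 10:33:30 unix: securityalert: tcp if=hme1 from 206.138.230.251:4878 to inetgw on unserved port 1080
Dec 23 13:53:39 irc[998]: connect host=unknown/172.16.57.138 destination=208.213.162.254/6667
Dec 23 13:53:39 unix: securityalert: tcp if=hme1 from 208.213.162.254:3343 to inetgw on unserved port 1080
Dec 27 13:23:13 unix: securityalert: tcp if=hme1 from 207.114.24.98:2582 to inetgw on unserved port 1080
"""

TS = r"(\w{3} +\d+ [\d:]+) "
CONNECT = re.compile(TS + r"irc\[\d+\]: connect host=\S+/(\S+) destination=([\d.]+)/\d+")
PROBE = re.compile(TS + r"(?:unix: securityalert: tcp if=\S+ from ([\d.]+):\d+ to \S+"
                   r" on unserved port (\d+)|tn-gw\[\d+\]: deny host=\S+/([\d.]+) use of proxy)")

def parse_ts(stamp):
    # Syslog omits the year; a fixed one is assumed so times can be compared.
    return datetime.strptime("2000 " + stamp, "%Y %b %d %H:%M:%S")

def correlate(log, window=timedelta(seconds=10), prefix=24):
    """Return (probe source, probe kind, internal client or None) per probe."""
    connects, findings = [], []
    for line in log.splitlines():
        if m := CONNECT.match(line):
            connects.append((parse_ts(m[1]), m[2], ip_address(m[3])))
            continue
        m = PROBE.match(line)
        if not m:
            continue
        when, src = parse_ts(m[1]), ip_address(m[2] or m[4])
        kind = f"port {m[3]}" if m[2] else "tn-gw"
        # Match on the probe's network, not the exact IRC server address.
        net = ip_network(f"{src}/{prefix}", strict=False)
        client = next((c for t, c, dst in reversed(connects)
                       if dst in net and timedelta(0) <= when - t <= window), None)
        findings.append((str(src), kind, client))
    return findings

if __name__ == "__main__":
    for src, kind, client in correlate(SAMPLE):
        print(f"{src:16} {kind:10} triggered by {client or 'no logged IRC connect'}")
```

A probe with no matching client, like the Dec 27 entry, is the case to look at first, since nothing in the log ties it to an internal user's IRC session.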