Intrusion Detection FAQ: Port 1080 and 23, and IRC Server Signature

Tim White has mapped the behavior of a number of IRC servers. Feel free to write handler@incidents.org with additional patterns.

I get about 20-500 of these a week, depending on how much IRC traffic we have. Not all irc servers generate the traffic, and the irc servers I see generating the traffic do not follow a pattern when scanning. It is quite odd. 

unet.chatsystems.com

Dec 22 10:33:22 irc[20436]: connect host=unknown/172.16.140.52

destination=206.138.230.200/6667

Dec 22 10:33:30 tn-gw[20454]: deny host=unknown/206.138.230.251 use of proxy

Dec 22 10:33:30 unix: securityalert: tcp if=hme1 from 206.138.230.251:4878

to inetgw on unserved port 1080

starchat.net

Dec 23 13:53:39 irc[998]: connect host=unknown/172.16.57.138

destination=208.213.162.254/6667

Dec 23 13:53:39 unix: securityalert: tcp if=hme1 from 208.213.162.254:3343

to inetgw on unserved port 1080

starchat.net

Dec 24 16:05:38 irc[27541]: connect host=unknown/172.16.57.138

destination=208.213.162.254/6667

Dec 24 16:05:38 unix: securityalert: tcp if=hme1 from 208.213.162.254:4000

to inetgw on unserved port 1080

WebChat.MD.US.Undernet.Org

Dec 27 13:23:13 tn-gw[5979]: deny host=unknown/207.114.24.98 use of proxy

Dec 27 13:23:13 unix: securityalert: tcp if=hme1 from 207.114.24.98:2582 to

inetgw on unserved port 1080

unknown

Dec 28 16:02:16 irc[29239]: connect host=unknown/162.89.184.175

destination=209.133.28.38/6667

Dec 28 16:02:19 unix: securityalert: tcp if=hme1 from 209.133.28.38:1156 to

inetgw on unserved port 1080

Dec 28 16:02:19 unix: securityalert: tcp if=hme1 from 209.133.28.38:1156 to

inetgw on unserved port 1080

Dec 28 16:02:20 unix: securityalert: tcp if=hme1 from 209.133.28.38:1156 to

inetgw on unserved port 1080

unknown

Dec 28 16:52:21 irc[5749]: connect host=unknown/172.16.175.184

destination=209.133.28.38/6667

Dec 28 16:52:25 unix: securityalert: tcp if=hme1 from 209.133.28.38:2923 to

inetgw on unserved port 1080

Dec 28 16:52:25 unix: securityalert: tcp if=hme1 from 209.133.28.38:2923 to

inetgw on unserved port 1080

Dec 28 16:52:26 unix: securityalert: tcp if=hme1 from 209.133.28.38:2923 to

inetgw on unserved port 1080

Dec 28 16:52:27 unix: securityalert: tcp if=hme1 from 209.133.28.38:2923 to

inetgw on unserved port 1080

unknown

Dec 29 15:13:56 irc[10049]: connect host=unknown/172.16.175.184

destination=209.133.28.38/6667

Dec 29 15:13:57 unix: securityalert: tcp if=hme1 from 209.133.28.38:2328 to

inetgw on unserved port 1080

Dec 29 15:13:57 unix: securityalert: tcp if=hme1 from 209.133.28.38:2328 to

inetgw on unserved port 1080

Dec 29 15:13:58 unix: securityalert: tcp if=hme1 from 209.133.28.38:2328 to
inetgw on unserved port 1080

Dec 29 15:13:59 unix: securityalert: tcp if=hme1 from 209.133.28.38:2328 to

inetgw on unserved port 1080

starchat.net

Dec 30 01:19:36 irc[5212]: connect host=unknown/172.16.57.138

destination=208.213.162.254/6667

Dec 30 01:19:36 unix: securityalert: tcp if=hme1 from 208.213.162.254:2180

to inetgw on unserved port 1080

SANS has opened my eyes to things I never would have considered on my own research.
-Doug Wells, Media General, Inc.

SANSFIRE 2013 - Washington

Latest Whitepapers

Event Monitoring and Incident Response
By Ryan Boyle

Dead Linux Machines Do Tell Tales
By James Fung

Setting Up a Database Security Logging and Monitoring Program
By Jim Horwath

Latest Tweets

DFIR Webcast starts in 75 minutes - 50 Shades of Hidden - Di [...]
May 17, 2013 - 3:46 PM

New blog post by @yorikv on pen test tips for file analysis. [...]
May 16, 2013 - 5:07 PM

New Blog Post: SANS EU #DFIR Summit in Prague - Call for Spe [...]
May 16, 2013 - 12:33 AM

Contact Us

(301) 654-SANS (7267)
Mon-Fri 9am - 8pm EST/EDT
info@sans.org

"The perfect balance of theory and hands-on experience."
- James D. Perry II, University of Tennessee

"SANS is far more in-depth than other training I have attended."
- Frank Rajnai, Sears Canada Inc

"SANS always provides you what you need to become a better security professional at the right price."
- Rasik Vekaria, BP