[kwlug-disc] IPCop (and friends) vs hardware router
Andrew Kohlsmith (Mailing List Account)
aklists at mixdown.ca
Fri Jun 19 00:26:12 EDT 2009
On June 18, 2009 09:12:43 pm Paul Nijjar wrote:
> The most they are telling us is that we have IRC bots, and that they
> always seem to connect to a certain port. So my inclination is to
> block all and any traffic on that port, which IPCop could not do
> easily. Hence my cry for help.
When I am confronted with traffic patterns that don't "feel" right, I turn to
tcpdump. You may find wireshark better though.
I start by filtering out all traffic that I know is fine... something like
tcpdump -ni ppp0 not port 22 and not port 25 and not port 110 and not port 143
and not port 80 and not port 443 ...
you get the idea. What gets through is stuff I wasn't really expecting to see,
and I start weeding out the stuff that I didn't know I didn't care about... MSN
traffic, secure IMAP, etc.
After a few iterations of this, I'm left with traffic that I'm starting to get
curiouser and curiouser about. That's how I discovered an IRC bot on one of
my friend's servers. You usually see port 6660-6669 for that.
Turned out I had found a bunch of Romanian hackers who were trying to find
credit card info by breaking in to vulnerable SQL (mysql and mssql mostly). I
joined their network from a "safe" computer (not affiliated with any of my
networks, and running only ssh) and after some tense network probing and
questioning, I was able to convince them I wasn't a cop and was technical
enough to be cool. (odd world, innit?) They showed me some of the stuff they
were in to, how they did their stuff, and in the end I got an invite to party
with them when I visited Bucharest.
I did go to Bucharest, but didn't have time to meet up with the sketchy
Romanian hackers. I'm not so sure I would have wanted to meet them in person
on their home turf, either. My Romanian is far worse than my German and even
French, and neither of those can get me much past asking for a coffee or the
toilet. I think "terog nu ma omori" is about as much as I can muster, aside
from all the bad words my wife has taught me. :-)
Anyway -- wireshark's a lot more powerful than tcpdump, and its protocol and
stream dissectors can satisfy your packet curiosity far better than tcpdump
can. I never seem to use it, though, as it seems that I'm "wired" for
tcpdump's filter syntax. And I am just not *that* curious about my network all
More information about the kwlug-disc