[kwlug-disc] Mysterious filtered ports on a server

B. S. bs27975 at gmail.com
Wed Oct 26 16:18:48 EDT 2016


On 10/26/2016 02:40 PM, Paul Nijjar via kwlug-disc wrote:
>
> Script kiddies install IRC on compromised machines, and then use it to
> check into command and control servers. Rogers has (had?) deep packet
> inspection that would sniff out this traffic.

I have no reason to believe they have or ever will stop this practice.

> We got caught by this, and then Rogers shut us down. Fair enough,
> except that Rogers refused to give us any information (including the
> remote IP!) about the problematic connection. When we begged for some
> information to help us troubleshoot, they told us that they were not
> responsible for managing our network.

Been here, through this. What a pile of BS.

All I wanted to know was what they detected, so I knew what to look for 
internally. Zip. Zero. Nada. After many hours on the phone, painfully 
traversing down to 3rd level support - to the people with access to the 
original report details - they still wouldn't / couldn't tell me. (They 
don't keep such logs for even two weeks? IIRC.)

Rogers had shut down a friend, and asked me to help, including 
authorizing me to be authoritative on their account.

Turned out ... one computer had had a virus, but the virus scanner had 
since updated and wiped out the virus. So I chased my tail for far too 
long looking for something that was no longer there.

However, Rogers does have / was able to add me to the notifications / 
contact list for the technical details should it happen again. (So I 
would know what to look for, next time.) Not that I really believed they 
would, YMMV, I suppose.

Never heard from them again. (As, AFAIK, there were never any subsequent 
issues.)

> So we just shut down IRC
> traffic. That does not solve the problem of our networks being
> infected (which we have tried to address in other ways) but at least
> it gets Rogers off our backs.

I wouldn't have expected so. IRC is a protocol, not a port, and can run 
over any port. (But, agreed, one has to shut down the ports, at a 
minimum.)

Just like shutting down the well known ports for torrent, vpn, facebook, 
whatever, is substantially pointless. They just hop to another port. Not 
preventable, especially if determined.

I believe the only real way to deal with such is through http proxies, a 
small list of permitted source ports in one's firewall, and deep packet 
inspectors - the latter of which is usually far too cost prohibitive to acquire.

And as soon as you limit the ports from which internal traffic can come, 
the user screams become intolerable to upper management, and I.T. is 
forced to remove the limits.

Placing I.T. between a rock and a hard place, and all around just beat 
before the get-go.

> Of course, this was the bad old days. Supposedly Rogers is much more
> accommodating now, and people never ever end up in tears after making
> service calls to the company. I know this because they spam our
> business account telling us how much they have improved.

Paul, I know a guy who knows a guy who has some property in Florida for 
sale ... interested?
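The point made above - that IRC is a protocol, not a port, so a port-based block misses a bot that checks in over 443 while protocol inspection of the payload does not - is illustrated by the following added example. It is not code from the thread or from any product mentioned in it; the flows, addresses and payloads are constructed for the demonstration, and the `Flow` record and the two verdict functions are names chosen here.

```python
"""Port-based blocking versus protocol-aware inspection for IRC check-in traffic.

Added example with constructed data; nothing here is captured from a real network.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Ports a port-based firewall rule would block: 6667 is the registered IRC port,
# 6697 is IRC over TLS. A bot that "hops" to another port is invisible to this rule.
IRC_PORTS = {6667, 6697}

# IRC (RFC 1459 / RFC 2812) is a line-oriented text protocol. Each message is one line,
# optionally prefixed with ":<source> ", then a command word and its parameters.
# A client registering with a server must send NICK and USER, and a bot then JOINs
# its control channel, so the opening bytes of the stream are highly recognisable.
IRC_LINE_RE = re.compile(
    rb"^(?::[^\s]+ )?(?:PASS|NICK|USER|JOIN|PRIVMSG|NOTICE|PING|PONG|MODE)(?: [^\r\n]*)?\r?$",
    re.MULTILINE,
)


@dataclass
class Flow:
    """One client-to-server TCP stream, reduced to what a DPI engine would look at."""
    src: str
    dst: str
    dport: int
    payload: bytes  # first bytes sent by the client


def looks_like_irc(payload: bytes, min_lines: int = 2) -> bool:
    """Return True if at least `min_lines` lines in the payload parse as IRC messages.

    Requiring more than one matching line keeps an HTTP body that happens to contain
    a word such as "NICK" from being flagged on its own.
    """
    return len(IRC_LINE_RE.findall(payload)) >= min_lines


def classify(flows: List[Flow]) -> Dict[str, Dict[str, bool]]:
    """Give each flow both verdicts so the gap between the two approaches is visible."""
    return {
        f"{f.src}->{f.dst}:{f.dport}": {
            "blocked_by_port_rule": f.dport in IRC_PORTS,
            "flagged_by_inspection": looks_like_irc(f.payload),
        }
        for f in flows
    }


def port_hoppers(flows: List[Flow]) -> List[Flow]:
    """Flows that content inspection flags but the port rule lets straight through."""
    return [f for f in flows if looks_like_irc(f.payload) and f.dport not in IRC_PORTS]


# Constructed sample traffic (RFC 5737 documentation addresses, made-up hosts and channels).
IRC_HANDSHAKE = b"NICK zombie42\r\nUSER z 0 * :z\r\nJOIN #ctrl\r\n"
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 6667, IRC_HANDSHAKE),              # IRC on its usual port
    Flow("10.0.0.7", "203.0.113.11", 443, IRC_HANDSHAKE),               # same protocol, hopped to 443
    Flow("10.0.0.8", "198.51.100.3", 80,
         b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),  # ordinary HTTP
    Flow("10.0.0.9", "198.51.100.4", 80,
         b"POST /api HTTP/1.1\r\nHost: www.example.com\r\n\r\nNICK name field\r\n"),  # one IRC-like word
    Flow("10.0.0.10", "198.51.100.5", 443,
         b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),              # start of a TLS ClientHello
]

if __name__ == "__main__":
    for key, verdict in classify(SAMPLE_FLOWS).items():
        print(f"{key:32s} port-rule={verdict['blocked_by_port_rule']!s:5s} "
              f"inspection={verdict['flagged_by_inspection']}")
    print("missed by the port rule:", [f"{f.dst}:{f.dport}" for f in port_hoppers(SAMPLE_FLOWS)])
```

Running it shows the two verdicts disagreeing only on the hopped flow to 443, which is exactly the case the post says port blocking cannot catch. The last sample is the flip side: once the same handshake is wrapped in TLS, a payload inspector sees only a ClientHello and the content rule has nothing to match, which is why the deep packet inspection products the post refers to are both effective on plaintext and expensive in general.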
