IRC traffic on non standard ports
I am always quite fond of IDS signatures that look for results of compromise, versus attack attempts. This may sound a bit fatalistic, as these signatures are only triggered after the attack succeeded, but on the other hand, these alerts are actionable and can be tuned better then some of the attack attempts (most of which don't succeed and don't provide a lot of actionable information).
Today, a reader wrote in with a nice detect of "NICK traffic on a non standard port".
Lets explain IRC a bit: IRC is a simple, text based online chat protocol [1], and it is used frequently to control botnets. To prevent simple port based detection, many malicious IRC servers run on odd ports. But the IRC traffic payload can be quite characteristic and easy to spot.
As the user connects to an IRC server, it will set a nick name. This is done via a "NICK" command. In addition, the USER command is used to set a user name. a USER and a NICK command have to be sent to connect to a server, and they are usually sent one after the other.
NICK something USER something else
The reader's IDS captured a single packet due to this signature. The content (slightly obfuscated) was:
NICK {USA|XPa}abcdefg USER abcdefg
These random strings with specific prefixes are typical for bot C&C, and finding a string like this would make me almost certainly look a lot closer at this particular system.
[1] http://www.irchelp.org/irchelp/text/rfc1459.txt
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter
Network Monitoring and Threat Detection In-Depth | Singapore | Nov 18th - Nov 23rd 2024 |
Comments
For example, DALnet uses port 7000, 6660-6669, 9000, 5500, and 7325 are also some common choices.
You can't tell if an IRC server is designed to be malicious solely based on port number; but if you see an IRC server running on port a WKP such as 80, 8080, 53, 443, it's almost always going to be malicious, the only real reason for IRCD to be running on port 80 is to try to evade firewalls.
IRC servers run on high-numbered ports so the daemon doesn't have to run as root.
Mysid
Aug 4th 2011
1 decade ago
Jan 27 04:46:33 myserver sshd[2346]: Bad protocol version identification 'NICK [USA]WINXP-10043' from 111.222.333.444
this was from a shell user tunnelling http traffic over a ssh connection.
joeblow
Aug 4th 2011
1 decade ago
Lee
Aug 5th 2011
1 decade ago
dayton
Aug 5th 2011
1 decade ago
@joeblow: This looks more like someone trying to connect to an SSH server using an IRC client. Does your ssh server run on an off port?
Dr. J
Aug 5th 2011
1 decade ago