[kwlug-disc] IPCop (and friends) vs hardware router
Andrew Kohlsmith (Mailing List Account)
aklists at mixdown.ca
Fri Jun 19 00:26:12 EDT 2009
On June 18, 2009 09:12:43 pm Paul Nijjar wrote:
> The most they are telling us is that we have IRC bots, and that they
> always seem to connect to a certain port. So my inclination is to
> block all and any traffic on that port, which IPCop could not do
> easily. Hence my cry for help.
When I am confronted with traffic patterns that don't "feel" right, I turn to
tcpdump. You may find wireshark better though.
I start by filtering out all traffic that I know is fine... something like
tcpdump -ni ppp0 not port 22 and not port 25 and not port 110 and not port 143 and not port 80 and not port 443 ...
you get the idea. What gets through is stuff I wasn't really expecting to see,
and I start weeding out the stuff that I didn't know I didn't care about... MSN
traffic, secure IMAP, etc.
After a few iterations of this, I'm left with traffic that I'm starting to get
curiouser and curiouser about. That's how I discovered an IRC bot on one of
my friend's servers. You usually see port 6660-6669 for that.
Turned out I had found a bunch of Romanian hackers who were trying to find
credit card info by breaking into vulnerable SQL (mysql and mssql mostly). I
joined their network from a "safe" computer (not affiliated with any of my
networks, and running only ssh) and after some tense network probing and
questioning, I was able to convince them I wasn't a cop and was technical
enough to be cool. (odd world, innit?) They showed me some of the stuff they
were into, how they did their stuff, and in the end I got an invite to party
with them when I visited Bucharest.
I did go to Bucharest, but didn't have time to meet up with the sketchy
Romanian hackers. I'm not so sure I would have wanted to meet them in person
on their home turf, either. My Romanian is far worse than my German and even
French, and neither of those can get me much past asking for a coffee or the
toilet. I think "terog nu ma omori" is about as much as I can muster, aside
from all the bad words my wife has taught me. :-)
Anyway -- Wireshark's a lot more powerful than tcpdump, and its protocol and
stream dissectors can satisfy your packet curiosity far better than tcpdump
can. I never seem to use it, though, as it seems that I'm "wired" for
tcpdump's filter syntax. And I am just not *that* curious about my network all
that often.
-A.
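The "filter out what you know is fine, then tally what's left" loop described above, as an added example that is not part of the original post. It builds the same `not port X and not port Y ...` BPF expression the post types by hand, then applies the identical weeding to the text output of `tcpdump -n` (parsed from constructed sample lines embedded below, so it runs offline with no capture interface), counts the survivors per service port, and flags peers talking on the post's IRC rule-of-thumb range 6660-6669. The allowlisted ports, the sample addresses (documentation ranges) and the "lower port is the service side" heuristic are all assumptions of this example.

```python
"""Iterative tcpdump triage: strip known-good traffic, tally what's left.

Added example, not code from the original post. Works on `tcpdump -n` text
output; the sample lines below are constructed for illustration.
"""
import re
from collections import Counter

# Ports the post treats as "known fine" on the first pass (assumption: the
# post's list, minus the elided "..." tail).
KNOWN_GOOD_PORTS = {22, 25, 80, 110, 143, 443}

# The post's rule of thumb for IRC command-and-control traffic.
IRC_PORTS = range(6660, 6670)

# Constructed tcpdump -n output (TCP, one packet per line). Addresses are
# RFC 5737 documentation ranges; 1863 is MSN, 993 is IMAPS, 6667 is IRC.
SAMPLE_LINES = """\
00:26:12.000001 IP 192.0.2.10.51234 > 198.51.100.5.80: Flags [S], seq 1, win 64240, length 0
00:26:12.000123 IP 192.0.2.10.51235 > 198.51.100.5.443: Flags [S], seq 2, win 64240, length 0
00:26:12.000456 IP 192.0.2.10.51236 > 203.0.113.9.6667: Flags [P.], seq 1:32, ack 1, win 502, length 31
00:26:12.000789 IP 203.0.113.9.6667 > 192.0.2.10.51236: Flags [P.], seq 1:40, ack 32, win 502, length 39
00:26:13.000001 IP 192.0.2.10.51236 > 203.0.113.9.6667: Flags [P.], seq 32:60, ack 40, win 502, length 28
00:26:13.000002 IP 192.0.2.10.51238 > 198.51.100.7.1863: Flags [S], seq 3, win 64240, length 0
00:26:13.000003 IP 192.0.2.10.51239 > 198.51.100.8.993: Flags [S], seq 4, win 64240, length 0
"""

# "ts IP a.b.c.d.sport > e.f.g.h.dport:" -- the leading part of every TCP/UDP
# line that tcpdump -n prints; the greedy [\d.]+ backtracks to split the port.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):"
)


def bpf_filter(exclude_ports):
    """Return the BPF expression the post builds by hand: 'not port X and ...'."""
    return " and ".join(f"not port {p}" for p in sorted(exclude_ports))


def parse(text):
    """Parse tcpdump -n text into (src, sport, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            flows.append((m["src"], int(m["sport"]), m["dst"], int(m["dport"])))
    return flows


def weed(flows, known_good=KNOWN_GOOD_PORTS):
    """Drop packets touching a known-good port on either end (what the BPF
    'not port N' clause does at capture time). Re-run with a bigger set as you
    learn what else you don't care about."""
    return [f for f in flows if f[1] not in known_good and f[3] not in known_good]


def tally_by_port(flows):
    """Count surviving packets per service port. Heuristic (assumption): the
    lower of the two ports is the service side, since ephemeral ports are high."""
    return dict(Counter(min(f[1], f[3]) for f in flows))


def irc_peers(flows):
    """Return {(remote_ip, port)} for packets on the 6660-6669 IRC range."""
    peers = set()
    for src, sport, dst, dport in flows:
        if dport in IRC_PORTS:
            peers.add((dst, dport))
        if sport in IRC_PORTS:
            peers.add((src, sport))
    return peers


if __name__ == "__main__":
    print("tcpdump -ni ppp0", bpf_filter(KNOWN_GOOD_PORTS))
    flows = parse(SAMPLE_LINES)
    survivors = weed(flows)
    print("after first pass:", tally_by_port(survivors))
    # Second iteration: MSN (1863) and secure IMAP (993) turn out to be benign.
    survivors = weed(survivors, KNOWN_GOOD_PORTS | {1863, 993})
    print("after second pass:", tally_by_port(survivors))
    print("IRC-range peers:", irc_peers(survivors))
```

The two `weed` passes mirror the post's iterations: the first strips the mail and web ports, the second adds the MSN and IMAPS traffic once they are recognised, and what remains is three packets to one peer on 6667. On a real box, feed `tcpdump -ni ppp0 -l` output into `parse` and keep growing the allowlist until the residue is small enough to read by hand; then confirm any IRC hit by looking at the payload (NICK/JOIN lines) rather than trusting the port alone, since bots do not have to use 6660-6669.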