I've noticed the following ircd connections in tcpdump, and wondered why my box was communicating to an IRC server (and vice versa). When I use an IRC client to connect to 64.35.57.81:6667, I log on to a jade.va.us.dal.net server. So I check for the existence of jade.va.us.dal.net at http://www.irchelp.org/irchelp/networks/servers/dalnet.html and it's there.
-----
14:59:57.971119 64.35.57.81.ircd > 202.7.95.227.2916: P 841:867(26) ack 701 win 7060 <nop,nop,timestamp 3640386803 26431156> (DF)
14:59:57.971119 202.7.95.227.2916 > 64.35.57.81.ircd: P 701:726(25) ack 867 win 10300 <nop,nop,timestamp 26441096 3640386803> (DF)
14:59:58.281119 64.35.57.81.ircd > 202.7.95.227.2916: . ack 726 win 7060 <nop,nop,timestamp 3640386834 26441096> (DF)
15:00:27.421119 202.7.95.227.64623 > 205.188.9.159.11952: P 3870:3876(6) ack 6100 win 9089 (DF)
15:00:27.901119 205.188.9.159.11952 > 192.168.0.8.4955: . ack 3877 win 16384 (DF)
15:01:38.181119 64.35.57.81.ircd > 202.7.95.227.2916: P 867:893(26) ack 726 win 7060 <nop,nop,timestamp 3640396825 26441096> (DF)
15:01:38.181119 202.7.95.227.2916 > 64.35.57.81.ircd: P 726:751(25) ack 893 win 10300 <nop,nop,timestamp 26451117 3640396825> (DF)
15:01:38.721119 202.7.95.227.2916 > 64.35.57.81.ircd: P 726:751(25) ack 893 win 10300 <nop,nop,timestamp 26451171 3640396825> (DF)
15:01:39.001119 64.35.57.81.ircd > 202.7.95.227.2916: . ack 751 win 7060 <nop,nop,timestamp 3640396907 26451171> (DF)
-----

This seems to be a newly formed IRC server, with a missing MOTD, 4 channels, with weird looking users like "infCATBON", "infWHGIMQ", "infUILYIP" and "LMLMLMLM" in the 3 available channels (using /list), with user uptimes of 173hrs 10mins 38secs, a compile date of Thu Nov 21 2002 at 04:24:17 EST using Unreal3.2-Selene[beta12], which is described to be a derivative of a former IRCd used by DALnet at http://www.unrealircd.com/about.html. One of the users had a logon date of Fri Nov 22 12:11:40.

I log on to another listed DALnet IRC server - dingo.vic.au.dal.net:6667. This looks like a real and/or active DALnet server:

There are 1290 users and 79286 invisible on 22 servers
68 IRC Operators online
33188 channels formed
I have 2208 clients and 1 servers
Current local users: 2208  Max: 3504
Current global users: 80576  Max: 96604

Question
--------
Why would my box try to talk to this server ?
The server compile (21 Nov) and user logon (22 Nov) times seem to nearly coincide with a recent DoS attack against my machine on the 23 Nov and 25 Nov. I've been monitoring my ppp0 traffic very closely lately and haven't noticed any auto-startup initiated DoS, i.e. my machine seems quiet and humble as normal when the ADSL is online when I use the net. If my box is compromised, then the DoS attacks could be command triggered. Could I be talking to the bots on this "new" DALnet server ? Also DALnet is predominantly US-based. And I have reserved suspicions that the attackers are in the US. What do people think ?

-- 
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
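An added example, not part of the original post, that parses the quoted tcpdump lines and answers the practical questions such a capture raises: which remote endpoints the box talks to, which of those are on IRC ports, how many data bytes move in each direction, whether any segment was retransmitted, and how regularly the remote server pushes data. The sample is the capture from the post. The local addresses 202.7.95.227 and 192.168.0.8 are taken from the capture and assumed to be the poster's public ppp0 address and a masqueraded LAN host; the IRC port list is an assumption about commonly used ports. Note what the capture shows on its own terms: the server sends 26 data bytes and the client answers with 25 about every 100 seconds, which is the size and cadence of an IRC keepalive (`PING :jade.va.us.dal.net\r\n` is 26 bytes, `PONG jade.va.us.dal.net\r\n` is 25), so in this window the session looks idle rather than actively receiving commands; that reading is an inference, not something the capture proves.

```python
import re
from collections import defaultdict

# Constructed sample: the ppp0 capture quoted in the post, one packet per line.
SAMPLE = """\
14:59:57.971119 64.35.57.81.ircd > 202.7.95.227.2916: P 841:867(26) ack 701 win 7060 <nop,nop,timestamp 3640386803 26431156> (DF)
14:59:57.971119 202.7.95.227.2916 > 64.35.57.81.ircd: P 701:726(25) ack 867 win 10300 <nop,nop,timestamp 26441096 3640386803> (DF)
14:59:58.281119 64.35.57.81.ircd > 202.7.95.227.2916: . ack 726 win 7060 <nop,nop,timestamp 3640386834 26441096> (DF)
15:00:27.421119 202.7.95.227.64623 > 205.188.9.159.11952: P 3870:3876(6) ack 6100 win 9089 (DF)
15:00:27.901119 205.188.9.159.11952 > 192.168.0.8.4955: . ack 3877 win 16384 (DF)
15:01:38.181119 64.35.57.81.ircd > 202.7.95.227.2916: P 867:893(26) ack 726 win 7060 <nop,nop,timestamp 3640396825 26441096> (DF)
15:01:38.181119 202.7.95.227.2916 > 64.35.57.81.ircd: P 726:751(25) ack 893 win 10300 <nop,nop,timestamp 26451117 3640396825> (DF)
15:01:38.721119 202.7.95.227.2916 > 64.35.57.81.ircd: P 726:751(25) ack 893 win 10300 <nop,nop,timestamp 26451171 3640396825> (DF)
15:01:39.001119 64.35.57.81.ircd > 202.7.95.227.2916: . ack 751 win 7060 <nop,nop,timestamp 3640396907 26451171> (DF)
"""

# Assumption: the box's public ppp0 address and its masqueraded LAN; both appear in the capture.
LOCAL_PREFIXES = ("202.7.95.227", "192.168.0.")
# Assumption: ports commonly used for IRC. tcpdump prints 6667 as "ircd" via /etc/services.
IRC_PORTS = {"ircd", "6665", "6666", "6667", "6668", "6669", "7000"}

# tcpdump 3.x TCP line: ts src.sport > dst.dport: flags [seq:seq(len)] ack N win W ...
PKT_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>[\d.]+)\.(?P<sport>\w+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\w+): (?P<flags>[A-Z.]+)"
    r"(?: (?P<seq_lo>\d+):(?P<seq_hi>\d+)\((?P<len>\d+)\))? ack (?P<ack>\d+)"
)


def to_seconds(ts):
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse(text):
    """Return one dict per TCP line; lines that do not match the format are ignored."""
    pkts = []
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if m:
            p = m.groupdict()
            p["len"] = int(p["len"] or 0)   # pure ACKs carry no data
            p["t"] = to_seconds(p["ts"])
            pkts.append(p)
    return pkts


def is_local(host):
    return host.startswith(LOCAL_PREFIXES)


def summarize(pkts):
    """Group packets into flows keyed by (local endpoint, remote endpoint), both directions."""
    flows = defaultdict(lambda: {"packets": 0, "bytes_out": 0, "bytes_in": 0, "irc": False})
    for p in pkts:
        outbound = is_local(p["src"])
        if outbound:
            local, remote = (p["src"], p["sport"]), (p["dst"], p["dport"])
        else:
            local, remote = (p["dst"], p["dport"]), (p["src"], p["sport"])
        f = flows[(local, remote)]
        f["packets"] += 1
        f["bytes_out" if outbound else "bytes_in"] += p["len"]
        f["irc"] = remote[1] in IRC_PORTS
    return dict(flows)


def retransmissions(pkts):
    """Data segments whose exact sequence range was already sent on the same 4-tuple."""
    seen, dups = set(), []
    for p in pkts:
        if p["len"] == 0:
            continue
        key = (p["src"], p["sport"], p["dst"], p["dport"], p["seq_lo"], p["seq_hi"])
        if key in seen:
            dups.append((p["ts"], key))
        seen.add(key)
    return dups


def push_intervals(pkts, remote_host):
    """Seconds between successive data-bearing segments sent by remote_host."""
    times = [p["t"] for p in pkts if p["src"] == remote_host and p["len"] > 0]
    return [round(b - a, 2) for a, b in zip(times, times[1:])]


if __name__ == "__main__":
    pkts = parse(SAMPLE)
    for (local, remote), f in summarize(pkts).items():
        tag = "  <- IRC port" if f["irc"] else ""
        print(f"{local[0]}:{local[1]} <-> {remote[0]}:{remote[1]} "
              f"pkts={f['packets']} out={f['bytes_out']}B in={f['bytes_in']}B{tag}")
    for ts, key in retransmissions(pkts):
        print(f"retransmission at {ts}: {key[0]}:{key[1]} -> {key[2]}:{key[3]} seq {key[4]}:{key[5]}")
    print("server push intervals (s):", push_intervals(pkts, "64.35.57.81"))
```

A capture on ppp0 can show which sockets exist but never which local process owns them. On the box itself, as root, `netstat -anp` or `lsof -i :6667` maps the local port (2916 here) to a PID and binary; since a compromised host may carry a replaced netstat or a kernel module hiding the socket, compare the tool binaries against package checksums (for example `rpm -V` or `debsums`) or run them from known-good media before trusting that answer.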
