bopm = virus :p
Just got this email from the network admin of my home network, some random guy I don’t know, and my director all at the same time.
Forwarded from netadmin above me:
PSCs,

We got an external report that claims (ip of my ircd-host, removed) was allegedly
sending viruses to hosts on the 199.17.x.x net block on 15 Feb 2007
between 22:03:50 and 22:04:12.

If you could, please check out this machine for any signs of compromise
and let us know if you find anything.

Thanks,
This got filtered through a netadmin and two layers of management, and then to me. Here’s my reply.
The “victim” in question is 199.17.xxx.xxx. From a brief glimpse at the
logs, I’m guessing they’re an infrequent visitor to www.gotwoot.net (a
community that I co-administer).

At the time in question, the user visited www.gotwoot.net and clicked on
the “irc” link, which sent this request (from the apache access log on www.gotwoot.net):

————————————————————————
199.17.xxx.xxx - - [15/Feb/2007:21:03:07 -0600] "GET /irc/eirc_en.class HTTP/1.1" 200 23791 "-" "Mozilla/4.0 (Windows XP 5.1) Java/1.5.0_07"
————————————————————————

That got the user a copy of the irc web client applet from that site,
which in turn ran in the user’s browser and attempted to connect to
irc.gotwoot.net, which currently points at (ip of my ircd-host).

(ip of my ircd-host) runs freebsd 6.1, unrealircd 3.2.6 and blitzed open
proxy monitor, and hosts a very small irc network for the community.
It’s there as a personal side-project, and has no other roles (apart
from dust collection).

One of two scenarios happened, and I can’t confirm which because I don’t
keep detailed logs on the ircd or bopm:

Either (1) the user initiated a connection, and their campus firewall
caught it and blocked it (since many places don’t allow irc traffic), or
(2) the user initiated a connection, which made it to the ircd, and bopm
scanned them for open proxies. Currently, bopm scans for HTTP GET,
HTTP POST, SOCKS4, SOCKS5, ROUTER or WINGATE proxy, spanning ports 23,
80, 8080, 3128, 6588, and 1080. This is the bopm default scan.

Either way, the traffic in question was initiated by the user, and no
viruses or system compromises were involved in the making of this non-event.

Questions? Comments?
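As an added example (mine, not code from the post or from bopm), here is a small triage script a netadmin could run over firewall logs to tell a bopm-style open proxy check from a broader scan: it groups connection attempts per source/destination pair and flags bursts that only touch the bopm default ports within a short window. The log format, the IPs and the sample lines are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Ports probed by the bopm default scan described in the reply above.
BOPM_DEFAULT_PORTS = {23, 80, 8080, 3128, 6588, 1080}

# Hypothetical firewall log format, constructed for this example:
#   <ISO timestamp> src=<ip> dst=<ip> dport=<port> action=<ACCEPT|DROP>
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=\S+$")

def parse_log(text):
    """Group log lines into {(src, dst): [(timestamp, dport), ...]}."""
    flows = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # lines in any other format are skipped
            flows[(m["src"], m["dst"])].append((datetime.fromisoformat(m["ts"]), int(m["dport"])))
    return flows

def classify_burst(events, max_window_seconds=60):
    """'bopm-default-profile' when every probed port is in the bopm default set
    and the whole burst fits in a short window; otherwise 'unmatched' for review."""
    times = [t for t, _ in events]
    ports = {p for _, p in events}
    duration = (max(times) - min(times)).total_seconds()
    if ports <= BOPM_DEFAULT_PORTS and duration <= max_window_seconds:
        return "bopm-default-profile"
    return "unmatched"

def classify_log(text):
    """Map 'src->dst' to a verdict for every burst in the log text."""
    return {f"{s}->{d}": classify_burst(ev) for (s, d), ev in parse_log(text).items()}

# Constructed sample: 10.0.0.7 stands in for the ircd host, 10.0.0.9 for an unrelated scanner.
SAMPLE_LOG = """\
2007-02-15T22:03:50 src=10.0.0.7 dst=199.17.1.2 dport=80 action=DROP
2007-02-15T22:03:52 src=10.0.0.7 dst=199.17.1.2 dport=8080 action=DROP
2007-02-15T22:03:55 src=10.0.0.7 dst=199.17.1.2 dport=3128 action=DROP
2007-02-15T22:04:01 src=10.0.0.7 dst=199.17.1.2 dport=1080 action=DROP
2007-02-15T22:04:07 src=10.0.0.7 dst=199.17.1.2 dport=23 action=DROP
2007-02-15T22:04:12 src=10.0.0.7 dst=199.17.1.2 dport=6588 action=DROP
2007-02-15T23:10:00 src=10.0.0.9 dst=199.17.1.3 dport=22 action=DROP
2007-02-15T23:10:01 src=10.0.0.9 dst=199.17.1.3 dport=445 action=DROP
"""

if __name__ == "__main__":
    for flow, verdict in classify_log(SAMPLE_LOG).items():
        print(flow, verdict)
```

A port-set match is only a hint that the burst looks like bopm's default check; confirming it still means correlating the burst with the preceding client connection to the ircd, as the reply does.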
Moral of the story: running an ircd is more trouble than it’s worth, and overzealous netadmins don’t know the difference between a bopm scan and a real scan.
Way I see it, one of two things could reasonably happen here. Either that’s the end of it, or they ask me to stop and I move to running an ircd on my home connection (and cap bittorrent a little lower :p).
I think I’m gonna make preparations for the second, just in case.