Re: Upload of "pipes.scr" attempted to NetBus "honeypot"

From: Sverre H. Huseby (shhat_private)
Date: Mon Jun 04 2001 - 13:06:53 PDT


    [ This is a repost: I didn't find this message in the archives, so I
      suspect it disappeared during your mail trouble some time back.  Of
      course it may have been moderated away, in that case please excuse
      me for bothering you again. :) ]
    
    This is a follow up to a message sent by me on 2001-01-24.  As it has
    been a long time, I quote most of the original message:
    
    |   Last week I wrote a simple daemon that accepts incoming connections to
    |   TCP port 12345, and announces itself as "NetBus 1.60".  The program
    |   simply logs the first command sent by the client, and attempts to send
    |   a warning message to the bad guy in the other end.  [...]
    |   
    |   The last six days I've had three connections to my daemon when online
    |   using my dialup ISDN connection.  All three come from the same ISP as
    |   I connect to.  What follows are the relevant log lines (Norwegian
    |   times):
    |   
    |   2001-01-18 15:24:34  server running on 130.67.238.181:12345
    |   2001-01-18 16:00:25  [130.67.238.126:3388]  accepted connection
    |   2001-01-18 16:00:25  [130.67.238.126:3388]  "UploadFile;pipes.scr;10000;\"
    |   2001-01-18 16:00:26  [130.67.238.126:3388]  client disconnected
    |   
    |   2001-01-18 22:31:40  server running on 130.67.123.106:12345
    |   2001-01-18 23:13:00  [130.67.123.85:1448]  accepted connection
    |   2001-01-18 23:13:01  [130.67.123.85:1448]  "UploadFile;pipes.scr;10000;\"
    |   2001-01-18 23:13:01  [130.67.123.85:1448]  warning message sendt
    |   2001-01-18 23:13:01  [130.67.123.85:1448]  client disconnected
    |   
    |   2001-01-24 20:04:11  server running on 130.67.215.213:12345
    |   2001-01-24 20:04:30  [130.67.215.250:1205]  accepted connection
    |   2001-01-24 20:04:30  [130.67.215.250:1205]  "UploadFile;pipes.scr;10000;\"
    |   2001-01-24 20:04:30  [130.67.215.250:1205]  warning message sendt
    |   2001-01-24 20:04:33  [130.67.215.250:1205]  client disconnected
    |   
    |   The ISP issues addresses dynamically, so I have no idea whether the
    |   connections are from the same person.  [...]
    |   
    |   Ok, what I see is what seem to be three attempts at uploading a file
    |   called "pipes.scr" to my computer.  I do not know NetBus at all, so I
    |   don't know if the almost immediate upload attempt after connecting
    |   (see time stamps) is normal NetBus behavior, or if it indicates some
    |   kind of a script.  If the NetBus client is running a script, it _may_
    |   be that the owner of the misbehaving computer is unaware of what is
    |   going on.  [...]
    
    I reported the first four incidents as computer crime to the local
    police.  After several weeks, a nice investigator called me and told
    me approximately that "the upload attempts come from all over the
    country, and from different kinds of households (kids, no kids, etc.)".
    
    It is at least not a single person who is doing this all by his
    lonesome.  The different households make me think that people
    probably are unaware that their computers are trying to break into
    other machines.  If that is correct, we may have a "new" trojan horse
    around.
    
    After I reported the incidents to the police, I have had eight more
    identical upload attempts.  Summing up, this gives us a total of 12
    attempts from 2001-01-18 to 2001-05-03.  Every single attempt comes
    from the IP address range of my own ISP.
    
    Yesterday I received a mail from a person who has experienced similar
    behavior.  He reported upload attempts of the file pipes.scr, and all
    attempts originated from the same ISP as he uses (not the same as
    mine).  Hopefully he (and anyone else experiencing the same) will give
    us some more details here.
    
    
    Sverre.
    
    -- 
    <URL:mailto:shhat_private>
    <URL:http://shh.thathost.com/>
    
    This archive was generated by hypermail 2b30 : Tue Jun 05 2001 - 09:12:12 PDT