[ This is a repost: I didn't find this message in the archives, so I
suspect it disappeared during your mail trouble some time back. Of
course it may have been moderated away, in that case please excuse me
for bothering you again. :) ]

This is a follow-up to a message sent by me on 2001-01-24. As it has
been a long time, I quote most of the original message:

| Last week I wrote a simple daemon that accepts incoming connections to
| TCP port 12345, and announces itself as "NetBus 1.60". The program
| simply logs the first command sent by the client, and attempts to send
| a warning message to the bad guy in the other end. [...]
|
| The last six days I've had three connections to my daemon when online
| using my dialup ISDN connection. All three come from the same ISP as
| I connect to. What follows are the relevant log lines (Norwegian
| times):
|
| 2001-01-18 15:24:34 server running on 130.67.238.181:12345
| 2001-01-18 16:00:25 [130.67.238.126:3388] accepted connection
| 2001-01-18 16:00:25 [130.67.238.126:3388] "UploadFile;pipes.scr;10000;\"
| 2001-01-18 16:00:26 [130.67.238.126:3388] client disconnected
|
| 2001-01-18 22:31:40 server running on 130.67.123.106:12345
| 2001-01-18 23:13:00 [130.67.123.85:1448] accepted connection
| 2001-01-18 23:13:01 [130.67.123.85:1448] "UploadFile;pipes.scr;10000;\"
| 2001-01-18 23:13:01 [130.67.123.85:1448] warning message sendt
| 2001-01-18 23:13:01 [130.67.123.85:1448] client disconnected
|
| 2001-01-24 20:04:11 server running on 130.67.215.213:12345
| 2001-01-24 20:04:30 [130.67.215.250:1205] accepted connection
| 2001-01-24 20:04:30 [130.67.215.250:1205] "UploadFile;pipes.scr;10000;\"
| 2001-01-24 20:04:30 [130.67.215.250:1205] warning message sendt
| 2001-01-24 20:04:33 [130.67.215.250:1205] client disconnected
|
| The ISP issues addresses dynamically, so I have no idea whether the
| connections are from the same person. [...]
|
| Ok, what I see is what seems to be three attempts on uploading a file
| called "pipes.scr" to my computer. I do not know NetBus at all, so I
| don't know if the almost immediate upload attempt after connecting
| (see time stamps) is normal NetBus behavior, or if it indicates some
| kind of a script. If the NetBus client is running a script, it _may_
| be that the owner of the misbehaving computer is unaware of what is
| going on. [...]

I reported the first four incidents as computer crime to the local
police. After several weeks, a nice investigator called me and told me
approximately that "the upload attempts come from all over the
country, and from different kinds of households (kids, no kids,
etc.)". It is at least not a single person who is doing this all by
his lonesome.

The different households make me think that people probably are
unaware that their computers are trying to break in to other machines.
If that is correct, we may have a "new" trojan horse around.

After I reported the incidents to the police, I have had eight more
identical upload attempts. Summing up, this gives us a total of 12
attempts from 2001-01-18 to 2001-05-03. Every single attempt comes
from the IP address range of my own ISP.

Yesterday I received a mail from a person who has experienced similar
behavior. He reported upload attempts of the file pipes.scr, and all
attempts originated from the same ISP as he uses (not the same as
mine). Hopefully he (and anyone else experiencing the same) will give
us some more details here.

Sverre.

-- 
<URL:mailto:shhat_private>
<URL:http://shh.thathost.com/>
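
An added example, not part of the original message and not the author's daemon: a Python parser for the log format quoted above that pairs each connection with the address the daemon was running on, then reports the first command, the delay between accept and command, and how many leading address bits client and daemon share. The function and field names are hypothetical, and shared prefix length is used only as a rough stand-in for "same ISP range".

```python
import ipaddress
import re
from datetime import datetime

# Log lines copied from the quoted message (first two of the three sessions).
LOG = r"""
2001-01-18 15:24:34 server running on 130.67.238.181:12345
2001-01-18 16:00:25 [130.67.238.126:3388] accepted connection
2001-01-18 16:00:25 [130.67.238.126:3388] "UploadFile;pipes.scr;10000;\"
2001-01-18 16:00:26 [130.67.238.126:3388] client disconnected
2001-01-18 22:31:40 server running on 130.67.123.106:12345
2001-01-18 23:13:00 [130.67.123.85:1448] accepted connection
2001-01-18 23:13:01 [130.67.123.85:1448] "UploadFile;pipes.scr;10000;\"
2001-01-18 23:13:01 [130.67.123.85:1448] warning message sendt
2001-01-18 23:13:01 [130.67.123.85:1448] client disconnected
"""
LINE = re.compile(r'^(\S+ \S+) (?:server running on ([\d.]+):\d+'
                  r'|\[([\d.]+):(\d+)\] (.*))$')

def shared_prefix_bits(a, b):
    """Leading bits two IPv4 addresses have in common (32 = identical)."""
    diff = int(ipaddress.IPv4Address(a)) ^ int(ipaddress.IPv4Address(b))
    return 32 - diff.bit_length()

def sessions(log):
    """Return one record per client connection in the honeypot log."""
    server, live, done = None, {}, []
    for m in filter(None, map(LINE.match, log.strip().splitlines())):
        ts = datetime.strptime(m[1], "%Y-%m-%d %H:%M:%S")
        if m[2]:  # daemon restarted, possibly on a new dynamic address
            server = m[2]
            continue
        key, event, s = (m[3], m[4]), m[5], live.get((m[3], m[4]))
        if event == "accepted connection":
            bits = shared_prefix_bits(server, m[3]) if server else None
            live[key] = {"client": m[3], "prefix_bits": bits, "start": ts,
                         "fields": None, "delay_s": None}
        elif s and event.startswith('"') and s["fields"] is None:
            s["fields"] = event[1:-1].split(";")  # first command only
            s["delay_s"] = (ts - s["start"]).total_seconds()
        elif s and event == "client disconnected":
            done.append(live.pop(key))
    return done

if __name__ == "__main__":
    for s in sessions(LOG):
        print(s["client"], s["fields"], s["prefix_bits"], s["delay_s"])
```

On the two sessions shown, both clients share at least 24 leading bits with the daemon's address, and the command arrives within a second of the accept.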