RE: Upload of "pipes.scr" attempted to NetBus "honeypot"

From: Talley, Brooks (brooksat_private)
Date: Tue Jun 05 2001 - 10:27:05 PDT

Next message: Nate Carlson: "Re: rootkit entertainment"

Previous message: GiulioMaria Fontana: "Rootkit t0rn modified ?"
Next in thread: Hugo van der Kooij: "RE: Upload of "pipes.scr" attempted to NetBus "honeypot""
Reply: Hugo van der Kooij: "RE: Upload of "pipes.scr" attempted to NetBus "honeypot""
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

pipes.scr is the 3d pipes screensaver on windows NT/2000.  It's a very
commonly used screensaver, so my guess is that whatever is doing the
uploading, it's sending a trojaned version of the pipes screensaver.
Perhaps that screensaver itself is what's doing the scanning and
attempted uploads.

It would be handy if you could extend your netbus simulator to accept
the upload and capture the presumably trojaned pipes.scr.

Cheers
-Brooks


> -----Original Message-----
> From: Sverre H. Huseby [mailto:shhat_private]
> Sent: Monday, June 04, 2001 1:07 PM
> To: INCIDENTSat_private
> Subject: Re: Upload of "pipes.scr" attempted to NetBus "honeypot"

> |   Ok, what I see is what seems to be three attempts on 
> |   uploading a file
> |   called "pipes.scr" to my computer.

Next message: Nate Carlson: "Re: rootkit entertainment"
Previous message: GiulioMaria Fontana: "Rootkit t0rn modified ?"
Next in thread: Hugo van der Kooij: "RE: Upload of "pipes.scr" attempted to NetBus "honeypot""
Reply: Hugo van der Kooij: "RE: Upload of "pipes.scr" attempted to NetBus "honeypot""
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Jun 05 2001 - 14:12:48 PDT