Y0. I've experienced quite the same phenomenon several weeks ago. Out of the blue a host from within my local ISP (which is I presume on a different continent than yours ;-) scanned me *exactly* every 62 minutes for NetBus backdoors, and attempted the 'pipes.scr' upload ritual. Immediately after I tried to send him any message he was disconnected in a much too fast and automatic way than I would expect a person to respond. This whole ceremony lasted several hours. I contacted the abuse staff of my ISP, but 'till now I heard nothing else. It must be some automatic script or somethin'. Whether it was initiated from that specific host or was it a compromised IP it's really impossible to tell. But, if you take the 60 minutes it took him to get back to my IP, and assume a 56K dial-up connection the attacker used (which is still the most common here) I think you can tell what range of IPs he scanned, assuming he listened for the responses. Your call.

centipede.

Sverre H. Huseby wrote:

> [ This is a repost: I didn't find this message in the archives, so I
> suspect it disappeared during your mail trouble some time back. Of
> course it may have been moderated away, in that case please excuse
> me for bothering you again. :) ]
>
> This is a follow-up to a message sent by me on 2001-01-24. As it has
> been a long time, I quote most of the original message:
>
> | Last week I wrote a simple daemon that accepts incoming connections to
> | TCP port 12345, and announces itself as "NetBus 1.60". The program
> | simply logs the first command sent by the client, and attempts to send
> | a warning message to the bad guy in the other end. [...]
> |
> | The last six days I've had three connections to my daemon when online
> | using my dialup ISDN connection. All three come from the same ISP as
> | I connect to. What follows are the relevant log lines (Norwegian
> | times):
> |
> | 2001-01-18 15:24:34 server running on 130.67.238.181:12345
> | 2001-01-18 16:00:25 [130.67.238.126:3388] accepted connection
> | 2001-01-18 16:00:25 [130.67.238.126:3388] "UploadFile;pipes.scr;10000;\"
> | 2001-01-18 16:00:26 [130.67.238.126:3388] client disconnected
> |
> | 2001-01-18 22:31:40 server running on 130.67.123.106:12345
> | 2001-01-18 23:13:00 [130.67.123.85:1448] accepted connection
> | 2001-01-18 23:13:01 [130.67.123.85:1448] "UploadFile;pipes.scr;10000;\"
> | 2001-01-18 23:13:01 [130.67.123.85:1448] warning message sendt
> | 2001-01-18 23:13:01 [130.67.123.85:1448] client disconnected
> |
> | 2001-01-24 20:04:11 server running on 130.67.215.213:12345
> | 2001-01-24 20:04:30 [130.67.215.250:1205] accepted connection
> | 2001-01-24 20:04:30 [130.67.215.250:1205] "UploadFile;pipes.scr;10000;\"
> | 2001-01-24 20:04:30 [130.67.215.250:1205] warning message sendt
> | 2001-01-24 20:04:33 [130.67.215.250:1205] client disconnected
> |
> | The ISP issues addresses dynamically, so I have no idea whether the
> | connections are from the same person. [...]
> |
> | Ok, what I see is what seems to be three attempts on uploading a file
> | called "pipes.scr" to my computer. I do not know NetBus at all, so I
> | don't know if the almost immediate upload attempt after connecting
> | (see time stamps) is normal NetBus behavior, or if it indicates some
> | kind of a script. If the NetBus client is running a script, it _may_
> | be that the owner of the misbehaving computer is unaware of what is
> | going on. [...]
>
> I reported the first four incidents as computer crime to the local
> police. After several weeks, a nice investigator called me and told
> me approximately that "the upload attempts come from all over the
> country, and from different kinds of households (kids, no kids, etc.)".
>
> It is at least not a single person who is doing this all by his
> lonesome. The different households make me think that people
> probably are unaware that their computers are trying to break into
> other machines. If that is correct, we may have a "new" trojan horse
> around.
>
> After I reported the incidents to the police, I have had eight more
> identical upload attempts. Summing up, this gives us a total of 12
> attempts from 2001-01-18 to 2001-05-03. Every single attempt comes
> from the IP address range of my own ISP.
>
> Yesterday I received a mail from a person who has experienced similar
> behavior. He reported upload attempts of the file pipes.scr, and all
> attempts originated from the same ISP as he uses (not the same as
> mine). Hopefully he (and anyone else experiencing the same) will give
> us some more details here.
>
>
> Sverre.
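An added example, not code from the thread or from Sverre's daemon: a Python parser for the log format quoted above. For each session it records the source address, the first command and the file it names, the seconds between the TCP accept and that command (the near-zero delay the post reads as a script signature), and whether the source falls inside the daemon's own /16, which this example uses as an assumed stand-in for "same ISP"; the sample log is the first two quoted sessions with the quote markers removed.

```python
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample: the first two sessions from the quoted log, quote markers removed.
SAMPLE_LOG = """\
2001-01-18 15:24:34 server running on 130.67.238.181:12345
2001-01-18 16:00:25 [130.67.238.126:3388] accepted connection
2001-01-18 16:00:25 [130.67.238.126:3388] "UploadFile;pipes.scr;10000;\\"
2001-01-18 16:00:26 [130.67.238.126:3388] client disconnected
2001-01-18 22:31:40 server running on 130.67.123.106:12345
2001-01-18 23:13:00 [130.67.123.85:1448] accepted connection
2001-01-18 23:13:01 [130.67.123.85:1448] "UploadFile;pipes.scr;10000;\\"
2001-01-18 23:13:01 [130.67.123.85:1448] warning message sendt
2001-01-18 23:13:01 [130.67.123.85:1448] client disconnected
"""
# The daemon writes three line shapes: a server banner, a bracketed client event,
# and the client's first command in double quotes (a bracketed event as well).
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) '
    r'(?:server running on (?P<server>[\d.]+):\d+'
    r'|\[(?P<client>[\d.]+):\d+\] (?P<event>.*))$')

def parse_sessions(log_text, isp_prefix_len=16):
    """One record per client session. isp_prefix_len is an assumption: the
    prefix within which a source counts as 'same ISP block' as the daemon."""
    sessions, server, current = [], None, None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m['ts'], '%Y-%m-%d %H:%M:%S')
        if m['server']:
            server = m['server']  # daemon restarted on a new dynamic address
            continue
        if m['event'] == 'accepted connection':
            current = {'server': server, 'client': m['client'], 'accepted': ts,
                       'command': None, 'file': None, 'delay': None}
            sessions.append(current)
        elif m['event'].startswith('"') and current and current['command'] is None:
            fields = m['event'].strip('"').split(';')  # NetBus fields are ';'-separated
            current['command'] = fields[0]
            current['file'] = fields[1] if fields[0] == 'UploadFile' and len(fields) > 1 else None
            current['delay'] = (ts - current['accepted']).total_seconds()
    for s in sessions:
        s['same_isp_block'] = ip_address(s['client']) in ip_network(f"{s['server']}/{isp_prefix_len}", strict=False)
        # A person driving the NetBus GUI needs seconds to pick a file; a command
        # within one second of the accept is the script signature the thread suspects.
        s['scripted'] = s['delay'] is not None and s['delay'] <= 1
    return sessions

def pipes_scr_attempts(sessions):
    return sum(1 for s in sessions if s['command'] == 'UploadFile' and s['file'] == 'pipes.scr')
```

Feeding the daemon's full log through `parse_sessions` and counting `scripted` and `same_isp_block` records gives the two facts the thread is arguing from: the delay distribution and the share of sources inside the ISP's own range.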
This archive was generated by hypermail 2b30 : Wed Jun 06 2001 - 12:17:24 PDT