Re: "Worm" behavior -- port 80 honey pots

From: Rich Puhek (rpuhekat_private)
Date: Mon Oct 15 2001 - 13:57:14 PDT

Next message: Ryan Russell: "Re: "Worm" behavior -- port 80 honey pots"

Previous message: Jon R. Kibler: ""Worm" behavior -- port 80 honey pots"
In reply to: Jon R. Kibler: ""Worm" behavior -- port 80 honey pots"
Next in thread: Ryan Russell: "Re: "Worm" behavior -- port 80 honey pots"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

"Jon R. Kibler" wrote:
> 
> We have observed some curious behavior regarding what appears to be worm probes on port 80. We would be interested in anyone's thoughts as to what may be occurring and why.
> 
> We have a system with a public IP that is running Sun Solaris 2.x O/S. This system does not have a web server. Rather, we have a honey pot that sits on port 80. Port 80 is controlled by inetd. When someone attempts to connect to port 80, inetd starts the honey pot. The honey pot just tries to read from port 80 until it times out. Upon time-out, it may send the connecting system a 'go away' message and drop the connection, or simply drop the connection.
> 
> Whenever port 80 is probed by spiders, most sniffers, and all the worms we have seen up through and including the original Code Red worm, the honey pot would receive and record whatever payload was being sent by the remote system. Starting with the presumed variants of Code Red, and what we presume is Nimda (that is, groups of 16 sequential port 80 probes) we have not been receiving any payloads from remote systems. The old read time-out was set for 5 seconds, but we have run it up as high as 15 minutes and we still do not receive anything during that time from any of these new 'worms.'

Is it a possibility that the probes you're seeing there are
Nimba-infected machines that happen to suffer the effects of one of the
"Nimba-Killer" redirects from another probed host. I'm thinking the
possibility exists that the probing machine hits your honeypot and
around the same time it hits a machine that gives it one of the
Nimba-Killer redirects, which either swamps the probing machine
(redirecting to 127.0.0.1) or shuts it down (sending a command to exit
Windows).

I haven't studied Nimba's behavior in detail, or the behavior of the
redirects, so I don't know how likely it is, but might me something to
consider...

--Rich

_________________________________________________________

Rich Puhek               
ETN Systems Inc.         
_________________________________________________________

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Ryan Russell: "Re: "Worm" behavior -- port 80 honey pots"
Previous message: Jon R. Kibler: ""Worm" behavior -- port 80 honey pots"
In reply to: Jon R. Kibler: ""Worm" behavior -- port 80 honey pots"
Next in thread: Ryan Russell: "Re: "Worm" behavior -- port 80 honey pots"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Oct 15 2001 - 15:10:19 PDT