Re: "Worm" behavior -- port 80 honey pots

From: Rich Puhek (rpuhekat_private)
Date: Mon Oct 15 2001 - 13:57:14 PDT


    "Jon R. Kibler" wrote:
    > 
    > We have observed some curious behavior regarding what appears to be worm probes on port 80. We would be interested in anyone's thoughts as to what may be occurring and why.
    > 
    > We have a system with a public IP that is running Sun Solaris 2.x O/S. This system does not have a web server. Rather, we have a honey pot that sits on port 80. Port 80 is controlled by inetd. When someone attempts to connect to port 80, inetd starts the honey pot. The honey pot just tries to read from port 80 until it times out. Upon time-out, it may send the connecting system a 'go away' message and drop the connection, or simply drop the connection.
    > 
    > Whenever port 80 is probed by spiders, most sniffers, and all the worms we have seen up through and including the original Code Red worm, the honey pot would receive and record whatever payload was being sent by the remote system. Starting with the presumed variants of Code Red, and what we presume is Nimda (that is, groups of 16 sequential port 80 probes) we have not been receiving any payloads from remote systems. The old read time-out was set for 5 seconds, but we have run it up as high as 15 minutes and we still do not receive anything during that time from any of these new 'worms.'
    
    
    Is it a possibility that the probes you're seeing there are
    Nimda-infected machines that happen to suffer the effects of one of the
    "Nimda-Killer" redirects from another probed host? I'm thinking the
    possibility exists that the probing machine hits your honeypot and
    around the same time it hits a machine that gives it one of the
    Nimda-Killer redirects, which either swamps the probing machine
    (redirecting to 127.0.0.1) or shuts it down (sending a command to exit
    Windows).
    
    I haven't studied Nimda's behavior in detail, or the behavior of the
    redirects, so I don't know how likely it is, but might be something to
    consider...
    
    --Rich
    
    
    _________________________________________________________
                             
    Rich Puhek               
    ETN Systems Inc.         
    _________________________________________________________
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
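The honey pot Jon describes above (inetd hands the accepted port-80 connection to a program that just reads until a time-out, records whatever arrived, and optionally sends a "go away" before dropping the connection) is small enough to show in full. The following is an added example written for this archive page, not code from either poster. It assumes a conventional inetd stanza of the form `http stream tcp nowait nobody /usr/local/bin/honeypot.py honeypot.py` (hypothetical path), and it records, per connection, whether any bytes arrived before the idle time-out, which is exactly the distinction the thread is about (payload-bearing probes versus connect-only probes). The `simulate_probe` helper feeds it a constructed connection so it can be exercised offline.

```python
"""Minimal inetd-style port-80 honey pot (added example, not the original
poster's code).  inetd accepts the connection and starts this program with
the socket on stdin/stdout; we read until the peer closes or stays idle for
`timeout` seconds, log what we saw, and optionally answer 'go away'.

Assumed inetd stanza (hypothetical path):
    http stream tcp nowait nobody /usr/local/bin/honeypot.py honeypot.py
"""
import json
import select
import socket
import sys
import time

# Optional 'go away' reply; a bare 403 is enough to make a probe drop off.
GO_AWAY = b"HTTP/1.0 403 Forbidden\r\nConnection: close\r\n\r\ngo away\r\n"


def capture_probe(conn, timeout, max_bytes=65536):
    """Read from `conn` until the peer closes or `timeout` seconds pass with
    no data (a read time-out, reset on every chunk).  Returns a record of
    what arrived, including the two flags that tell a connect-only probe
    (idle_timeout, 0 bytes) from a probe that sent a request and hung up."""
    start = time.monotonic()
    payload = bytearray()
    closed_by_peer = False
    idle_timeout = False
    while len(payload) < max_bytes:
        ready, _, _ = select.select([conn], [], [], timeout)
        if not ready:                 # nothing arrived within the read time-out
            idle_timeout = True
            break
        chunk = conn.recv(4096)
        if not chunk:                 # orderly close (or RST surfaced as EOF)
            closed_by_peer = True
            break
        payload.extend(chunk)
    data = bytes(payload)
    return {
        "bytes": len(data),
        "payload": data,
        "first_line": data.split(b"\r\n", 1)[0].decode("latin-1"),
        "closed_by_peer": closed_by_peer,
        "idle_timeout": idle_timeout,
        "elapsed": round(time.monotonic() - start, 3),
    }


def classify(record):
    """Coarse label for the log: connect-only (TCP handshake but no request
    bytes before time-out/close), an HTTP request line, or something else."""
    if record["bytes"] == 0:
        return "connect-only"
    method = record["first_line"].split(" ", 1)[0]
    if method in ("GET", "HEAD", "POST", "OPTIONS", "PUT"):
        return "http-request"
    return "non-http"


def simulate_probe(data, timeout):
    """Constructed test input: a local socket pair standing in for a remote
    probe.  `data` is sent then the peer closes; `None` means the peer just
    connects and sits there, like the payload-less probes in the thread."""
    ours, peer = socket.socketpair()
    try:
        if data is not None:
            peer.sendall(data)
            peer.close()
        record = capture_probe(ours, timeout)
    finally:
        ours.close()
        if data is None:
            peer.close()
    return record


def run_inetd(timeout=15.0, go_away=True):
    """Entry point when started by inetd: stdin is the accepted socket."""
    import syslog   # under inetd stdout/stderr are the socket, so log via syslog
    conn = socket.socket(fileno=sys.stdin.fileno())
    try:
        peer_addr = conn.getpeername()[0]
    except OSError:
        peer_addr = "?"
    record = capture_probe(conn, timeout)
    record["peer"] = peer_addr
    record["kind"] = classify(record)
    record["payload"] = record["payload"].decode("latin-1")
    syslog.syslog(syslog.LOG_INFO, json.dumps(record))
    if go_away:
        try:
            conn.sendall(GO_AWAY)
        except OSError:
            pass
    conn.close()


if __name__ == "__main__":
    run_inetd()
```

With a 15-minute read time-out, as Jon tried, a log line whose record says `"bytes": 0, "idle_timeout": true` is a probe that completed the TCP handshake and never sent a request; `"closed_by_peer": true` with 0 bytes would instead mean the peer connected and immediately hung up, which is a different (and diagnosable) behaviour, so the two flags are worth keeping separate.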
    



    This archive was generated by hypermail 2b30 : Mon Oct 15 2001 - 15:10:19 PDT