"Jon R. Kibler" wrote:
>
> We have observed some curious behavior regarding what appears to be worm probes on port 80. We would be interested in anyone's thoughts as to what may be occurring and why.
>
> We have a system with a public IP that is running Sun Solaris 2.x O/S. This system does not have a web server. Rather, we have a honey pot that sits on port 80. Port 80 is controlled by inetd. When someone attempts to connect to port 80, inetd starts the honey pot. The honey pot just tries to read from port 80 until it times out. Upon time-out, it may send the connecting system a 'go away' message and drop the connection, or simply drop the connection.
>
> Whenever port 80 is probed by spiders, most sniffers, and all the worms we have seen up through and including the original Code Red worm, the honey pot would receive and record whatever payload was being sent by the remote system. Starting with the presumed variants of Code Red, and what we presume is Nimda (that is, groups of 16 sequential port 80 probes) we have not been receiving any payloads from remote systems. The old read time-out was set for 5 seconds, but we have run it up as high as 15 minutes and we still do not receive anything during that time from any of these new 'worms.'

Is it a possibility that the probes you're seeing there are Nimda-infected machines that happen to suffer the effects of one of the "Nimda-Killer" redirects from another probed host? I'm thinking the possibility exists that the probing machine hits your honeypot and around the same time it hits a machine that gives it one of the Nimda-Killer redirects, which either swamps the probing machine (redirecting to 127.0.0.1) or shuts it down (sending a command to exit Windows).

I haven't studied Nimda's behavior in detail, or the behavior of the redirects, so I don't know how likely it is, but might be something to consider...

--Rich

_________________________________________________________
Rich Puhek
ETN Systems Inc.
_________________________________________________________

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Mon Oct 15 2001 - 15:10:19 PDT