Re: "Worm" behavior -- port 80 honey pots

From: Alexander Bochmann (securityfocus-incidentsat_private)
Date: Mon Oct 22 2001 - 09:30:19 PDT


    ...on Mon, Oct 15, 2001 at 03:08:39PM -0600, Ryan Russell wrote:
    
     > >   1) Sometimes the honey pot will send an IDENT request to the remote
     > > system. At least one of the 'worms' in circulation recently will
     > > immediately drop the port 80 connection when the IDENT probe is sent
     > I used to have this problem with firewalled mail servers.  If one of the
     > mail servers was configured to do ident lookups, and there was a firewall
     > that just dropped ident attempts (no RST), then the mail servers would sit
     > around for 2-5 minutes until the ident TCP connect timed out.  Only then
     > would the mail connection deliver any data.  This could be related, and
    
    Don't think so; this is default behaviour with sendmail, at least.
    
    Sendmail has a configurable timeout for ident lookups, and will 
    wait for an answer until the timeout expires. Default from 
    sendmail distribution is 30 seconds, but possibly some vendors 
    use a higher value. Don't know about other MTAs.
    
    Alex.
    
    



    This archive was generated by hypermail 2b30 : Mon Oct 22 2001 - 10:19:26 PDT