Re: "Worm" behavior -- port 80 honey pots

From: Alexander Bochmann (securityfocus-incidentsat_private)
Date: Mon Oct 22 2001 - 09:30:19 PDT

    ...on Mon, Oct 15, 2001 at 03:08:39PM -0600, Ryan Russell wrote:
     > >   1) Sometimes the honey pot will send an IDENT request to the remote
     > > system. At least one of the 'worms' in circulation recently will
     > > immediately drop the port 80 connection when the IDENT probe is sent

     > I used to have this problem with firewalled mail servers.  If one of the
     > mail servers was configured to do ident lookups, and there was a firewall
     > that just dropped ident attempts (no RST), then the mail servers would sit
     > around for 2-5 minutes until the ident TCP connect timed out.  Only then
     > would the mail connection deliver any data.  This could be related, and

    Don't think so; this is default behaviour with sendmail, at least.
    Sendmail has a configurable timeout for ident lookups, and will 
    wait for an answer until the timeout expires. Default from 
    sendmail distribution is 30 seconds, but possibly some vendors 
    use a higher value. Don't know about other MTAs.
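
The three outcomes discussed in this thread (an ident service that answers, one that never answers so the caller waits out its timeout, and a refused connection that returns at once), as an added example that is not part of the original post. The function names are hypothetical, loopback listeners stand in for the remote host, and the "silent" listener only approximates a firewall that drops packets: here the TCP handshake completes but no reply ever arrives.

```python
import socket, threading, time

def ident_lookup(host, port, their_port, our_port, timeout):
    """RFC 1413 query under one deadline; returns (outcome, reply, seconds)."""
    start, outcome, reply = time.monotonic(), "answered", b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(f"{their_port}, {our_port}\r\n".encode("ascii"))
            while not reply.endswith(b"\n"):
                left = timeout - (time.monotonic() - start)
                if left <= 0:
                    raise socket.timeout()
                s.settimeout(left)          # connect + read share the deadline
                chunk = s.recv(512)
                if not chunk:               # peer closed before a full line
                    outcome = "closed"
                    break
                reply += chunk
    except socket.timeout:
        outcome = "timeout"                 # caller waited the whole timeout
    except ConnectionRefusedError:
        outcome = "refused"                 # RST: fails fast, no waiting
    return outcome, reply.decode("ascii", "replace").strip(), time.monotonic() - start

def _listener():
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))              # constructed local stand-in for port 113
    srv.listen(1)
    return srv, srv.getsockname()[1]

def _answer_once(srv):
    conn, _ = srv.accept()
    with conn:
        query = conn.recv(512).decode("ascii").strip()
        conn.sendall(f"{query} : USERID : UNIX : constructed-user\r\n".encode("ascii"))

def demo(timeout=1.0):
    results = {}
    answering, port_a = _listener()
    threading.Thread(target=_answer_once, args=(answering,), daemon=True).start()
    results["answered"] = ident_lookup("127.0.0.1", port_a, 1025, 25, timeout)
    silent, port_s = _listener()            # never accept()ed, never replies
    results["silent"] = ident_lookup("127.0.0.1", port_s, 1025, 25, timeout)
    closed, port_c = _listener()
    closed.close()                          # nothing listening any more
    results["refused"] = ident_lookup("127.0.0.1", port_c, 1025, 25, timeout)
    answering.close(); silent.close()
    return results

if __name__ == "__main__":
    for case, (outcome, reply, secs) in demo().items():
        print(f"{case:9s} {outcome:9s} {secs:5.2f}s {reply}")
```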

    This archive was generated by hypermail 2b30 : Mon Oct 22 2001 - 10:19:26 PDT