Like everyone else, when I check my firewall logs I see huge numbers of
attempts to connect to me... unsuccessfully, as I run no services on
this machine. Even so, I am irritated by this. Most of the attempts are
on port 139... just kiddies looking to see if I am sharing anything, I
guess. Most ISPs are not interested in receiving complaints about this.
I have seen the idea of a "honeypot", where one actually runs a service,
so as to collect more information about the intruder. Also suggested is
a booby-trap, whereby any attempt to make use of the fake "service"
results in unfortunate consequences... though I am not in favour of
leaving viruses lying around, as they can only spread. (The fact that
the intruder may deserve to have his disks wiped is unfortunately
irrelevant.) Comments on what is legally/morally/technically possible
would be welcome.

Re: honeypot

On Tue, 04 Apr 2006 13:33:36 +0100, none wrote:


Let's say some lawyer's system is a zombie.
It connects to your malicious honeypot.
Your software dinks up his system.
He then sues you for damages/pain and agony/.....

Forget about his system contacting your system.
Right or wrong, do you have the spare money to fight the lawsuit?

Let's pick another method. Because your system zapped one of his
zombie bots, the chapped zombie master uses another bot to create a fake IP
header and sends it to your system. Your system attacks the IP address in
the fake header.

Now you really are in the law's spotlight. Your system attacked a
system which did not contact your system.

Re: honeypot

Bit Twister wrote:
This is pretty much what I thought would be the disadvantage of the
booby-trap system, which is one reason I have no wish to implement one.
Even if the machine is not a zombie, I have no wish to sink to the same
level as the bad guy (I hope I made it clear that even though the attacker
*deserves* to have his disks trashed, this is not a good reason for
doing so.) Any ideas for what *can* be done if the abuser's ISP is not
interested? My current policy is just to mutter obscenities, and ignore

Re: honeypot

On Tue, 04 Apr 2006 15:16:43 +0100, none wrote:


My solution is just use the firewall to block domain ranges and/or
active malware ports without logging.

That allows me to see new malware port hunting. For port numbers:
http://www.dshield.org//port_report.php?port=
http://isc.sans.org/port_details.php?port=
http://lists.thedatalist.com/portlist/lookup.php?port=

I use   whois ip_addy_here   to get ip range values and to see if it is
worth blocking and/or reporting with logs. Universities and businesses
seem to care more so than ISPs.

You appear to be running Fedora Core. I am running Mandriva Linux with
the Shorewall firewall interface. Here is a copy of my blacklist which
drops without logging.

# address-range entries omitted here: the addresses did not survive extraction,
# each carried only a whois organisation comment (Comcast, Cogent, SBC, ...)
udp     1025:1035
tcp     80      # AckCmd, Back End, CGI Backdoor, Executor, Hooker, RingZero
tcp     8080    # Brown Orifice, RemoConChubo, RingZero
tcp     21:25   # ftp, ssh, Telnet, any private mail system, smtp
tcp     4899    # Remote Administrator port
tcp     5900    # vnc Virtual Network Computer
tcp     42      # Host Name Server
tcp     111     # SUN Remote Procedure Call, Ramen worm exploit
tcp     106     # 3COM-TSMUX
tcp     143     # Internet Message Access Protocol
tcp     515     # spooler, Ramen worm exploit
tcp     10000   # Network Data Management Protocol (webmint)
udp     1434    # Microsoft-SQL-Monitor
tcp     1433    # Microsoft-SQL-Server
tcp     2745    # W32/Bagle.j@MM Virus backdoor
tcp     3127    # ctx-bridge, W32/MyDoom, W32.Novarg.A backdoor
tcp     3306    # MySQL
tcp     3389    # MS WBT Server
tcp     3410    # Backdoor.OptixPro.12
tcp     4000    # Skydance, Connect-Back Backdoor
tcp     5110    # Turkish trojan ProRat
tcp     5554    # Sasser trojan/worm ftp server
udp     5631    # pcANYWHEREdata
tcp     5800    # vnc
tcp     6129    # Dameware Remote Admin
tcp     6348    # Gnutella works on this port too
udp     6348    # Gnutella works on this port too
tcp     9898    # dabber, MonkeyCom
udp     9200    # WAP connectionless session service
tcp     2100    # Amiga Network Filesystem
tcp     27374   # Bad Blood, SubSeven, SubSeven 2.1 Gold, Subseven 2.1.4 DefCon 8
udp     33436   #
udp     33437   #
udp     33440   #
udp     33436   #
tcp     32773   # Sometimes an RPC port on Solaris box (rquotad)
tcp     11768   # DIPNET trojan/backdoor
tcp     15118   #
tcp     17300   # Kuang2 the virus
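To make the approach in the post above concrete (silently drop the ranges and ports you already know about, so that new port hunting stands out in the log), here is an added example that is not part of the thread: a small Python triage of firewall log lines against a range and port blacklist. The log lines and the 203.0.113.0/24 range are constructed, and the function names are my own; the port entries are a subset of the blacklist above.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of iptables/Shorewall kernel log lines (not from the thread).
SAMPLE_LOG = """\
Apr  4 13:01:05 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=3457 DPT=445
Apr  4 13:02:11 fw kernel: IN=eth0 OUT= SRC=198.51.100.22 DST=192.0.2.10 PROTO=TCP SPT=1025 DPT=1433
Apr  4 13:04:09 fw kernel: IN=eth0 OUT= SRC=192.0.2.200 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=27374
Apr  4 13:05:55 fw kernel: IN=eth0 OUT= SRC=192.0.2.201 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=5060
Apr  4 13:06:01 fw kernel: IN=eth0 OUT= SRC=192.0.2.202 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=5060
"""

# Ranges already dropped silently (constructed TEST-NET stand-in for a whois range).
NOISE_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Subset of the blacklist's port entries plus port 139 from the original post.
NOISE_PORTS = [  # (protocol, low port, high port)
    ("tcp", 139, 139), ("udp", 1025, 1035), ("tcp", 1433, 1433),
    ("udp", 1434, 1434), ("tcp", 4899, 4899), ("tcp", 27374, 27374),
]

LINE_RE = re.compile(r"SRC=(?P<src>[\d.]+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)")

def parse_line(line):
    """Return (source address, protocol, destination port), or None if not a hit."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return ipaddress.ip_address(m["src"]), m["proto"].lower(), int(m["dpt"])

def is_noise(src, proto, dport):
    """True if the blacklist would drop this hit without logging it."""
    if any(src in net for net in NOISE_RANGES):
        return True
    return any(p == proto and lo <= dport <= hi for p, lo, hi in NOISE_PORTS)

def triage(log_text):
    """Return (count of known-noise hits, Counter of (proto, port) for the rest)."""
    dropped, new_hits = 0, Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, proto, dport = parsed
        if is_noise(src, proto, dport):
            dropped += 1
        else:
            new_hits[(proto, dport)] += 1
    return dropped, new_hits
```

On the sample, three hits are known noise and the only thing left to look at is two probes of tcp/5060, which is exactly the "new port hunting" the post wants to surface.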

Re: honeypot


Very likely these are automated attacks.

At first there was the word. And the word was Content-type: text/plain
