Honeypots mailing list archives

Simplistic NetCat Honeypot Find
From: "Chris Mawer" <chris_mawer () hotmail com>
Date: Wed, 18 Dec 2002 13:08:44 +0000

List,

I've spent the last 24 hours collecting data from a netcat listener running on port 80 (HTTP). The listener doesn't fire back any data, just waits for connects, logs what data is sent, then closes the connection and resumes listening on 80.

C:\Documents and Settings\Administrator\Desktop>nc -L -p 80 -vv
listening on [any] 80 ...
(Command used to start the listener)

A slightly bewildering find has been that about 4 requests over the 24 hour period (unfortunately, netcat doesn't timestamp connections) are as below:

connect to [**LOCAL_IP_OBSCURED**] from dialin-145-254-150-182.arcor-ip.net [145.254.150.182] 1964
GET http://www.s3.com/ HTTP/1.1
Host: www.s3.com
Accept: */*
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)

sent 0, rcvd 145
listening on [62.7.137.21] 80 ...

Instead of requesting a document of some form, index.html, index.htm, or even some of the more common IIS vulnerabilities exploited by mass propagation worms (i.e. directory traversal and MDACS exploits etc), this user has requested a URL of http://www.s3.com. How does this work? I would have imagined the attacker would want an anonymous relay to relay the contents of www.s3.com to him. However, how would this work? My box connects to said site, then said site sends to me and I relay to the attacker? Aren't we getting into NAT and Internet Connection Sharing here?

This happened a few times and the attacker IP never changed, although mine changed every 2 hours due to standard 56k modem account restrictions.

Something else interesting: what's the bet that this was an automated tool of some kind? I imagine very few hackers are still using Windows 95 and IE 4.01. Is this an indication of, say, a distributed DoS attack against www.s3.com, whereby a zillion HTTP requests are fired at their servers all at once?

Any thoughts much appreciated,

Chris Mawer
http://www.chrismawer.netfirms.com

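An added example (not part of Chris's post or of netcat) showing one way a honeypot operator could triage captures like the one above: HTTP/1.1 reserves the absolute-URI request form for clients talking to a proxy (RFC 2616 section 5.1.2), so a small parser can separate such proxy-style requests from ordinary path requests and tally the hosts they name. The first sample request is constructed from the capture quoted in the post; the second is a made-up ordinary request, and the function names are this example's own.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample modelled on the capture in the post, with the CRLF line
# endings a listener would actually receive.
PROXY_PROBE = (
    b"GET http://www.s3.com/ HTTP/1.1\r\n"
    b"Host: www.s3.com\r\n"
    b"Accept: */*\r\n"
    b"Pragma: no-cache\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)\r\n"
    b"\r\n"
)
# Constructed ordinary request (origin-form target) for comparison.
PLAIN_REQUEST = b"GET /index.html HTTP/1.0\r\nHost: example.test\r\n\r\n"

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/(\d\.\d)$")

def parse_request(raw: bytes) -> dict:
    """Split a captured request into method, target, version and a header dict."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise ValueError("not an HTTP request line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": m.group(1), "target": m.group(2),
            "version": m.group(3), "headers": headers}

def classify(raw: bytes) -> str:
    """Return 'proxy-probe:<host>' for an absolute-URI target (the form a client
    uses when it thinks it is talking to a proxy), otherwise 'plain'."""
    parts = urlsplit(parse_request(raw)["target"])
    if parts.scheme and parts.netloc:
        return "proxy-probe:" + parts.netloc
    return "plain"

def proxy_targets(captures) -> Counter:
    """Tally the hosts that proxy-style requests tried to reach via the listener."""
    tally = Counter()
    for raw in captures:
        label = classify(raw)
        if label.startswith("proxy-probe:"):
            tally[label.split(":", 1)[1]] += 1
    return tally
```

Feeding every capture from a listener session into proxy_targets gives a quick view of whether the hits are a handful of proxy probes, as in the post, or something broader.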
