Honeypots mailing list archives
Strange Browse attempts - Linux SMBD
From: "Beta3" <acidreign () beta3 no-ip com>
Date: Mon, 27 Jan 2003 20:07:08 +1000
G'day all. Not a frequent poster, but I find some interesting discussions here. Before I get to my question, I'll fill you in with some background information.

The honeypot in question is an i686 machine, running Gentoo Linux. Gentoo was chosen as they disclose security issues to a subscriber list. This allows me to easily keep up with what services are vulnerable on the machine. It is located in Australia on a 2mb both ways DSL subscriber line, so it has adequate bandwidth. There are no compiler tools, not a lot of hard drive space, and it's rate limited with connections to/from via the upstream router. Many services are started, ftp/smb/http/https, and it appears to be running an e-commerce site (although it's very fake, can't even login, intentionally false php scripts).

I am continually getting some strange lines in my log files, such as

Dec 18 15:23:31 hava1 smbd[4029]: alevrius_ (200.67.154.176) couldn't find service c

and

Jan 26 03:36:05 hava1 smbd[4029]: alevrius_ (209.131.250.83) couldn't find service c

and

Jan 26 03:51:01 hava1 smbd[4029]: localhost (218.47.73.5) couldn't find service c

These attempted connections are in groups of three, and have been happening over a month. A quick search using Google does turn over some results, although nobody seems to have found a solution. One could assume that this is an automated script of some sort, but no results have been found.

The first probe originated on Dec 12th 2002 from a cox cable account, and I am still getting these probes even today. I have found that they center around 3:30 till 6:30 EST, and originate mostly from the USA, with some attempts from central Europe.

Any ideas what this is?

Wade Mealing
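An added example, not part of the original post: one way to turn smbd log lines of the shape quoted above into per-source bursts and an hour-of-day count, so the "groups of three" and the time-of-day clustering can be checked across a whole log. The sample lines, client names and addresses (documentation ranges) are constructed, and the 60-second burst gap is an assumption.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Shape quoted in the post: "<time> <host> smbd[pid]: <name> (<ip>) couldn't find service <share>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ smbd\[\d+\]: (?P<name>\S+) "
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) couldn't find service (?P<share>\S+)$"
)

def parse(lines, year):
    """Return sorted (time, ip, client_name, share) tuples; syslog omits the year."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"], m["name"], m["share"]))
    return sorted(events)

def bursts(events, gap=timedelta(seconds=60)):
    """Group each source IP's events into bursts separated by more than `gap`."""
    runs = {}
    for ev in events:
        ip_runs = runs.setdefault(ev[1], [])
        if ip_runs and ev[0] - ip_runs[-1][-1][0] <= gap:
            ip_runs[-1].append(ev)   # continues the current burst
        else:
            ip_runs.append([ev])     # first event, or gap exceeded: new burst
    return [(ip, r[0][0], len(r), sorted({e[3] for e in r}))
            for ip, rs in runs.items() for r in rs]

def hours(events):
    """Count events per hour of day (log-local time) to expose a daily pattern."""
    return Counter(ev[0].hour for ev in events)

# Constructed sample: line format from the post, everything else made up.
SAMPLE = """\
Jan 26 03:36:05 hava1 smbd[4029]: hostA (192.0.2.10) couldn't find service c
Jan 26 03:36:06 hava1 smbd[4029]: hostA (192.0.2.10) couldn't find service c
Jan 26 03:36:08 hava1 smbd[4029]: hostA (192.0.2.10) couldn't find service c
Jan 26 03:51:01 hava1 smbd[4029]: localhost (198.51.100.7) couldn't find service c
Jan 26 03:51:02 hava1 smbd[4029]: localhost (198.51.100.7) couldn't find service c
Jan 26 03:51:04 hava1 smbd[4029]: localhost (198.51.100.7) couldn't find service c
Jan 26 04:10:00 hava1 sshd[512]: constructed unrelated line
""".splitlines()

if __name__ == "__main__":
    for b in bursts(parse(SAMPLE, 2003)):
        print(b)
```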