Honeypots mailing list archives

Simplistic NetCat Honeypot Find

From: "Chris Mawer" <chris_mawer () hotmail com>
Date: Wed, 18 Dec 2002 13:08:44 +0000

List,

Ive spent the last 24 hours collecting data from a netcat listener runningon port 80 (HTTP). The listener doesnt fire back any data, just waits forconnects, logs what data is sent then closes the connection and resumeslistening on 80.


C:\Documents and Settings\Administrator\Desktop>nc -L -p 80 -vv
listening on [any] 80 ...
(Command used to start the listener)

A slightly bewildering find has been that about 4 requests over the 24 hourperiod (unfortunately, netcat doesnt timestamp connections) are as below:

connect to [**LOCAL_IP_OBSCURED**] from dialin-145-254-150-182.arcor-ip.net[145.254.150.182

] 1964
GET http://www.s3.com/ HTTP/1.1
Host: www.s3.com
Accept: */*
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)

sent 0, rcvd 145
listening on [62.7.137.21] 80 ...

Instead of requesting a document of some form, index.html, index.htm, oreven some of the more common IIS vulnerabilities exloited by masspropagation worms (ie directory traversal and MDACS exploits etc), this userhas requested an url of http://www.s3.com. How does this work? I would haveimagined the attacker would want an anoymous relay to relay the contents ofwww.s3.com to him. However, how would this work? My box connect to said siteand then said site send to me and I relay to attacker? Arent we getting intoNAT and Internet Connection Sharing here?

This happened a few times and the attacker IP never changed, although minechanged every 2 hours due to standard 56k modem account restrictions.

Something else interesting, whats the bets that this was an automated toolof some kind? I imagine very few hackers are still using Windows 95 and IE4.01. Is this an indication of say a distributed DOS attack againstwww.s3.com, whereby a zillion HTTP requests are fired at their servers allat once?


Any thoughts much apreciated,

Chris Mawer
http://www.chrismawer.netfirms.com

_________________________________________________________________

Add photos to your messages with MSN 8. Get 2 months FREE*.http://join.msn.com/?page=features/featuredemail

Current thread:

Simplistic NetCat Honeypot Find Chris Mawer (Dec 18)
- <Possible follow-ups>
- RE: Simplistic NetCat Honeypot Find Hudak, Tyler (Dec 18)
  - Re: Simplistic NetCat Honeypot Find Chris Reining (Dec 18)