Honeypots mailing list archives
Honeyd simulation of irc?
From: "Williams Jon" <WilliamsJonathan () JohnDeere com>
Date: Fri, 23 Apr 2004 09:05:59 -0500
I've got a box that I think is infected with something. The AV software comes back clean, as does SpyBot, but when the system is on the network, it scans random addresses on the order of thousands of destinations per minute. The majority of these connection attempts fail due to our network security, so all we see are the TCP SYNs. In addition to the scanning, the box attempts to connect to two addresses when it first starts up and then again at intervals while online. We checked what these two were and it turns out the infected system is trying to connect to IRC, probably to get command-and-control stuff from a bot.

So, I set up honeyd using the test.sh script to try to capture the data the infected system sends to the IRC servers. While it worked, in that the box did send data and interact a bit with the honeypot, it wasn't convincing enough for the infected system to actually do anything beyond log in. I looked around, hoping to find an existing script for honeyd to mimic an IRC server, and found nothing. I did find out that it's possible to run inetd services directly through honeyd and that there's a way to run ircd from inetd, but I'm having problems getting it to work. I'm able to get honeyd to establish the session, and the log indicates that it's actually trying to spawn the ircd process, but the connection gets reset immediately.

Has anyone got a honeyd config that will allow some IRC interaction? Can anyone tell me what I'm doing wrong with my honeyd config (listed below)?
-------Start honeyd.conf-----------
create template
set template personality "Microsoft Windows XP Professional SP1"
set template uptime 1728650
add template tcp port 80 "scripts/iis5.net/main.pl"
add template tcp port 22 "sh scripts/test.sh $ipsrc $dport"
add template tcp port 23 proxy $ipsrc:23
add template tcp port 25 "scripts/smtp.pl /usr/local/honeyd/log/sendmail"
add template udp port 53 proxy 141.211.92.141:53
add template tcp port 6667 "/usr/local/ircd/ircd -n -x 3 -f /usr/local/ircd/ircd.conf"
set template default tcp action reset
bind 172.16.9.6 template
-------End honeyd.conf-------------

Thanks.
Jon
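The post asks for a honeyd script that mimics an IRC server well enough for a bot to get past login. Below is an added example of such a script; it is not part of the original message, not honeyd's code, and not the ircd referenced in the config. It relies on honeyd's service-script convention, visible in the test.sh line above: the script is started per connection with the client on stdin/stdout and whatever arguments the config passes (here assumed to be $ipsrc). It answers PING, completes registration with the 001-004/375/376 numerics once both NICK and USER have been seen, acknowledges JOIN with 353/366, and records every client line so the bot's commands can be reviewed afterwards. The server name, the log path and the function names are all constructed for this example.

```python
#!/usr/bin/env python3
"""Minimal IRC-server responder intended as a honeyd service script.

Added example (not honeyd's own code).  Hypothetical honeyd.conf line:
    add template tcp port 6667 "python3 scripts/irc-stub.py $ipsrc"
honeyd hands the TCP connection to the script on stdin/stdout, so the
script only has to read client lines and write replies.
"""
import sys
import time

SERVER = "irc.example.invalid"      # constructed server name
LOG_PATH = "/tmp/irc-stub.log"      # hypothetical log location


def make_state(peer="unknown"):
    """Per-connection state: who the client claims to be and what it sent."""
    return {"peer": peer, "nick": None, "user": None, "registered": False,
            "channels": set(), "log": []}


def handle_line(state, line):
    """Process one client line; return the reply lines (without CRLF)."""
    line = line.rstrip("\r\n")
    if not line:
        return []
    state["log"].append(line)            # keep everything the client says
    parts = line.split(" ", 1)
    cmd = parts[0].upper()
    arg = parts[1] if len(parts) > 1 else ""
    replies = []

    if cmd == "PING":
        # Bots usually drop the link if PING goes unanswered.
        replies.append(f"PONG {SERVER} :{arg.lstrip(':')}")
    elif cmd == "NICK":
        state["nick"] = arg.split()[0] if arg else None
    elif cmd == "USER":
        state["user"] = arg.split()[0] if arg else None
    elif cmd == "JOIN" and arg:
        nick = state["nick"] or "*"
        user = state["user"] or "unknown"
        for chan in arg.split()[0].split(","):
            state["channels"].add(chan)
            # Echo the JOIN, then an empty names list and its terminator.
            replies.append(f":{nick}!{user}@{state['peer']} JOIN :{chan}")
            replies.append(f":{SERVER} 353 {nick} = {chan} :{nick}")
            replies.append(f":{SERVER} 366 {nick} {chan} :End of /NAMES list.")
    elif cmd == "QUIT":
        replies.append("ERROR :Closing Link")
    # PRIVMSG, MODE, etc. are logged but need no reply from a stub server.

    # Registration completes once both NICK and USER have been seen.
    if not state["registered"] and state["nick"] and state["user"]:
        state["registered"] = True
        nick = state["nick"]
        replies += [
            f":{SERVER} 001 {nick} :Welcome to the Internet Relay Network {nick}",
            f":{SERVER} 002 {nick} :Your host is {SERVER}",
            f":{SERVER} 003 {nick} :This server was created today",
            f":{SERVER} 004 {nick} {SERVER} 1.0 o o",
            f":{SERVER} 375 {nick} :- {SERVER} Message of the day -",
            f":{SERVER} 376 {nick} :End of /MOTD command.",
        ]
    return replies


def run_session(lines, peer="unknown"):
    """Feed a list of client lines through handle_line; returns (replies, state)."""
    state = make_state(peer)
    replies = []
    for line in lines:
        replies.extend(handle_line(state, line))
    return replies, state


def serve(inp, out, peer):
    """Drive a live connection: read lines from inp, write replies to out."""
    state = make_state(peer)
    for raw in inp:
        for reply in handle_line(state, raw):
            out.write(reply + "\r\n")
        out.flush()
        if raw.upper().startswith("QUIT"):
            break
    return state


if __name__ == "__main__":
    peer = sys.argv[1] if len(sys.argv) > 1 else "unknown"
    final = serve(sys.stdin, sys.stdout, peer)
    # Persist the captured exchange for later review of the bot's C2 traffic.
    with open(LOG_PATH, "a") as fh:
        fh.write(f"{int(time.time())} {peer} {final['log']!r}\n")
```

Because honeyd supplies the connection on stdin/stdout, the same script can be exercised offline by piping a constructed session into it, which is also how the replies above were checked: the numerics go back in the order a real server would send them, and the log keeps every line the client sent regardless of whether the stub understood it.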