Honeypots mailing list archives

Honeyd simulation of irc?


From: "Williams Jon" <WilliamsJonathan () JohnDeere com>
Date: Fri, 23 Apr 2004 09:05:59 -0500

I've got a box that I think is infected with something.  The AV software
comes back clean, as does SpyBot, but when the system is on the network,
it scans random addresses on the order of thousands of destinations per
minute.  The majority of these connection attempts fail due to our
network security, so all we see are the TCP SYNs.  In addition to the
scanning, the box attempts to connect to two addresses when it first
starts up and then again at intervals while online.  We checked what
these two were and it turns out the infected system is trying to connect
to IRC, probably to get command-and-control stuff from a bot.

So, I set up honeyd using the test.sh script to try to capture the data
the infected system sends to the IRC servers.  While it worked, in that
the box did send data and interact a bit with the honeypot, it wasn't
convincing enough for the infected system to actually do anything beyond
log in.  I looked around, hoping to find an existing script for honeyd
to mimic an IRC server and found nothing.  I did find out that it's
possible to run inetd services directly through honeyd and that there's
a way to run ircd from inetd, but I'm having problems getting it to
work.  I'm able to get honeyd to establish the session, and the log
indicates that it's actually trying to spawn the ircd process, but the
connection gets reset immediately.

Has anyone got a honeyd config that will allow some IRC interaction?
Can anyone tell me what I'm doing wrong with my honeyd config (listed
below)?

-------Start honeyd.conf-----------
create template
set template personality "Microsoft Windows XP Professional SP1"
set template uptime 1728650
add template tcp port 80 "scripts/iis5.net/main.pl"
add template tcp port 22 "sh scripts/test.sh $ipsrc $dport"
add template tcp port 23 proxy $ipsrc:23
add template tcp port 25 "scripts/smtp.pl /usr/local/honeyd/log/sendmail"
add template udp port 53 proxy 141.211.92.141:53
add template tcp port 6667 "/usr/local/ircd/ircd -n -x 3 -f /usr/local/ircd/ircd.conf"
set template default tcp action reset

bind 172.16.9.6 template
-------End honeyd.conf-------------

Thanks.

Jon
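An added example, not code from the list post or from the honeyd project: a service script that answers enough of the IRC protocol for a bot to register and join its channel, while logging every line the client sends. honeyd runs a service given as `add template tcp port N "cmd"` with the TCP connection on the script's stdin and stdout, so the script speaks the protocol on those two streams. The server name `irc.example.net`, the log path `/usr/local/honeyd/log/fake_ircd`, the script location `scripts/fake_ircd.py` and the config line in the docstring are all assumptions chosen to match the poster's layout; the `$ipsrc` variable is the one already used in the poster's config.

```python
#!/usr/bin/env python3
"""fake_ircd.py: minimal IRC server emulation as a honeyd service script.

Assumed honeyd.conf line (honeyd passes the connection on stdin/stdout):

  add template tcp port 6667 "python3 scripts/fake_ircd.py $ipsrc $sport"

The script answers NICK/USER with the registration numerics most bots wait
for (001 and 376), answers PING, JOIN and MODE, and writes every client
line to a log so the channel, password and commands can be read offline.
"""
import sys
import time

SERVER_NAME = "irc.example.net"               # assumed name the fake server announces
LOG_PATH = "/usr/local/honeyd/log/fake_ircd"  # assumed log path, mirrors the poster's layout


class FakeIrcd:
    """Protocol state for one client; handle() does no I/O so it can be tested offline."""

    def __init__(self, server=SERVER_NAME, client_host="client.invalid"):
        self.server = server
        self.client_host = client_host
        self.nick = None
        self.user = None
        self.registered = False
        self.channels = []

    def _numeric(self, code, text):
        # Numeric replies have the form ":<server> <code> <nick> <text>".
        return f":{self.server} {code} {self.nick or '*'} {text}"

    def _welcome(self):
        # RPL_WELCOME .. RPL_ENDOFMOTD: bots usually key on 001 or 376 before joining.
        return [
            self._numeric("001", f":Welcome to the network {self.nick}"),
            self._numeric("002", f":Your host is {self.server}"),
            self._numeric("375", f":- {self.server} Message of the day -"),
            self._numeric("376", ":End of /MOTD command."),
        ]

    def handle(self, line):
        """Return the raw IRC lines (without CRLF) to send in reply to one client line."""
        line = line.rstrip("\r\n")
        if not line:
            return []
        cmd, _, arg = line.partition(" ")
        cmd, arg = cmd.upper(), arg.strip()

        if cmd == "PING":
            return [f":{self.server} PONG {self.server} :{arg.lstrip(':')}"]
        if cmd == "NICK":
            self.nick = arg.lstrip(":").split(" ")[0]
        elif cmd == "USER":
            self.user = arg.split(" ")[0]
        if cmd in ("NICK", "USER"):
            if self.nick and self.user and not self.registered:
                self.registered = True
                return self._welcome()
            return []
        if cmd == "QUIT":
            return ["ERROR :Closing Link"]
        if cmd in ("PASS", "PONG"):
            return []
        if not self.registered:
            return [self._numeric("451", ":You have not registered")]

        prefix = f":{self.nick}!{self.user}@{self.client_host}"
        if cmd == "JOIN":
            out = []
            # "JOIN #a,#b key": join every listed channel, accept any key.
            for chan in arg.split(" ")[0].split(","):
                if not chan:
                    continue
                if chan not in self.channels:
                    self.channels.append(chan)
                out += [
                    f"{prefix} JOIN :{chan}",
                    self._numeric("353", f"= {chan} :{self.nick}"),
                    self._numeric("366", f"{chan} :End of /NAMES list."),
                ]
            return out
        if cmd == "MODE":
            target = arg.split(" ")[0]
            if target == self.nick:
                return [self._numeric("221", "+i")]
            return [self._numeric("324", f"{target} +nt")]
        if cmd in ("PRIVMSG", "NOTICE", "USERHOST", "WHO"):
            return []  # accept silently; what the bot says is the interesting part
        return [self._numeric("421", f"{cmd} :Unknown command")]


def main():
    client_host = sys.argv[1] if len(sys.argv) > 1 else "client.invalid"
    session = FakeIrcd(client_host=client_host)
    with open(LOG_PATH, "a") as log:
        while True:
            line = sys.stdin.readline()
            if not line:
                break
            log.write(f"{time.strftime('%Y-%m-%d %H:%M:%S')} {client_host} > {line.rstrip()}\n")
            log.flush()
            for reply in session.handle(line):
                sys.stdout.write(reply + "\r\n")
                sys.stdout.flush()  # honeyd relays stdout to the client; unflushed output never leaves
            if line.upper().startswith("QUIT"):
                break


if __name__ == "__main__":
    main()
```

The replies are deliberately generic: the point is not to be a real ircd but to send the numerics a client waits on before it joins a channel and starts talking, so that the log captures the channel name, any PASS or NickServ traffic and the first commands it issues. If a particular bot still stops after registration, the log shows the last thing it sent, which is the command the script then needs to answer.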

