Security Incidents mailing list archives

Re: Annoy Those Sub7 Scanners.


From: H Carvey <keydet89 () YAHOO COM>
Date: Sun, 27 Aug 2000 08:09:08 -0700

What we need are more trojans like fakebo.

I wouldn't recommend any of the programs that open a
port, such as NukeNabber, FakeBO, or even a deception
toolkit.

What I've done is install Win32-snort on my NT
system.  About once a week or so, I'll run a script
that will pull all of the snort alerts out of my
EventLog, and parse out the source IP addresses of the
various scans...mostly NetBIOS name queries, but often
Sub7 and the like.

Once that is done, the script can run nmapNT against
the system to ID open ports, fingerprint the OS, etc.
Powerful tools like Perl allow all sorts of
flexibility with what you can do.  Now, I don't
advocate a full-out StrikeBack capability, a la Winn
Schwartau, but I have found that some of the scans
have come from folks w/ Win95 machines with
fully-shared C:\ drives.

Carv

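The weekly alert review described in the message above, as an added example that is not part of the original post and not the author's script: it parses alert text and groups it by source address. It assumes the alerts have already been exported from the Event Log as Snort one-line alert text; the sample lines, signature names and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample alerts (documentation addresses) in Snort's one-line
# alert layout; assumed to be already exported from the Event Log.
SAMPLE_ALERTS = """\
08/20-02:14:07.120000 [**] [1:1000001:1] Possible SubSeven probe [**] [Priority: 1] {TCP} 203.0.113.7:1843 -> 192.0.2.10:27374
08/21-11:02:55.480000 [**] [1:1000002:1] NetBIOS name query [**] [Priority: 3] {UDP} 198.51.100.23:137 -> 192.0.2.10:137
08/21-11:03:01.090000 [**] [1:1000002:1] NetBIOS name query [**] [Priority: 3] {UDP} 198.51.100.23:137 -> 192.0.2.10:137
08/23-19:40:12.300000 [**] [1:1000001:1] Possible SubSeven probe [**] [Priority: 1] {TCP} 203.0.113.7:1851 -> 192.0.2.10:1243
08/24-06:00:00.000000 [**] [1:1000003:1] ICMP echo request [**] [Priority: 3] {ICMP} 198.51.100.99 -> 192.0.2.10
this line is not an alert and is skipped
"""

# timestamp, [gid:sid:rev], signature text, {proto}, src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[[\d:]+\]\s+(?P<sig>.+?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s+->\s+"
    r"\d{1,3}(?:\.\d{1,3}){3}(?::(?P<dport>\d+))?\s*$"
)

def summarize_sources(text):
    """Return {source_ip: {"count", "signatures", "dports", "first", "last"}}."""
    sources = defaultdict(lambda: {"count": 0, "signatures": set(),
                                   "dports": set(), "first": None, "last": None})
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a well-formed alert
        entry = sources[m["src"]]
        entry["count"] += 1
        entry["signatures"].add(m["sig"])
        if m["dport"]:  # ICMP alerts carry no port
            entry["dports"].add(int(m["dport"]))
        entry["first"] = entry["first"] or m["ts"]
        entry["last"] = m["ts"]
    return dict(sources)

def weekly_report(text):
    """Report lines, busiest source first (ties broken by address string)."""
    rows = sorted(summarize_sources(text).items(),
                  key=lambda kv: (-kv[1]["count"], kv[0]))
    return [f"{ip:<16} alerts={e['count']} ports={sorted(e['dports'])} "
            f"sigs={sorted(e['signatures'])} seen={e['first']}..{e['last']}"
            for ip, e in rows]

if __name__ == "__main__":
    print("\n".join(weekly_report(SAMPLE_ALERTS)))
```
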

