Re: Upload of "pipes.scr" attempted to NetBus "honeypot"

[Edward Vielmetti <emv () EMPLOYEES ORG>]

There is a program called "Netbuster" that simulates a NetBus server and
lets the person running it send back bogus information to the connecting
client.  See http://surf.to/netbuster for details.  I can't vouch for its
quality or integrity, not having used it before, but it may help you in
your efforts to write your own code.

thanks

Ed

On Wed, 24 Jan 2001, Sverre H. Huseby wrote:

> Last week I wrote a simple daemon that accepts incoming connections to
> TCP port 12345, and announces itself as "NetBus 1.60".  The program
> simply logs the first command sent by the client, and attempts to send
> a warning message to the bad guy in the other end.  Unfortunately, I
> don't know the NetBus protocol, so I'm unable to simulate a real
> NetBus server.
>
> The last six days I've had three connections to my daemon when online
> using my dialup ISDN connection.  All three comes from the same ISP as
> I connect to.  What follows are the relevant log lines (Norwegian
> times):
>
> 2001-01-18 15:24:34  server running on 130.67.238.181:12345
> 2001-01-18 16:00:25  [130.67.238.126:3388]  accepted connection
> 2001-01-18 16:00:25  [130.67.238.126:3388]  "UploadFile;pipes.scr;10000;\"
> 2001-01-18 16:00:26  [130.67.238.126:3388]  client disconnected
>
> 2001-01-18 22:31:40  server running on 130.67.123.106:12345
> 2001-01-18 23:13:00  [130.67.123.85:1448]  accepted connection
> 2001-01-18 23:13:01  [130.67.123.85:1448]  "UploadFile;pipes.scr;10000;\"
> 2001-01-18 23:13:01  [130.67.123.85:1448]  warning message sendt
> 2001-01-18 23:13:01  [130.67.123.85:1448]  client disconnected
>
> 2001-01-24 20:04:11  server running on 130.67.215.213:12345
> 2001-01-24 20:04:30  [130.67.215.250:1205]  accepted connection
> 2001-01-24 20:04:30  [130.67.215.250:1205]  "UploadFile;pipes.scr;10000;\"
> 2001-01-24 20:04:30  [130.67.215.250:1205]  warning message sendt
> 2001-01-24 20:04:33  [130.67.215.250:1205]  client disconnected
>
> The ISP issues addresses dynamically, so I have no idea whether the
> connections are from the same person.  Also, the ISP does not give out
> information to people like me, they merely send a warning to the bad
> guy.  At least that's their standard reply to complaints like this.
>
> Ok, what I see is what seems to be three attempts on uploading a file
> called "pipes.scr" to my computer.  I do not know NetBus at all, so I
> don't know if the almost immediate upload attempt after connecting
> (see time stamps) is normal NetBus behavior, or if it indicates some
> kind of a script.  If the NetBus client is running a script, it _may_
> be that the owner of the misbehaving computer is unaware of what is
> going on.  Again, I'we never run NetBus myself, so I'm not the right
> person to speculate.
>
> Has anyone else seen similar attempts?  Any idea what that "pipes.scr"
> may be (except a fancy screen saver)?
>
>
> Sverre.
>
> PS: If you happen to know the protocol of NetBus or SubSeven (the two
>     trojans I see most scans for at my computer), could you please
>     e-mail me the details?
>
> --
> <URL:mailto:shh () thathost com>
> <URL:http://shh.thathost.com/>