Security Incidents mailing list archives
Re: Upload of "pipes.scr" attempted to NetBus "honeypot"
From: Dennis McHenry <ronmch () comports com>
Date: Wed, 24 Jan 2001 19:42:28 -0800
Pipes.SCR is just a stock Windows screensaver. It's an executable-type file; possible to embed a virus or trojan in it. I hardly ever see it being used anymore (as the screen saver). It's one of several that come with Win 9x.

If it's a trojan, the author likes the long shots. First to find a system that's vulnerable to whatever exploit they're using, then to get it onto a system where Pipes is the active screensaver. I don't know how it'd drop into the correct directory, either. It didn't seem like they were trying to get it into the Windows directory (where it's installed by default). Some virus, maybe?

-DMc

----- Original Message -----
From: "Sverre H. Huseby" <shh () THATHOST COM>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Wednesday, January 24, 2001 11:31 AM
Subject: Upload of "pipes.scr" attempted to NetBus "honeypot"
Last week I wrote a simple daemon that accepts incoming connections to TCP port 12345, and announces itself as "NetBus 1.60". The program simply logs the first command sent by the client, and attempts to send a warning message to the bad guy in the other end. Unfortunately, I don't know the NetBus protocol, so I'm unable to simulate a real NetBus server.

The last six days I've had three connections to my daemon when online using my dialup ISDN connection. All three come from the same ISP as I connect to. What follows are the relevant log lines (Norwegian times):

2001-01-18 15:24:34 server running on 130.67.238.181:12345
2001-01-18 16:00:25 [130.67.238.126:3388] accepted connection
2001-01-18 16:00:25 [130.67.238.126:3388] "UploadFile;pipes.scr;10000;\"
2001-01-18 16:00:26 [130.67.238.126:3388] client disconnected

2001-01-18 22:31:40 server running on 130.67.123.106:12345
2001-01-18 23:13:00 [130.67.123.85:1448] accepted connection
2001-01-18 23:13:01 [130.67.123.85:1448] "UploadFile;pipes.scr;10000;\"
2001-01-18 23:13:01 [130.67.123.85:1448] warning message sendt
2001-01-18 23:13:01 [130.67.123.85:1448] client disconnected

2001-01-24 20:04:11 server running on 130.67.215.213:12345
2001-01-24 20:04:30 [130.67.215.250:1205] accepted connection
2001-01-24 20:04:30 [130.67.215.250:1205] "UploadFile;pipes.scr;10000;\"
2001-01-24 20:04:30 [130.67.215.250:1205] warning message sendt
2001-01-24 20:04:33 [130.67.215.250:1205] client disconnected

The ISP issues addresses dynamically, so I have no idea whether the connections are from the same person. Also, the ISP does not give out information to people like me, they merely send a warning to the bad guy. At least that's their standard reply to complaints like this.

Ok, what I see is what seems to be three attempts at uploading a file called "pipes.scr" to my computer.
I do not know NetBus at all, so I don't know if the almost immediate upload attempt after connecting (see time stamps) is normal NetBus behavior, or if it indicates some kind of a script. If the NetBus client is running a script, it _may_ be that the owner of the misbehaving computer is unaware of what is going on. Again, I've never run NetBus myself, so I'm not the right person to speculate.

Has anyone else seen similar attempts? Any idea what that "pipes.scr" may be (except a fancy screen saver)?

Sverre.

PS: If you happen to know the protocol of NetBus or SubSeven (the two trojans I see most scans for at my computer), could you please e-mail me the details?

--
<URL:mailto:shh () thathost com>
<URL:http://shh.thathost.com/>
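The daemon Sverre describes, reconstructed as an added example (this is not his code, and nothing here is the real NetBus protocol). The only protocol facts it relies on are the ones visible in the post: the listener answers on TCP 12345 with a "NetBus 1.60" banner, the client sends a single line of semicolon-separated fields such as "UploadFile;pipes.scr;10000;\", and the daemon logs that first line and nothing else. The exact banner bytes, the line terminator, the name `parse_netbus_command` and the helpers around it are assumptions; the meaning of the 10000 field is not established by the post and is not interpreted. The `SAMPLE_LOG` lines are a constructed copy of the log excerpt above, used to show the second half of what a practitioner wants from such a listener: pulling the attempted uploads out of the log per source address.

```python
"""NetBus-style honeypot and log summarizer (added example, not the
poster's daemon). All protocol details are assumptions inferred from the
post: "NetBus 1.60" banner, one 'Cmd;arg;arg;...' line from the client,
first line logged. The '10000' field is logged but not interpreted.
"""
import re
import socket
import socketserver
import threading
import time
from collections import defaultdict

BANNER = b"NetBus 1.60\r\n"  # assumed banner text and line ending

# Log line shape copied from the post: '<date> <time> [ip:port] "command"'
LOG_RE = re.compile(r'^\S+ \S+ \[(\d+\.\d+\.\d+\.\d+):\d+\] "(.*)"$')

# Constructed sample: the command lines from the log excerpt in the post.
SAMPLE_LOG = """\
2001-01-18 16:00:25 [130.67.238.126:3388] accepted connection
2001-01-18 16:00:25 [130.67.238.126:3388] "UploadFile;pipes.scr;10000;\\"
2001-01-18 16:00:26 [130.67.238.126:3388] client disconnected
2001-01-18 23:13:01 [130.67.123.85:1448] "UploadFile;pipes.scr;10000;\\"
2001-01-24 20:04:30 [130.67.215.250:1205] "UploadFile;pipes.scr;10000;\\"
""".splitlines()


def parse_netbus_command(line):
    """Split 'Cmd;arg;arg;...' into (command, [args]). CR/LF and one empty
    trailing field are dropped, so 'UploadFile;pipes.scr;10000;\\' gives
    ('UploadFile', ['pipes.scr', '10000', '\\'])."""
    fields = line.rstrip("\r\n").split(";")
    if fields[-1] == "":
        fields.pop()
    if not fields:
        return ("", [])
    return (fields[0], fields[1:])


def upload_attempts(log_lines):
    """Map source IP -> filenames named in logged UploadFile commands."""
    attempts = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # 'accepted connection' etc. carry no quoted command
        cmd, args = parse_netbus_command(m.group(2))
        if cmd == "UploadFile" and args:
            attempts[m.group(1)].append(args[0])
    return dict(attempts)


class HoneypotHandler(socketserver.StreamRequestHandler):
    timeout = 30  # drop clients that connect but never send a command

    def handle(self):
        peer = "%s:%d" % self.client_address
        log = self.server.records
        log.append((peer, "accepted connection"))
        try:
            self.wfile.write(BANNER)
            raw = self.rfile.readline(1024)  # first line only, bounded
        except OSError:  # includes the read timeout
            raw = b""
        if raw:
            # Record the command; never act on it (no file is ever written).
            log.append((peer, raw.decode("latin-1").rstrip("\r\n")))
        log.append((peer, "client disconnected"))


class NetBusHoneypot(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, addr=("0.0.0.0", 12345)):
        super().__init__(addr, HoneypotHandler)
        self.records = []  # (peer, event) tuples, in arrival order


def start_honeypot(addr=("0.0.0.0", 12345)):
    """Serve in a background thread; returns the server for inspection."""
    srv = NetBusHoneypot(addr)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def demo(command=b"UploadFile;pipes.scr;10000;\\\r\n"):
    """Run the honeypot on a loopback ephemeral port, replay the client
    behaviour seen in the post against it, and return (banner, events)."""
    srv = start_honeypot(("127.0.0.1", 0))
    try:
        with socket.create_connection(srv.server_address, timeout=5) as s:
            banner = s.recv(64)
            s.sendall(command)
        deadline = time.monotonic() + 5
        while time.monotonic() < deadline:
            if any(ev == "client disconnected" for _, ev in srv.records):
                break
            time.sleep(0.02)
        return banner, [ev for _, ev in srv.records]
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(upload_attempts(SAMPLE_LOG))
    print(demo())
```

Two design points worth keeping if you run something like this for real: the handler reads at most one bounded line and never honours the request, so a client asking to upload a file gets nothing written to disk; and the per-connection timeout means a scanner that connects and goes quiet cannot pin a handler thread open indefinitely.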
Current thread:
- Upload of "pipes.scr" attempted to NetBus "honeypot" Sverre H. Huseby (Jan 24)
- Re: Upload of "pipes.scr" attempted to NetBus "honeypot" Edward Vielmetti (Jan 24)
- Re: Upload of "pipes.scr" attempted to NetBus "honeypot" Dennis McHenry (Jan 25)
- Re: Upload of "pipes.scr" attempted to NetBus "honeypot" Sverre H. Huseby (Jan 25)
- <Possible follow-ups>
- Re: Upload of "pipes.scr" attempted to NetBus "honeypot" Brooke, O'neil (EXP) (Jan 25)