Security Incidents mailing list archives

Re: Upload of "pipes.scr" attempted to NetBus "honeypot"


From: "Sverre H. Huseby" <shh () thathost com>
Date: Mon, 4 Jun 2001 22:06:53 +0200

[ This is a repost: I didn't find this message in the archives, so I
  suspect it disappeared during your mail trouble some time back.  Of
  course it may have been moderated away, in that case please excuse
  me for bothering you again. :) ]

This is a follow up to a message sent by me on 2001-01-24.  As it has
been a long time, I quote most of the original message:

|   Last week I wrote a simple daemon that accepts incoming connections to
|   TCP port 12345, and announces itself as "NetBus 1.60".  The program
|   simply logs the first command sent by the client, and attempts to send
|   a warning message to the bad guy in the other end.  [...]
|   
|   The last six days I've had three connections to my daemon when online
|   using my dialup ISDN connection.  All three come from the same ISP as
|   I connect to.  What follows are the relevant log lines (Norwegian
|   times):
|   
|   2001-01-18 15:24:34  server running on 130.67.238.181:12345
|   2001-01-18 16:00:25  [130.67.238.126:3388]  accepted connection
|   2001-01-18 16:00:25  [130.67.238.126:3388]  "UploadFile;pipes.scr;10000;\"
|   2001-01-18 16:00:26  [130.67.238.126:3388]  client disconnected
|   
|   2001-01-18 22:31:40  server running on 130.67.123.106:12345
|   2001-01-18 23:13:00  [130.67.123.85:1448]  accepted connection
|   2001-01-18 23:13:01  [130.67.123.85:1448]  "UploadFile;pipes.scr;10000;\"
|   2001-01-18 23:13:01  [130.67.123.85:1448]  warning message sendt
|   2001-01-18 23:13:01  [130.67.123.85:1448]  client disconnected
|   
|   2001-01-24 20:04:11  server running on 130.67.215.213:12345
|   2001-01-24 20:04:30  [130.67.215.250:1205]  accepted connection
|   2001-01-24 20:04:30  [130.67.215.250:1205]  "UploadFile;pipes.scr;10000;\"
|   2001-01-24 20:04:30  [130.67.215.250:1205]  warning message sendt
|   2001-01-24 20:04:33  [130.67.215.250:1205]  client disconnected
|   
|   The ISP issues addresses dynamically, so I have no idea whether the
|   connections are from the same person.  [...]
|   
|   Ok, what I see is what seems to be three attempts at uploading a file
|   called "pipes.scr" to my computer.  I do not know NetBus at all, so I
|   don't know if the almost immediate upload attempt after connecting
|   (see time stamps) is normal NetBus behavior, or if it indicates some
|   kind of a script.  If the NetBus client is running a script, it _may_
|   be that the owner of the misbehaving computer is unaware of what is
|   going on.  [...]

I reported the first four incidents as computer crime to the local
police.  After several weeks, a nice investigator called me and told
me approximately that "the upload attempts come from all over the
country, and from different kinds of households (kids, no kids, etc.)".

It is at least not a single person who is doing this all by his
lonesome.  The different households make me think that people
probably are unaware that their computers are trying to break into
other machines.  If that is correct, we may have a "new" trojan horse
around.

After I reported the incidents to the police, I have had eight more
identical upload attempts.  Summing up, this gives us a total of 12
attempts from 2001-01-18 to 2001-05-03.  Every single attempt comes
from the IP address range of my own ISP.

Yesterday I received a mail from a person who has experienced similar
behavior.  He reported upload attempts of the file pipes.scr, and all
attempts originated from the same ISP as he uses (not the same as
mine).  Hopefully he (and anyone else experiencing the same) will give
us some more details here.


Sverre.

-- 
<URL:mailto:shh () thathost com>
<URL:http://shh.thathost.com/>
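The two questions the post leaves open, how quickly the upload command follows the accept (a sign of scripted use) and whether every source sits in the same address range as the honeypot, can be checked mechanically from the log lines. What follows is an added example, not the author's daemon and not NetBus code of any kind: it parses the log format seen in the quoted lines (reconstructed here as a constructed sample), treats the trailing backslash on the command line as the log's rendering of the command's line terminator (an assumption), and uses "peer is in the server's /24" as a crude stand-in for "same ISP range" (also an assumption; a real check would use the ISP's announced prefixes).

```python
"""Analyse NetBus honeypot log lines of the kind quoted in the post.

Added example, not the author's daemon.  The log format is inferred from the
quoted lines; the trailing backslash on the logged command is assumed to be
the log's rendering of the line terminator.
"""
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample: the log lines quoted in the post (Norwegian local time).
SAMPLE_LOG = [
    '2001-01-18 15:24:34  server running on 130.67.238.181:12345',
    '2001-01-18 16:00:25  [130.67.238.126:3388]  accepted connection',
    '2001-01-18 16:00:25  [130.67.238.126:3388]  "UploadFile;pipes.scr;10000;\\"',
    '2001-01-18 16:00:26  [130.67.238.126:3388]  client disconnected',
    '2001-01-18 22:31:40  server running on 130.67.123.106:12345',
    '2001-01-18 23:13:00  [130.67.123.85:1448]  accepted connection',
    '2001-01-18 23:13:01  [130.67.123.85:1448]  "UploadFile;pipes.scr;10000;\\"',
    '2001-01-18 23:13:01  [130.67.123.85:1448]  warning message sendt',
    '2001-01-18 23:13:01  [130.67.123.85:1448]  client disconnected',
    '2001-01-24 20:04:11  server running on 130.67.215.213:12345',
    '2001-01-24 20:04:30  [130.67.215.250:1205]  accepted connection',
    '2001-01-24 20:04:30  [130.67.215.250:1205]  "UploadFile;pipes.scr;10000;\\"',
    '2001-01-24 20:04:33  [130.67.215.250:1205]  client disconnected',
]

# "<timestamp>  server running on <ip>:<port>"  or
# "<timestamp>  [<peer>:<port>]  <event>"
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d\d:\d\d:\d\d)  '
    r'(?:server running on (?P<server>[\d.]+):\d+'
    r'|\[(?P<peer>[\d.]+):(?P<port>\d+)\]  (?P<event>.*))$'
)


@dataclass
class Session:
    server: str
    peer: str
    port: int
    accepted: datetime
    command: Optional[str] = None
    args: tuple = ()
    first_cmd_at: Optional[datetime] = None

    @property
    def delay_s(self) -> Optional[float]:
        """Seconds between accept and first command; ~0 suggests a script."""
        if self.first_cmd_at is None:
            return None
        return (self.first_cmd_at - self.accepted).total_seconds()

    @property
    def same_net(self) -> bool:
        """Assumption: peer in the server's /24 stands in for 'same ISP range'."""
        net = ipaddress.ip_network(f"{self.server}/24", strict=False)
        return ipaddress.ip_address(self.peer) in net


def parse_command(text: str):
    # e.g. "UploadFile;pipes.scr;10000;\"  ->  ('UploadFile', ('pipes.scr', '10000'))
    body = text.strip().strip('"').rstrip('\\')   # drop quotes and the assumed terminator
    fields = body.split(';')                       # NetBus-style ';'-separated fields
    return fields[0], tuple(f for f in fields[1:] if f)


def parse_log(lines):
    """Pair each 'accepted connection' with the first command it sent."""
    sessions, server, open_sessions = [], None, {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                                # unknown format: skip, do not crash
        ts = datetime.strptime(m['ts'], '%Y-%m-%d %H:%M:%S')
        if m['server']:
            server = m['server']                    # new listening address (dynamic IP)
            continue
        key, event = (m['peer'], int(m['port'])), m['event']
        if event == 'accepted connection':
            open_sessions[key] = Session(server, key[0], key[1], ts)
            sessions.append(open_sessions[key])
        elif event.startswith('"') and key in open_sessions:
            s = open_sessions[key]
            if s.command is None:                   # keep only the first command
                s.command, s.args = parse_command(event)
                s.first_cmd_at = ts
        elif event == 'client disconnected':
            open_sessions.pop(key, None)
    return sessions


def upload_attempts(sessions, max_delay_s=2.0):
    """Sessions whose first command was UploadFile within max_delay_s of accept."""
    return [s for s in sessions
            if s.command == 'UploadFile' and s.delay_s is not None
            and s.delay_s <= max_delay_s]


if __name__ == '__main__':
    for s in upload_attempts(parse_log(SAMPLE_LOG)):
        print(f"{s.peer}:{s.port} tried to upload {s.args[0]} ({s.args[1]} bytes) "
              f"{s.delay_s:.0f}s after connect; same /24 as server: {s.same_net}")
```

Run against the three quoted sessions this reports delays of 0, 1 and 0 seconds and a peer in the server's /24 every time, which is the pattern the post describes; on a larger log the same functions give a per-source count and a delay distribution to compare against hand-driven NetBus clients.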
