Security Incidents mailing list archives

Re: "Worm" behavior -- port 80 honey pots


From: Rich Puhek <rpuhek () etnsystems com>
Date: Mon, 15 Oct 2001 15:57:14 -0500



"Jon R. Kibler" wrote:

We have observed some curious behavior regarding what appears to be worm probes on port 80. We would be interested in 
anyone's thoughts as to what may be occurring and why.

We have a system with a public IP that is running Sun Solaris 2.x O/S. This system does not have a web server. 
Rather, we have a honey pot that sits on port 80. Port 80 is controlled by inetd. When someone attempts to connect to 
port 80, inetd starts the honey pot. The honey pot just tries to read from port 80 until it times out. Upon time-out, 
it may send the connecting system a 'go away' message and drop the connection, or simply drop the connection.

Whenever port 80 is probed by spiders, most sniffers, and all the worms we have seen up through and including the 
original Code Red worm, the honey pot would receive and record whatever payload was being sent by the remote system. 
Starting with the presumed variants of Code Red, and what we presume is Nimda (that is, groups of 16 sequential port 
80 probes), we have not been receiving any payloads from remote systems. The old read time-out was set for 5 seconds, 
but we have run it up as high as 15 minutes and we still do not receive anything during that time from any of these 
new 'worms.'


Is it a possibility that the probes you're seeing there are
Nimda-infected machines that happen to suffer the effects of one of the
"Nimda-Killer" redirects from another probed host? I'm thinking the
possibility exists that the probing machine hits your honeypot and
around the same time it hits a machine that gives it one of the
Nimda-Killer redirects, which either swamps the probing machine
(redirecting to 127.0.0.1) or shuts it down (sending a command to exit
Windows).

I haven't studied Nimda's behavior in detail, or the behavior of the
redirects, so I don't know how likely it is, but might be something to
consider...

--Rich


_________________________________________________________
                         
Rich Puhek               
ETN Systems Inc.         
_________________________________________________________
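A minimal version of the inetd-spawned port-80 honey pot the quoted message describes, as an added Python example (not code from either poster): it reads the accepted connection until the remote side closes, a byte cap is hit, or the line stays silent for the timeout, then records what arrived so that "connected but sent nothing" is logged distinctly from a real payload. The log path and the fd-0 peer lookup are assumptions.

```python
"""inetd-style port-80 honey pot handler (added example, assumptions noted)."""
import os
import select
import socket
import time
from dataclasses import dataclass


@dataclass
class Capture:
    peer: str
    payload: bytes = b""
    timed_out: bool = False   # remote stayed silent for the whole timeout
    eof: bool = False         # remote closed the connection


def read_until_timeout(fd, timeout, max_bytes=65536, peer="unknown"):
    """Read from fd (the connected socket inetd hands us as stdin) until EOF,
    max_bytes, or `timeout` seconds with no data. Returns a Capture record."""
    cap = Capture(peer=peer)
    deadline = time.monotonic() + timeout
    while len(cap.payload) < max_bytes:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            cap.timed_out = True
            break
        ready, _, _ = select.select([fd], [], [], remaining)
        if not ready:                       # silence for the full timeout
            cap.timed_out = True
            break
        chunk = os.read(fd, max_bytes - len(cap.payload))
        if not chunk:                       # EOF: peer dropped the connection
            cap.eof = True
            break
        cap.payload += chunk
    return cap


def log_line(cap):
    """One-line record; repr() escapes binary so a payload cannot corrupt the log."""
    state = "eof" if cap.eof else ("timeout" if cap.timed_out else "maxbytes")
    stamp = time.strftime("%Y-%m-%dT%H:%M:%S")
    return (f"{stamp} peer={cap.peer} state={state} "
            f"bytes={len(cap.payload)} payload={cap.payload[:200]!r}")


if __name__ == "__main__":
    try:   # under inetd fd 0 is the TCP socket; fails harmlessly on a terminal
        peer = socket.socket(fileno=os.dup(0)).getpeername()[0]
    except OSError:
        peer = "unknown"
    cap = read_until_timeout(0, timeout=15.0, peer=peer)
    with open("/var/tmp/port80-honeypot.log", "a") as log:   # assumed log path
        log.write(log_line(cap) + "\n")
    if cap.timed_out:   # optional 'go away' before inetd closes the connection
        os.write(1, b"HTTP/1.0 400 Bad Request\r\nConnection: close\r\n\r\n")
```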

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

