honeypot
on 04.04.2006 14:33:36 by none
Like everyone else, when I check my firewall logs I see huge numbers of
attempts to connect to me... unsuccessfully, as I run no services on
this machine. Even so, I am irritated by this. Most of the attempts are
on port 139... just kiddies looking to see if I am sharing anything, I
guess. Most ISPs are not interested in receiving complaints about this.
I have seen the idea of a "honeypot", where one actually runs a service,
so as to collect more information about the intruder. Also suggested is
a booby-trap, whereby any attempt to make use of the fake "service"
results in unfortunate consequences... though I am not in favour of
leaving viruses lying around, as they can only spread. (The fact that
the intruder may deserve to have his disks wiped is unfortunately
irrelevant.) Comments on what is legally/morally/technically possible
would be welcome.
Re: honeypot
on 04.04.2006 15:14:05 by Bit Twister
On Tue, 04 Apr 2006 13:33:36 +0100, none wrote:
> I have seen the idea of a "honeypot", where one actually runs a service,
> so as to collect more information about the intruder. Also suggested is
> a booby-trap, whereby any attempt to make use of the fake "service"
> results in unfortunate consequences... though I am not in favour of
> leaving viruses lying around, as they can only spread. (The fact that
> the intruder may deserve to have his disks wiped is unfortunately
> irrelevant.) Comments on what is legally/morally/technically possible
> would be welcome.
Let's say some lawyer's system is a zombie.
It connects to your malicious honeypot.
Your software dinks up his system.
He then sues you for damages/pain and agony/.....
Forget about his system contacting your system.
Right or wrong, do you have the spare money to fight the lawsuit?
Let's pick another method. Because your system zapped one of his
zombie bots, the chapped zombie master uses another bot to create a fake IP
header and sends it to your system. Your system attacks the IP address in
the fake header.
Now you really are in the law's spotlight. Your system attacked a
system which did not contact your system.
Re: honeypot
on 04.04.2006 16:16:43 by none
Bit Twister wrote:
> On Tue, 04 Apr 2006 13:33:36 +0100, none wrote:
>
>
>>I have seen the idea of a "honeypot", where one actually runs a service,
>>so as to collect more information about the intruder. Also suggested is
>>a booby-trap, whereby any attempt to make use of the fake "service"
>>results in unfortunate consequences... though I am not in favour of
>>leaving viruses lying around, as they can only spread. (The fact that
>>the intruder may deserve to have his disks wiped is unfortunately
>>irrelevant.) Comments on what is legally/morally/technically possible
>>would be welcome.
>
>
> Let's say some lawyer's system is a zombie.
> It connects to your malicious honeypot.
> Your software dinks up his system.
> He then sues you for damages/pain and agony/.....
>
> Forget about his system contacting your system.
> Right or wrong, do you have the spare money to fight the lawsuit?
>
> Let's pick another method. Because your system zapped one of his
> zombie bots, the chapped zombie master uses another bot to create a fake IP
> header and sends it to your system. Your system attacks the IP address in
> the fake header.
>
> Now you really are in the law's spotlight. Your system attacked a
> system which did not contact your system.
>
This is pretty much what I thought would be the disadvantage of the
booby-trap system, which is one reason I have no wish to implement one.
Even if the machine is not a zombie, I have no wish to sink to the same
level as the bad guy (I hope I made it clear that even though the attacker
*deserves* to have his disks trashed, this is not a good reason for
doing so). Any ideas for what *can* be done if the abuser's ISP is not
interested? My current policy is just to mutter obscenities and ignore
them.
Re: honeypot
on 04.04.2006 16:54:34 by Bit Twister
On Tue, 04 Apr 2006 15:16:43 +0100, none wrote:
> Any ideas for what *can* be done if the abuser's ISP is not
> interested?
My solution is just to use the firewall to block domain ranges and/or
active malware ports without logging.
That allows me to see new malware port hunting. For port numbers
http://www.dshield.org//port_report.php?port=
http://isc.sans.org/port_details.php?port=
http://lists.thedatalist.com/portlist/lookup.php?port=
I use whois ip_addy_here to get IP range values and to see if it is
worth blocking and/or reporting with logs. Universities and businesses
seem to care more so than ISPs.
You appear to be running Fedora Core. I am running Mandriva Linux with
the Shorewall firewall interface. Here is a copy of my blacklist, which
drops without logging.
0.0.0.0/0 udp 1025:1035
0.0.0.0/0 tcp 80 # AckCmd, Back End, CGI Backdoor, Executor, Hooker, RingZero
0.0.0.0/0 tcp 8080 # Brown Orifice , RemoConChubo, RingZero
0.0.0.0/0 tcp 21:25 # ftp, ssh, Telnet, any private mail system, smtp
0.0.0.0/0 tcp 4899 # Remote Administrator port
0.0.0.0/0 tcp 5900 # vnc Virtual Network Computer
0.0.0.0/0 tcp 42 # Host Name Server
0.0.0.0/0 tcp 111 # SUN Remote Procedure Call, Ramen worm exploit
0.0.0.0/0 tcp 106 # 3COM-TSMUX
0.0.0.0/0 tcp 143 # Internet Message Access Protocol
0.0.0.0/0 tcp 515 # spooler, Ramen worm exploit
0.0.0.0/0 tcp 10000 # Network Data Management Protocol (webmint)
0.0.0.0/0 udp 1434 # Microsoft-SQL-Monitor
0.0.0.0/0 tcp 1433 # Microsoft-SQL-Server
0.0.0.0/0 tcp 2745 # W32/Bagle.j@MM Virus backdoor
0.0.0.0/0 tcp 3127 # ctx-bridge, W32/MyDoom, W32.Novarg.A backdoor
0.0.0.0/0 tcp 3306 # MySQL
0.0.0.0/0 tcp 3389 # MS WBT Server
0.0.0.0/0 tcp 3410 # Backdoor.OptixPro.12
0.0.0.0/0 tcp 4000 # Skydance, Connect-BackBackdoor
0.0.0.0/0 tcp 5110 # Turkish trojan ProRat
0.0.0.0/0 tcp 5554 # Sasser trojan/worm ftp server
0.0.0.0/0 udp 5631 # pcANYWHEREdata
0.0.0.0/0 tcp 5800 # vnc
0.0.0.0/0 tcp 6129 # Dameware Remote Admin
0.0.0.0/0 tcp 6348 # Gnutella works on this port too
0.0.0.0/0 udp 6348 # Gnutella works on this port too
0.0.0.0/0 tcp 9898 # dabber, MonkeyCom
0.0.0.0/0 udp 9200 # WAP connectionless session service
0.0.0.0/0 tcp 2100 # Amiga Network Filesystem
0.0.0.0/0 tcp 27374 # Bad Blood, SubSeven, SubSeven 2.1 Gold, SubSeven 2.1.4 DefCon 8
0.0.0.0/0 udp 33436 #
0.0.0.0/0 udp 33437 #
0.0.0.0/0 udp 33440 #
0.0.0.0/0 udp 33436 #
0.0.0.0/0 tcp 32773 # Sometimes an RPC port on Solaris box (rquotad)
0.0.0.0/0 tcp 11768 # DIPNET trojan/backdoor
0.0.0.0/0 tcp 15118 #
0.0.0.0/0 tcp 17300 # Kuang2 the virus
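As an added example (not code from the thread), a small Python script in the spirit of the approach just described: it parses entries in the blacklist format shown above and filters log lines down to the hits the blacklist would not have dropped silently, which is the "new malware port hunting" the poster wants to keep visible. The blacklist excerpt, the netfilter-style log lines, and the regex are constructed for the example.

```python
import ipaddress
import re

# Constructed excerpt in the blacklist format of the post: "a-b" range,
# CIDR block, or "0.0.0.0/0 <proto> <port|lo:hi>", with "#" comments.
BLACKLIST = """
66.28.0.0-66.28.255.255 # Cogent Communications
221.208.0.0/14 # CNCGROUP Heilongjiang Province Network
0.0.0.0/0 udp 1025:1035
0.0.0.0/0 tcp 27374 # SubSeven
"""
# Constructed netfilter-style log lines; only SRC, PROTO and DPT are used.
SAMPLE_LOGS = [
    "kernel: IN=eth0 SRC=66.28.10.5 DST=10.0.0.2 PROTO=TCP DPT=139",    # blacklisted range
    "kernel: IN=eth0 SRC=203.0.113.9 DST=10.0.0.2 PROTO=UDP DPT=1030",  # inside udp 1025:1035
    "kernel: IN=eth0 SRC=198.51.100.4 DST=10.0.0.2 PROTO=TCP DPT=139",  # not covered: stays visible
    "kernel: IN=eth0 SRC=198.51.100.4 DST=10.0.0.2 PROTO=TCP DPT=4444", # not covered: new port hunting
]
LOG_RE = re.compile(r"SRC=(\S+) .*?PROTO=(\w+) .*?DPT=(\d+)")

def parse_blacklist(text):
    """Return (networks, port_rules); a port rule is (proto, low, high)."""
    nets, ports = [], []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comment, tokenize
        if not fields:
            continue
        if len(fields) == 3 and fields[0] == "0.0.0.0/0":      # port rule
            lo, _, hi = fields[2].partition(":")
            ports.append((fields[1].lower(), int(lo), int(hi or lo)))
        elif "-" in fields[0]:                                 # address range
            first, last = (ipaddress.ip_address(a) for a in fields[0].split("-"))
            nets.extend(ipaddress.summarize_address_range(first, last))
        else:                                                  # CIDR block
            nets.append(ipaddress.ip_network(fields[0]))
    return nets, ports

def unblocked_hits(log_lines, nets, ports):
    """Return hits the blacklist would NOT drop silently: the new port hunting."""
    visible = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        src, proto, dpt = ipaddress.ip_address(m.group(1)), m.group(2).lower(), int(m.group(3))
        if any(src in net for net in nets):                               # known bad range
            continue
        if any(proto == p and lo <= dpt <= hi for p, lo, hi in ports):   # known malware port
            continue
        visible.append((str(src), proto, dpt))
    return visible
```

Pointing the script at a real log file (one line per call of `unblocked_hits`) leaves only the entries that the silent blacklist rules would not already have absorbed.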
Re: honeypot
on 04.04.2006 18:47:29 by Volker Birk
none <""mike\"@(none)"> wrote:
> Like everyone else, when I check my firewall logs I see huge numbers of
> attempts to connect to me... unsuccessfully, as I run no services on
> this machine. Even so, I am irritated by this. Most of the attempts are
> on port 139.
Very likely these are automated attacks.
Yours,
VB.
--
At first there was the word. And the word was Content-type: text/plain