Security Incidents mailing list archives
Re: Upload of "pipes.scr" attempted to NetBus "honeypot"
From: "Brooke, O'neil (EXP)" <o'neil.brooke () LMCO COM>
Date: Thu, 25 Jan 2001 13:21:22 -0500
Hello Sverre

Set up another computer that you can play with and install netbus. Then you get to play with it all you like. I really doubt that the default action of the netbus client is to upload a file. (Unless it is a trojaned version of the client and the person that created that client wants to set up a parallel trojan on every computer that the client accesses.) More than likely you are seeing an effort to set up a new trojan that the attacker has protected with a password. The first step would be to upload the new trojan. Then execute the new trojan. Once the new trojan is installed the old trojan will be removed. Now the attacker has control of the host and does not need to worry about others commandeering his machine.

O'Neil.

-----Original Message-----
From: Sverre H. Huseby [mailto:shh () THATHOST COM]
Sent: Wednesday, January 24, 2001 1:32 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Upload of "pipes.scr" attempted to NetBus "honeypot"

Last week I wrote a simple daemon that accepts incoming connections to TCP port 12345, and announces itself as "NetBus 1.60". The program simply logs the first command sent by the client, and attempts to send a warning message to the bad guy in the other end. Unfortunately, I don't know the NetBus protocol, so I'm unable to simulate a real NetBus server.

The last six days I've had three connections to my daemon when online using my dialup ISDN connection. All three come from the same ISP as I connect to.

What follows are the relevant log lines (Norwegian times):

2001-01-18 15:24:34 server running on 130.67.238.181:12345
2001-01-18 16:00:25 [130.67.238.126:3388] accepted connection
2001-01-18 16:00:25 [130.67.238.126:3388] "UploadFile;pipes.scr;10000;\"
2001-01-18 16:00:26 [130.67.238.126:3388] client disconnected
2001-01-18 22:31:40 server running on 130.67.123.106:12345
2001-01-18 23:13:00 [130.67.123.85:1448] accepted connection
2001-01-18 23:13:01 [130.67.123.85:1448] "UploadFile;pipes.scr;10000;\"
2001-01-18 23:13:01 [130.67.123.85:1448] warning message sendt
2001-01-18 23:13:01 [130.67.123.85:1448] client disconnected
2001-01-24 20:04:11 server running on 130.67.215.213:12345
2001-01-24 20:04:30 [130.67.215.250:1205] accepted connection
2001-01-24 20:04:30 [130.67.215.250:1205] "UploadFile;pipes.scr;10000;\"
2001-01-24 20:04:30 [130.67.215.250:1205] warning message sendt
2001-01-24 20:04:33 [130.67.215.250:1205] client disconnected

The ISP issues addresses dynamically, so I have no idea whether the connections are from the same person. Also, the ISP does not give out information to people like me; they merely send a warning to the bad guy. At least that's their standard reply to complaints like this.

Ok, what I see is what seems to be three attempts at uploading a file called "pipes.scr" to my computer. I do not know NetBus at all, so I don't know if the almost immediate upload attempt after connecting (see time stamps) is normal NetBus behavior, or if it indicates some kind of a script. If the NetBus client is running a script, it _may_ be that the owner of the misbehaving computer is unaware of what is going on. Again, I've never run NetBus myself, so I'm not the right person to speculate.

Has anyone else seen similar attempts? Any idea what that "pipes.scr" may be (except a fancy screen saver)?

Sverre.

PS: If you happen to know the protocol of NetBus or SubSeven (the two trojans I see most scans for at my computer), could you please e-mail me the details?
-- <URL:mailto:shh () thathost com> <URL:http://shh.thathost.com/>
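A defender-side way to read the honeypot logs quoted above, added here as an example and not part of the thread or of Sverre's daemon: it groups the lines by peer, pulls out the first ';'-separated NetBus-style command, and flags sessions where UploadFile arrives within a couple of seconds of the connect, which is the scripted behaviour Sverre asks about. The embedded input is the log quoted above; the 2-second threshold is an assumption.

```python
import re
from datetime import datetime

# Honeypot log lines quoted in the post above (Norwegian local time), embedded as
# sample input. Format: "YYYY-MM-DD HH:MM:SS [source_ip:source_port] event"
SAMPLE_LOG = """
2001-01-18 16:00:25 [130.67.238.126:3388] accepted connection
2001-01-18 16:00:25 [130.67.238.126:3388] "UploadFile;pipes.scr;10000;\\"
2001-01-18 16:00:26 [130.67.238.126:3388] client disconnected
2001-01-18 23:13:00 [130.67.123.85:1448] accepted connection
2001-01-18 23:13:01 [130.67.123.85:1448] "UploadFile;pipes.scr;10000;\\"
2001-01-18 23:13:01 [130.67.123.85:1448] warning message sendt
2001-01-18 23:13:01 [130.67.123.85:1448] client disconnected
2001-01-24 20:04:30 [130.67.215.250:1205] accepted connection
2001-01-24 20:04:30 [130.67.215.250:1205] "UploadFile;pipes.scr;10000;\\"
2001-01-24 20:04:30 [130.67.215.250:1205] warning message sendt
2001-01-24 20:04:33 [130.67.215.250:1205] client disconnected
"""

LINE_RE = re.compile(r"^(\S+ \S+) \[([\d.]+):(\d+)\] (.*)$")

def parse_sessions(text):
    """Group log lines by peer (ip, port); keep connect time and first command."""
    sessions, open_by_peer = [], {}
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                  # e.g. "server running on ..." names no peer
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        peer, event = (m.group(2), int(m.group(3))), m.group(4)
        if event == "accepted connection":
            s = {"ip": peer[0], "port": peer[1], "accepted": ts,
                 "command": None, "args": [], "delay": None}
            open_by_peer[peer] = s
            sessions.append(s)
        elif event.startswith('"') and peer in open_by_peer:
            s = open_by_peer[peer]
            if s["command"] is None:  # the daemon only records the first command
                fields = event.strip('"').split(";")  # verb first, then arguments
                s["command"], s["args"] = fields[0], fields[1:]
                s["delay"] = (ts - s["accepted"]).total_seconds()
        elif event == "client disconnected":
            open_by_peer.pop(peer, None)
    return sessions

def scripted_uploads(sessions, max_delay=2.0):
    """UploadFile issued within max_delay s of connecting: too fast for a human
    driving a GUI client, so most likely a script (threshold is an assumption)."""
    return [s for s in sessions if s["command"] == "UploadFile"
            and s["delay"] is not None and s["delay"] <= max_delay]
```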
Current thread:
- Upload of "pipes.scr" attempted to NetBus "honeypot" Sverre H. Huseby (Jan 24)
- Re: Upload of "pipes.scr" attempted to NetBus "honeypot" Edward Vielmetti (Jan 24)
- Re: Upload of "pipes.scr" attempted to NetBus "honeypot" Dennis McHenry (Jan 25)
- Re: Upload of "pipes.scr" attempted to NetBus "honeypot" Sverre H. Huseby (Jan 25)
- <Possible follow-ups>
- Re: Upload of "pipes.scr" attempted to NetBus "honeypot" Brooke, O'neil (EXP) (Jan 25)