The examples below are logs from a variety of access attempts - some real and some merely tests. Note that these use the compressed logfile format (you have the option of non-compressed log files at installation). The compressed format provides full informationon the first line and subsequent lines simply replace identical information with '-' to save space. For the time field, a '+5' (for example) indicates that there was a 5 second gap between the previous log entry and this one.
Here is someone trying to access a web server on this site when there is none. Note that the fake web server on this site redirects them to a legitimate Web server and that unless this activity is repeated, it does not necessarily indicate any mal intent.
204.30.67.199 80 80 1998/03/31 13:49:17 3244 3244:1 listen.pl S0 - - - +0 - - 3244:1 - S0 GET / HTTP/1.0
128.146.27.27 21 21 1998/04/01 06:46:02 5426 5426:1 listen.pl S0 128.146.27.27 21 21 1998/04/01 07:06:14 5458 5458:1 listen.pl S0 - - - +0 - - 5458:1 - S0 user warez^M - - - +1 - - 5458:1 - S0 pass warez^MIn this case, it appears that the tool in use does a scan for FTP servers (at 1998/04/01 06:46:02) and that the user then returns to sites with ftp ports opened to see if Warez software is available. This address corresponds to an IP range that appears to be associated with Ohio State University.
127.0.0.1 21 21 1998/04/01 07:06:14 5458 5458:1 listen.pl S0 - - - +0 - - 5458:1 - S0 user warez^M - - - +3 - - 5458:1 - S0 pass warez^MThe difference is that it took 3 seconds between the user ID and password entries. People are often slower than automated systems, but this is not always a reliable indicator.
127.0.0.1 23 23 1998/04/02 05:34:23 8041 8041:1 listen.pl S0 - - - +3 - - 8041:1 - S1 root - - - +1 - - 8041:1 - S2 toor - - - +2 - - 8041:1 - S3 ls - - - +2 - - 8041:1 - S3 df - - - +4 - - 8041:1 - S3 cat /etc/passwd - - - +0 - - 8041:1 - S4 NOTICE //dtk/notify.pl 23 4 Email fc at all.net Just sent a password file to an attacker - telnet loginNote that in this case an email was generated to fc at all.net indicating that this password file was sent out. Similarly, a beeper can be beeped or other such notices given. Here's what the notice looks like:
From root@all.net Thu Apr 2 05:34:37 1998 Return-Path: root Received: (from root@localhost) by all.net ... Date: Thu, 2 Apr 1998 05:34:36 -0800 From: root. Reply-to: root . Message-Id: <199804021334.FAA08048@all.net> To: fc at all.net Subject: Urgent-Breakin-Attempt 23 4 Email fc at all.net Just sent a password file to an attacker - telnet login
127.0.0.1 25080 25 1998/03/18 18:59:18 27216 24816:4 listen.pl S0 Init - - - +1 - - 24816:4 - S0 NoInput 127.0.0.1 25060 11 1998/03/18 18:59:18 27214 24820:2 listen.pl S0 Init - - - +1 - - 24820:2 - S0 ChildSignal PIPE 127.0.0.1 25066 17 1998/03/18 18:59:18 27215 24819:2 listen.pl S0 Init - - - +1 - - 24819:2 - S0 WeClose 127.0.0.1 21 21 1998/03/18 18:59:21 27250 27250:1 listen.pl S0 127.0.0.1 23 23 1998/03/18 18:59:21 27249 27249:1 listen.pl S0 127.0.0.1 25675 79 1998/03/18 18:59:18 27222 24817:1 listen.pl S0 Init - - - +1 - - 24817:1 - S0 WeClose 127.0.0.1 80 80 1998/03/18 18:59:21 27273 27273:1 listen.pl S0 127.0.0.1 110 110 1998/03/18 18:59:21 27271 27271:1 listen.pl S0
0.0.0.0 11 11 1998/03/18 19:02:19 24820 24820:0 listen.pl S0 PortScan - - - +11 - - 24820:0 - S0 PortScan 0.0.0.0 17 17 1998/03/18 19:02:19 24819 24819:0 listen.pl S0 PortScan - - - +11 - - 24819:0 - S0 PortScan unknown 21 21 1998/03/18 19:02:20 27305 27305:1 listen.pl S0 unknown 23 23 1998/03/18 19:02:20 27306 27306:1 listen.pl S0 0.0.0.0 79 79 1998/03/18 19:02:21 24817 24817:0 listen.pl S0 PortScan - - - +10 - - 24817:0 - S0 PortScan unknown 80 80 1998/03/18 19:02:22 27344 27344:1 listen.pl S0 unknown 110 110 1998/03/18 19:02:22 27345 27345:1 listen.pl S0 unknown 21 21 1998/03/18 19:02:30 27363 27363:1 listen.pl S0 - - - +10 - - 24816:0 - S0 PortScan unknown 23 23 1998/03/18 19:02:30 27364 27364:1 listen.pl S0 unknown 80 80 1998/03/18 19:02:32 27402 27402:1 listen.pl S0 unknown 110 110 1998/03/18 19:02:32 27403 27403:1 listen.pl S0Note that wrappers indicates "Unknown" while listen indicates "0.0.0.0" for the same result.
127.0.0.1 30356 11 1998/03/18 19:04:27 27417 24820:3 listen.pl S0 Init - - - +0 - - 24820:3 - S0 ChildSignal PIPE 127.0.0.1 30727 25 1998/03/18 19:04:27 27419 24816:5 listen.pl S0 Init - - - +0 - - 24816:5 - S0 NoInput 127.0.0.1 30494 17 1998/03/18 19:04:27 27418 24819:3 listen.pl S0 Init - - - +0 - - 24819:3 - S0 WeClose 127.0.0.1 31802 79 1998/03/18 19:04:27 27435 24817:2 listen.pl S0 Init - - - +0 - - 24817:2 - S0 WeClose 127.0.0.1 23 23 1998/03/18 19:04:28 27469 27469:1 listen.pl S0 127.0.0.1 21 21 1998/03/18 19:04:28 27470 27470:1 listen.pl S0 127.0.0.1 80 80 1998/03/18 19:04:28 27475 27475:1 listen.pl S0 127.0.0.1 110 110 1998/03/18 19:04:28 27474 27474:1 listen.pl S0Note that undersized packet scans result in an almost instantaneous "WeClose" , "ChildSignal PIPE" or "NoInput" when it encounters "listen" ports, while TCP wrappers ports give no additional information.
127.0.0.1 2084 11 1998/03/18 19:19:49 27521 24820:4 listen.pl S0 Init - - - +0 - - 24820:4 - S0 ChildSignal PIPE 127.0.0.1 2252 25 1998/03/18 19:19:49 27534 24816:6 listen.pl S0 Init - - - +0 - - 24816:6 - S0 NoInput 127.0.0.1 2114 17 1998/03/18 19:19:49 27533 24819:4 listen.pl S0 Init - - - +0 - - 24819:4 - S0 WeClose 127.0.0.1 3413 79 1998/03/18 19:19:49 27535 24817:3 listen.pl S0 Init - - - +0 - - 24817:3 - S0 WeClose 127.0.0.1 110 110 1998/03/18 19:19:51 27577 27577:1 listen.pl S0 127.0.0.1 80 80 1998/03/18 19:19:51 27579 27579:1 listen.pl S0 127.0.0.1 23 23 1998/03/18 19:19:51 27580 27580:1 listen.pl S0 127.0.0.1 21 21 1998/03/18 19:19:51 27581 27581:1 listen.pl S0Note again the detection information provided by "listen" ports as opposed to wrappers ports.
127.0.0.1 15379 11 1998/03/18 19:25:17 27625 24820:5 listen.pl S0 Init - - - +0 - - 24819:5 - S0 WeClose 127.0.0.1 15395 25 1998/03/18 19:25:17 27627 24816:7 listen.pl S0 Init - - - +0 - - 24816:7 - S0 NoInput 127.0.0.1 15386 17 1998/03/18 19:25:17 27626 24819:5 listen.pl S0 Init - - - +0 - - 24820:5 - S0 ChildSignal PIPE 127.0.0.1 16419 79 1998/03/18 19:25:17 27628 24817:4 listen.pl S0 Init - - - +0 - - 24817:4 - S0 WeClose 127.0.0.1 110 110 1998/03/18 19:25:18 27680 27680:1 listen.pl S0 127.0.0.1 80 80 1998/03/18 19:25:18 27682 27682:1 listen.pl S0 127.0.0.1 23 23 1998/03/18 19:25:18 27683 27683:1 listen.pl S0 127.0.0.1 21 21 1998/03/18 19:25:18 27684 27684:1 listen.pl S0Note again the detection information provided by "listen" ports as opposed to wrappers ports.
127.0.0.1 21 21 1998/03/18 18:53:46 27166 27166:1 listen.pl S0 - - - +8 - - 27166:1 - S0 USER anonymous - - - +0 - - 27166:1 - S1 PASS -wwwuser@ - - - +2 - - 27166:1 - S2 PORT 1,2,3,4,0,1 - - - +0 - - 27166:1 - S2 LIST - - - +0 - - 27166:1 - S2 PORT 1,2,3,4,0,2 ... - - - +0 - - 27166:1 - S2 PORT 1,2,3,4,0,1023 - - - +0 - - 27166:1 - S2 LIST - - - +0 - - 27166:1 - S2 PORT 1,2,3,4,0,1024 - - - +0 - - 27166:1 - S2 LIST ...The PORT commands indicate the attempt to have this machine 127.0.0.1 scan a remote machine (1.2.3.4). The results to the person doing the scan indicates that all ports are open on all machines in any network. An enhanced deception on the FTP port can produce any desired subset and limit results to particular machine classes. For example, the following additions to state 2 of 21.respond are designed to make it appear as if only the machines listed have only the services described:
# State Pattern NexStat Exit lf/file output/filename 2 /^[Pp][Oo][Rr][Tt]\s1,2,3,7,[0-9]+,25/ 2 1 1 220 - OK 2 /^[Pp][Oo][Rr][Tt]\s1,2,3,8,[0-9]+,25/ 2 1 1 220 - OK 2 /^[Pp][Oo][Rr][Tt]\s1,2,3,1[3-5],[0-9]+,53/ 2 1 1 220 - OK ... 2 port 2 1 1 520 - UnreachableThe last line should replace the previous state 2 "port" response. A good deception might follow this up with deception services on those IP addresses and ports, designed to reveal known flaws of different sorts that help determine the attacker's sophistocation level and persistence and help to track the attacker's behavior, capabilities, and source. Note also that the source of the FTP bounce scan is apparent in the log.