From: dtk@all.net
Reply-to: dtk@all.net
Organization: Deception ToolKit Mailing List
Subject: DTK Mailing List 19990409
---------------------------------------------
Subject: Where probes on my systems come from:
From: Fred Cohen
Date: Fri, 9 Apr 1999 19:44:44 -0700 (PDT)

I thought the readers might be interested in how many probes DTK detects on my (once random and unknown) Internet site, and where they come from. Here they are... representing attempts over a 5-month period (give or take).

Total records - about 1500 records over 150 days, or an average of 10 records per day.
Each attempt - on average takes about 2 records, for an average of about 5 attempts per day.

Service  Records  Name of service
     11       23  systat
    110       66  pop3
   1111       99  who knows
  12345      221  Netbus
  12346        8  Netbus
     17       27  qotd
   2049        3  random port scan detection
     21      271  ftp
     23      302  telnet
     25      274  smtp
    365       71  DTK
    421       36  wrappers attack
   5999        1  random port scan detection
   6001        8  X11
     70        4  gopher
     79       61  finger
   8000        2  non-system web service
    893        2  random port scan detection

Also... I thought you would like to know what the cgi-bin exploiters are now looking for. First a port scan...

  '209.142.33.65', '20949', '79', '1999/04/10 16:55:49', '21004', '148', '6', 'listen.pl', 'S0', 'R-Peace', 'Init'
  '209.142.33.65', '20949', '79', '1999/04/10 16:55:49', '21004', '148', '6', 'listen.pl', 'S0', 'RIndicators-Indicators', 'WeClose'
  '209.142.33.65', '110', '110', '1999/04/10 16:55:52', '21005', '21005', '1', 'Generic.pl', 'S0', 'R-Peace', 'root in.pop3d unknown'
  '209.142.33.65', '21', '21', '1999/04/10 16:55:53', '21008', '21008', '1', 'Generic.pl', 'S0', 'R-Peace', 'root wu.ftpd unknown'
  '209.142.33.65', '110', '110', '1999/04/10 16:55:53', '21005', '21005', '1', 'Generic.pl', 'S0', 'RTension-Tension', 'TheyQuit'
  '209.142.33.65', '21', '21', '1999/04/10 16:55:53', '21008', '21008', '1', 'Generic.pl', 'S0', 'RTension-Tension', 'TheyQuit'
  '209.142.33.65', '25', '25', '1999/04/10 16:55:53', '21006', '21006', '1', 'Generic.pl', 'S0', 'R-Peace', 'root in.smtpd unknown'
  '209.142.33.65', '25', '25', '1999/04/10 16:55:58', '21006', '21006', '1', 'Generic.pl', 'S0', 'RTension-Tension', 'TheyQuit'
  '209.142.33.65', '110', '110', '1999/04/10 16:56:08', '21022', '21022', '1', 'Generic.pl', 'S0', 'R-Peace', 'root in.pop3d unknown'
  '209.142.33.65', '25', '25', '1999/04/10 16:56:12', '21023', '21023', '1', 'Generic.pl', 'S0', 'R-Peace', 'root in.smtpd unknown'

Then - when port 80 is found... This tool looks like it uses a series of GET commands with a 5-second sleep between attempts to detect cgi-bin scripts.

  '1999/04/10 16:56:01','Allow','209.142.33.65','root','thttpd','Internet','',''
  '1999/04/10 16:56:17','Allow','209.142.33.65','root','thttpd','Internet','GET /cgi-bin/phf
  '1999/04/10 16:56:25','Allow','209.142.33.65','root','thttpd','Internet','GET /cgi-bin/Count.cgi
  '1999/04/10 16:56:39','Allow','209.142.33.65','root','thttpd','Internet','GET /cgi-bin/test-cgi
  '1999/04/10 16:56:44','Allow','209.142.33.65','root','thttpd','Internet','GET /cgi-bin/php.cgi
  '1999/04/10 16:56:51','Allow','209.142.33.65','root','thttpd','Internet','GET /cgi-bin/handler
  '1999/04/10 16:57:07','Allow','209.142.33.65','root','thttpd','Internet','GET /cgi-bin/webgais
  '1999/04/10 16:57:12','Allow','209.142.33.65','root','thttpd','Internet','GET /cgi-bin/websendmail
  '1999/04/10 16:57:17','Allow','209.142.33.65','root','thttpd','Internet','GET /cgi-bin/webdist.cgi
  '1999/04/10 16:57:24','Allow','209.142.33.65','root','thttpd','Internet','GET /cgi-bin/faxsurvey
  '1999/04/10 16:57:31','Allow','209.142.33.65','root','thttpd','Internet','GET /cgi-bin/htmlscript
  '1999/04/10 16:57:47','Allow','209.142.33.65','root','thttpd','Internet','GET /cgi-bin/pfdisplay.cgi
  '1999/04/10 16:57:52','Allow','209.142.33.65','root','thttpd','Internet','GET /cgi-bin/perl.exe
  '1999/04/10 16:57:57','Allow','209.142.33.65','root','thttpd','Internet','GET /cgi-bin/wwwboard.pl

Then a finger...

  '209.142.33.65', '11147', '79', '1999/04/10 16:59:15', '21109', '148', '7', 'listen.pl', 'S0', 'R-Peace', 'Init'
  '209.142.33.65', '11147', '79', '1999/04/10 16:59:15', '21109', '148', '7', 'listen.pl', 'S0', 'RIndicators-Indicators', 'WeClose'

Then...

  '1999/04/10 16:59:22','Allow','209.142.33.65','root','thttpd','Internet','GET /cgi-bin/ews/ews/architext_query.pl
  '1999/04/10 16:59:30','Allow','209.142.33.65','root','thttpd','Internet','GET /cgi-bin/jj
  '1999/04/10 16:59:31','Allow','209.142.33.65','root','thttpd','Internet','',''

Note... The cgi-bin data was run through a different Web server I have that does not fake CGI-BIN responses.
--
Fred Cohen & Associates: http://all.net - fred at all.net - tel/fax:925-454-0171
Have a great day!!!
---------------------------------------------
[Note - anyone else wanting to provide statistics, they will also be anonymized for your protection]

From:
Subject: prosecution, dtk and current events
Date: Fri, 9 Apr 1999 17:24:15 -0700

Fred,

Has any dtk user successfully prosecuted intrusion attempts onto the dtk server, or has the use generally been intelligence gathering?

BTW, I started to look at an ftp server and for 1Q99 I had 49 password attacks.
  12 in Jan
  16 in Feb
  21 in Mar (number was climbing until I put up ACL)
88% or 43 were from external sites (only traced back to 1st IP)
  12 Foreign
  28 Domestic
Total 46 password cracking attacks
Total 03 password guessing attacks (Hungary, Israel, Orange CO, CA)
347 other incidents
  browsing and downloading "interesting" files
  connecting but not taking any files
  unknown number of ftpd buffer overflow attempts

Interesting to note that after the ACL was in place restricting anonymous access, I denied 900 access attempts in 9 days. Source IPs included: Macedonia, Slovakia, South Africa, Denmark, Canada, Italy, Finland, Israel, Spain, Thailand, Chile, Austria, Australia, Japan, Argentina, Brazil etc.

Some of the sites will respond quickly to cute or humorous access denial messages, which gives you some idea of the wetware behind them. Others appear automated. One thing for sure is that something is up. A lot of this could be diversionary because it really makes no sense unless the goal is to raise the noise level. On the other hand LOTs of data is being collected and depending upon how it gets put together there may be trouble brewing for 1 January 2000.
---------------------------------------------
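The scan-then-sweep sequence in Fred Cohen's records above, as an added detection example that is not part of the digest or of DTK itself: it parses both record layouts quoted in the post (field positions are assumed from those records, and thttpd rows are assumed to be port 80 hits) over a constructed sample, flags a source that touches several service ports inside one window, and reports how many /cgi-bin/ GETs that source issued and the mean spacing between them.

```python
import csv
from collections import defaultdict
from datetime import datetime

# Constructed sample in the two record layouts quoted in the post: listen.pl/Generic.pl
# rows (source IP, source port, service port, time, ...) and thttpd rows (time, action,
# source IP, user, server, zone, request). Field positions are assumed from those records.
SAMPLE_LOG = """\
'209.142.33.65', '20949', '79', '1999/04/10 16:55:49', '21004', '148', '6', 'listen.pl', 'S0', 'R-Peace', 'Init'
'209.142.33.65', '110', '110', '1999/04/10 16:55:52', '21005', '21005', '1', 'Generic.pl', 'S0', 'R-Peace', 'root in.pop3d unknown'
'209.142.33.65', '21', '21', '1999/04/10 16:55:53', '21008', '21008', '1', 'Generic.pl', 'S0', 'R-Peace', 'root wu.ftpd unknown'
'1999/04/10 16:56:17','Allow','209.142.33.65','root','thttpd','Internet','GET /cgi-bin/phf'
'1999/04/10 16:56:25','Allow','209.142.33.65','root','thttpd','Internet','GET /cgi-bin/Count.cgi'
'1999/04/10 16:56:39','Allow','209.142.33.65','root','thttpd','Internet','GET /cgi-bin/test-cgi'
'1999/04/10 16:57:00','Allow','10.0.0.7','root','thttpd','Internet','GET /index.html'
"""
TS = "%Y/%m/%d %H:%M:%S"

def parse(log_text):
    """Yield (time, source_ip, service_port, request) for a record of either layout."""
    for row in csv.reader(log_text.splitlines(), quotechar="'", skipinitialspace=True):
        if "/" in row[0]:  # web rows start with the timestamp; assumed to be port 80 hits
            yield datetime.strptime(row[0], TS), row[2], 80, row[6]
        else:              # listen.pl/Generic.pl rows start with the source IP
            yield datetime.strptime(row[3], TS), row[0], int(row[2]), ""

def find_scans(log_text, min_ports=3, window_s=60):
    """Map source IP -> distinct service ports it touched within window_s of its first record."""
    first, ports = {}, defaultdict(set)
    for t, ip, port, _ in sorted(parse(log_text)):
        first.setdefault(ip, t)
        if (t - first[ip]).total_seconds() <= window_s:
            ports[ip].add(port)
    return {ip: sorted(p) for ip, p in ports.items() if len(p) >= min_ports}

def find_cgi_sweeps(log_text, min_probes=3):
    """Map source IP -> (number of /cgi-bin/ GETs, mean seconds between them)."""
    probes = defaultdict(list)
    for t, ip, _, req in sorted(parse(log_text)):
        if req.startswith("GET /cgi-bin/"):
            probes[ip].append(t)
    sweeps = {}
    for ip, times in probes.items():
        if len(times) >= min_probes:
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            sweeps[ip] = (len(times), sum(gaps) / len(gaps))
    return sweeps

if __name__ == "__main__":
    print("port scans:", find_scans(SAMPLE_LOG))
    print("cgi-bin sweeps:", find_cgi_sweeps(SAMPLE_LOG))
```

On the sample the scanning host is flagged for four service ports and a three-probe /cgi-bin/ sweep with an 11-second mean gap, while the host fetching only /index.html is not.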