From: dtk@all.net
Reply-to: dtk@all.net
Organization: Deception ToolKit Mailing List
Subject: DTK Mailing List 19990412
---------------------------------------------
Date: Mon, 12 Apr 1999 17:14:56 -0700
From: Frank Keeney
Subject: Probes on TCP 10752

A few months ago I started seeing probes to TCP port 10752. So I created a deception to find out what was being attempted. I was told that this was a backdoor that is installed after a successful buffer overflow. I've also added a deception for UDP 111. First you see the attempts on UDP 111, then TCP 10752 and then a telnet attempt. You see this pattern twice since this host has more than one IP address.

---------------------------------------------------------------------------------
24.4.79.47 111 111 570 570:1 UDPlisten.pl S0 24.4.79.47(954):7v^\s
24.4.79.47 111 111 570 570:1 UDPlisten.pl S0 24.4.79.47(954):7v^\s
24.4.79.47 111 111 570 570:1 UDPlisten.pl S0 24.4.79.47(954):7v^\s
24.4.79.47 111 111 570 570:1 UDPlisten.pl S0 24.4.79.47(954):7v^\s
24.4.79.47 111 111 570 570:1 UDPlisten.pl S0 24.4.79.47(954):7v^\s
24.4.79.47 111 111 570 570:1 UDPlisten.pl S0 24.4.79.47(954):7v^\s
24.4.79.47 111 111 570 570:1 UDPlisten.pl S0 24.4.79.47(954):7v^\s
24.4.79.47 111 111 570 570:1 UDPlisten.pl S0 24.4.79.47(954):7v^\s
24.4.79.47 111 111 570 570:1 UDPlisten.pl S0 24.4.79.47(954):7v^\s
24.4.79.47 111 111 570 570:1 UDPlisten.pl S0 24.4.79.47(954):7v^\s
24.4.79.47 111 111 570 570:1 UDPlisten.pl S0 24.4.79.47(954):7v^\s
24.4.79.47 111 111 570 570:1 UDPlisten.pl S0 24.4.79.47(954):7v^\s
24.4.79.47 30793 10752 13874 534:1 listen.pl S0 Init
24.4.79.47 30793 10752 13874 534:1 listen.pl S0 trap '' SIGALRM SIGTRAP
24.4.79.47 30793 10752 13874 534:1 listen.pl S0 PATH=/usr/local/bin:/bin:/usr/bin:/sbin:/usr/sbin;export PATH
24.4.79.47 30793 10752 13874 534:1 listen.pl S0 /usr/sbin/rpc.mountd >/etc/passwd;rm -rf /etc/securetty;exit;
24.4.79.47 111 111 570 570:1 UDPlisten.pl S0 24.4.79.47(966):7v^]N
24.4.79.47 111 111 570 570:1 UDPlisten.pl S0 24.4.79.47(966):7v^]N
24.4.79.47 111 111 570 570:1 UDPlisten.pl S0 24.4.79.47(966):7v^]N
24.4.79.47 111 111 570 570:1 UDPlisten.pl S0 24.4.79.47(966):7v^]N
24.4.79.47 111 111 570 570:1 UDPlisten.pl S0 24.4.79.47(966):7v^]N
24.4.79.47 111 111 570 570:1 UDPlisten.pl S0 24.4.79.47(966):7v^]N
24.4.79.47 23 23 13966 13966:1 Telnet.pl S0
24.4.79.47 23 23 13966 13966:1 Telnet.pl S0 moof
24.4.79.47 111 111 570 570:1 UDPlisten.pl S0 24.4.79.47(966):7v^]N
24.4.79.47 23 23 13966 13966:1 Telnet.pl S0 mooof
24.4.79.47 111 111 570 570:1 UDPlisten.pl S0 24.4.79.47(966):7v^]N
24.4.79.47 23 23 13966 13966:1 Telnet.pl S0 moof
24.4.79.47 23 23 13966 13966:1 Telnet.pl S0 moof
24.4.79.47 23 23 13966 13966:1 Telnet.pl S0 moof
24.4.79.47 23 23 13966 13966:1 Telnet.pl S0 moof
24.4.79.47 23 23 13966 13966:1 Telnet.pl S0 moof
24.4.79.47 111 111 570 570:1 UDPlisten.pl S0 24.4.79.47(966):7v^]N
24.4.79.47 23 23 13966 13966:1 Telnet.pl S0 moof
24.4.79.47 111 111 570 570:1 UDPlisten.pl S0 24.4.79.47(966):7v^]N
24.4.79.47 111 111 570 570:1 UDPlisten.pl S0 24.4.79.47(966):7v^]N
24.4.79.47 30795 10752 14394 534:2 listen.pl S0 Init
24.4.79.47 30795 10752 14394 534:2 listen.pl S0 trap '' SIGALRM SIGTRAP
24.4.79.47 30795 10752 14394 534:2 listen.pl S0 PATH=/usr/local/bin:/bin:/usr/bin:/sbin:/usr/sbin;export PATH
24.4.79.47 30795 10752 14394 534:2 listen.pl S0 /usr/sbin/rpc.mountd >/etc/passwd;rm -rf /etc/securetty;exit;
24.4.79.47 23 23 14407 14407:1 Telnet.pl S0
24.4.79.47 23 23 14407 14407:1 Telnet.pl S0 moof
24.4.79.47 111 111 570 570:1 UDPlisten.pl S0 24.4.79.47(1010):7tH^H
24.4.79.47 111 111 570 570:1 UDPlisten.pl S0 24.4.79.47(1010):7tH^H

I've since added the userid moof to the telnet deception.

10752.response:
# listens to input and records it - useful for learning what to expect from a protocol
#State Input Next Cont CRLF Message
#------------------------------------------------------------------------------
UDP START UDP 1 1
UDP ERROR UDP 1 1
UDP NIL UDP 1 1
0 START 0 1 1
0 ERROR 0 1 1
0 NIL 0 1 1

111.response:
# listens to input and records it - useful for learning what to expect from a protocol
#State Input Next Cont CRLF Message
#------------------------------------------------------------------------------
UDP START UDP 1 1
UDP ERROR UDP 1 1
UDP NIL UDP 1 1
0 START 0 1 1
0 ERROR 0 1 1
0 NIL 0 1 1

No need to post this anonymously. The host is not at Home Savings of America. :-)
-- 
+++++++++++++++++++++++++++++++++++++++++++++++++++++++
Frank Keeney, Network Services, Home Savings of America
+1 626-814-5080 mailto:fkeeney@hsa.com
+++++++++++++++++++++++++++++++++++++++++++++++++++++++
---------------------------------------------
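As an added example (not part of the post above and not DTK's own code), here is a small Python correlator that reads log lines in the layout the post shows and flags a remote host that probes UDP 111 and then reaches the TCP 10752 deception, the sequence the post describes. The field layout (remote IP, remote port, local port, two numeric fields, handler script, state, captured input) is assumed from the lines above, and the sample lines are constructed from them.

```python
import re
from collections import defaultdict

# Constructed sample lines in the layout seen in the post: remote IP, remote port,
# local port, two numeric fields, handler script, state, then the captured input.
SAMPLE_LOG = """\
24.4.79.47 111 111 570 570:1 UDPlisten.pl S0 24.4.79.47(954):7v^\\s
24.4.79.47 30793 10752 13874 534:1 listen.pl S0 Init
24.4.79.47 30793 10752 13874 534:1 listen.pl S0 trap '' SIGALRM SIGTRAP
24.4.79.47 30793 10752 13874 534:1 listen.pl S0 /usr/sbin/rpc.mountd >/etc/passwd;rm -rf /etc/securetty;exit;
24.4.79.47 23 23 13966 13966:1 Telnet.pl S0 moof
10.0.0.5 2020 80 42 42:1 listen.pl S0 GET / HTTP/1.0
"""
LINE_RE = re.compile(r"^(\S+) (\d+) (\d+) (\d+) (\S+) (\S+) (\S+)(?: (.*))?$")  # input may be empty
SHELL_MARKERS = ("trap ''", "export PATH", ">/etc/passwd", "rm -rf")  # seen on the 10752 deception

def parse_line(line):
    """Return the fields of one DTK log line, or None if it does not fit the assumed layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, sport, dport, _, _, handler, state, data = m.groups()
    return {"ip": ip, "sport": int(sport), "dport": int(dport),
            "handler": handler, "state": state, "data": data or ""}

def correlate(log_text):
    """Map each remote IP to the attack stages it reached, in first-seen order."""
    stages = defaultdict(list)
    def note(ip, stage):
        if stage not in stages[ip]:
            stages[ip].append(stage)
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        if rec["handler"] == "UDPlisten.pl" and rec["dport"] == 111:
            note(rec["ip"], "portmap-probe")
        elif rec["dport"] == 10752:
            note(rec["ip"], "backdoor-connect")
            if any(mark in rec["data"] for mark in SHELL_MARKERS):
                note(rec["ip"], "backdoor-commands")
        elif rec["handler"] == "Telnet.pl" and rec["data"].strip():
            note(rec["ip"], "telnet-login:" + rec["data"].strip())
    return dict(stages)

def alerts(log_text):
    """Sources that probed the portmapper and then reached the 10752 backdoor port."""
    hits = []
    for ip, seen in correlate(log_text).items():
        if ("portmap-probe" in seen and "backdoor-connect" in seen
                and seen.index("portmap-probe") < seen.index("backdoor-connect")):
            hits.append((ip, seen))
    return hits
```

Running `alerts(SAMPLE_LOG)` reports 24.4.79.47 with the four stages in order; the unrelated HTTP line from 10.0.0.5 produces nothing.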