The scan for December, 2000. This month's challenge was to decode two exploits launched against the same honeypot in the same morning.
The Challenge:
The Results:
On 17 January, Daniel Martin released an excellent writeup on the Ramen worm, which bears a remarkable resemblance to this attack.
Writeups from the Honeynet Project members
Bonus Question: What is the password of the first account created?
Writeups from the Security Community
Snort signatures, developed by Max Vision, that will detect these scans and attacks:
alert TCP $EXTERNAL 10101 -> $INTERNAL any (msg: "IDS439/probe-myscan"; ttl: >220; ack: 0; flags: S;)
alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS440/ftp-wuftp260-linux-venglin-parbobek"; flags: AP; content: "|2e2e3131|venglin@";)
alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS442/rpc-statdx-exploit"; flags: AP; content: "/bin|c74604|/sh";)