[Dshield] Increase in Sub Seven's

Thomas Liston tliston at premmag.com
Tue Jun 18 19:26:21 GMT 2002


If I were you, I'd try LaBrea... ;-)

See http://www.hackbusters.net

There is a nice perl module that makes tracking connections to the 
tarpit and reporting to DShield easy.

If that isn't your cup o' tea, see Lance Spitzner's site:

http://www.enteract.com/~lspitz/honeypot.html

for more information on honeypots in general.

-TL

On 18 Jun 2002 at 13:57, Paul Marsh wrote:

> Speaking of honeypots, I want to create one.  Are there any sites out there
> that talk about configuring one and what tools I should use to capture any
> and all data?
> 
> Thanx, Paul
> -----Original Message-----
> From: Johannes Ullrich [mailto:jullrich at sans.org]
> Sent: Tuesday, June 18, 2002 10:12 AM
> To: list at dshield.org
> Cc: Mdlijster at prioritytelecom.com
> Subject: Re: [Dshield] Increase in Sub Seven's
> 
> 
> > Yes, I get them too, but since May and from all over the globe.
> > But it seems they come in "batches". Some days I see five to ten of them,
> > some days none.
> > In May I even had Sub Seven's arriving, directly followed by Netbus's from
> > the same addresses.
> 
> Does anybody have honeypot captures of this activity? If you
> need my good old perl honeypot, let me know. Subseven probes
> usually come from IRC bots and try to get SubSeven to download
> some other piece of malware.
> 
> 
> -- 
> ---------------------------------------------------------------
> jullrich at sans.org             Collaborative Intrusion Detection
>                                     join http://www.dshield.org
> 


Tom Liston, GSEC
Network Administrator
Prem Magnetics, Inc.
tliston at premmag.com
tliston at hackbusters.net



