[Dshield] Honey pot captures on port 1433

Jon R. Kibler Jon.Kibler at aset.com
Wed May 22 16:11:23 GMT 2002

Several weeks ago we set a honey pot on port 1433. We have captured several examples of the attack. There appear to be three different patterns. This somewhat agrees with other postings I have seen to the list, but we have seen some variations. These variations may be due to the dumbness of our honey pot.

Hits on 1433 fall into three categories:
	1) Immediately drop the connection as soon as the honey pot tries to read on the port.
	2) Two data transfers: 512 bytes followed by 71 bytes, followed by connection closing.
	3) A single data transfer of 52 bytes followed by the connection closing.

There seem to be several differences among each connection's data -- probably due to the originating IP, but also it sometimes appears that there are different worms attacking.

I am attaching a tar.gz file containing some samples. The *.sp files are the actual data captures and the *.tx files are the strings extracts from the corresponding *.sp files.

Hope this helps. Please let me know your conclusions.

Jon R. Kibler
Systems Architect
Jon.Kibler at aset.com

Advanced Systems Engineering Technology, Inc.
389 Johnnie Dodds Blvd., Suite 205
Mt. Pleasant, SC 29464-2969  (Charleston)

Phone:	(843) 849-8214
Fax:	(843) 849-8215
-------------- next part --------------
A non-text attachment was scrubbed...
Name: port1433.tar.gz
Type: application/x-gzip
Size: 710 bytes
Desc: not available
Url : http://www.dshield.org/pipermail/list/attachments/20020522/2c65db05/port1433.tar.bin
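As an added illustration (not the honey pot Jon ran, and not part of the original post), the listener below records the payload sizes seen on each accepted connection and buckets them into the three patterns the post reports; the thresholds (512+71, 52, and a drop before any data) come straight from the post, while the listener itself, the port default and the function names are assumptions.

```python
"""Minimal port-1433 capture helper: record per-connection payload sizes
and bucket them into the three patterns reported on the list.
Added example, not the poster's own honey pot code."""
import socket
from typing import Dict, List

def classify(transfers: List[int]) -> str:
    """Map the sequence of payload sizes read on one connection to one of
    the three patterns from the post. Anything else is flagged as a
    variation so the raw capture can be kept for a closer look."""
    if not transfers:
        return "drop-on-read"   # pattern 1: peer closes as soon as we try to read
    if transfers == [512, 71]:
        return "512+71"         # pattern 2: two transfers, then close
    if transfers == [52]:
        return "52"             # pattern 3: one 52-byte transfer, then close
    return "other"              # note: TCP may merge/split reads, so inspect these

def serve_one(conn: socket.socket, max_reads: int = 8) -> List[int]:
    """Read whatever the peer sends on one accepted connection and return
    the list of payload sizes; the socket is closed when done."""
    sizes: List[int] = []
    conn.settimeout(5.0)        # assumed: worms here do not linger
    try:
        for _ in range(max_reads):
            data = conn.recv(4096)
            if not data:        # orderly close by the peer
                break
            sizes.append(len(data))
    except (socket.timeout, ConnectionResetError):
        pass                    # reset or silence counts as end of data
    finally:
        conn.close()
    return sizes

def run(port: int = 1433, count: int = 3) -> Dict[str, int]:
    """Accept `count` connections on `port` and tally the patterns seen."""
    tally: Dict[str, int] = {}
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", port))
        srv.listen(5)
        for _ in range(count):
            conn, peer = srv.accept()
            label = classify(serve_one(conn))
            print(peer[0], label)
            tally[label] = tally.get(label, 0) + 1
    return tally

if __name__ == "__main__":
    run()
```

Binding to 1433 needs root on most systems; an "other" label rather than "512+71" for a single 583-byte read is the stream-coalescing case the comment warns about.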
