[Dshield] spam-maker program & a honeypot hunter too

Andy Streule andy.streule at lythamhigh.lancs.sch.uk
Fri Mar 12 14:10:26 GMT 2004


I wonder how it decides a proxy is a honeypot.

Just tried with our proxy and it made a connect request to itself on port 25:

192.168.0.8 - - [12/Mar/2004:13:54:12 +0000] "CONNECT 192.168.0.8:25 HTTP/1.0" 403 1408 TCP_DENIED:NONE

although CONNECT requests are blocked on our proxy.

~Andy


Frame 21 (89 bytes on wire, 89 bytes captured)
    Arrival Time: Mar 12, 2004 14:05:51.225757000
    Time delta from previous packet: 0.239424000 seconds
    Time since reference or first frame: 3.938612000 seconds
    Frame Number: 21
    Packet Length: 89 bytes
    Capture Length: 89 bytes
Ethernet II, Src: 00:50:ba:b2:3b:35, Dst: 00:10:5a:3b:39:cd
    Destination: 00:10:5a:3b:39:cd (3com_3b:39:cd)
    Source: 00:50:ba:b2:3b:35 (D-Link_b2:3b:35)
    Type: IP (0x0800)
Internet Protocol, Src Addr: 192.168.0.8 (192.168.0.8), Dst Addr: 192.168.0.88 (192.168.0.88)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 75
    Identification: 0xeb03 (60163)
    Flags: 0x04
        0... = Reserved bit: Not set
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: TCP (0x06)
    Header checksum: 0x8df8 (correct)
    Source: 192.168.0.8 (192.168.0.8)
    Destination: 192.168.0.88 (192.168.0.88)
Transmission Control Protocol, Src Port: 2644 (2644), Dst Port: 3128 (3128), Seq: 1, Ack: 1, Len: 35
    Source port: 2644 (2644)
    Destination port: 3128 (3128)
    Sequence number: 1
    Next sequence number: 36
    Acknowledgement number: 1
    Header length: 20 bytes
    Flags: 0x0018 (PSH, ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgment: Set
        .... 1... = Push: Set
        .... .0.. = Reset: Not set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 65535
    Checksum: 0x4c85 (correct)
Hypertext Transfer Protocol
    CONNECT 192.168.0.8:25 HTTP/1.0\r\n
        Request Method: CONNECT
    \r\n

0000  00 10 5a 3b 39 cd 00 50 ba b2 3b 35 08 00 45 00   ..Z;9..P..;5..E.
0010  00 4b eb 03 40 00 80 06 8d f8 c0 a8 00 08 c0 a8   .K..@...........
0020  00 58 0a 54 0c 38 63 f6 02 2d 70 72 27 d3 50 18   .X.T.8c..-pr'.P.
0030  ff ff 4c 85 00 00 43 4f 4e 4e 45 43 54 20 31 39   ..L...CONNECT 19
0040  32 2e 31 36 38 2e 30 2e 38 3a 32 35 20 48 54 54   2.168.0.8:25 HTT
0050  50 2f 31 2e 30 0d 0a 0d 0a                        P/1.0....
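The frame above is the whole probe on the wire: one Ethernet/IPv4/TCP segment carrying a CONNECT request back to the client's own address on port 25. As an added example (not part of Andy's post or of any tool mentioned in the thread), the following Python decodes that hex dump, verifies the IPv4 header checksum the dissector reports as correct (0x8df8), and pulls out the HTTP request line so the same check could be applied to a capture from any proxy. The dump text is copied from the post; the field layout assumed is plain Ethernet II with no VLAN tag and no IP options.

```python
import re
import struct

# The frame from the post (Ethernet II / IPv4 / TCP / HTTP CONNECT), copied from
# the hex dump above. Only the hex column is parsed; the ASCII column is ignored.
FRAME_DUMP = """\
0000  00 10 5a 3b 39 cd 00 50 ba b2 3b 35 08 00 45 00   ..Z;9..P..;5..E.
0010  00 4b eb 03 40 00 80 06 8d f8 c0 a8 00 08 c0 a8   .K..@...........
0020  00 58 0a 54 0c 38 63 f6 02 2d 70 72 27 d3 50 18   .X.T.8c..-pr'.P.
0030  ff ff 4c 85 00 00 43 4f 4e 4e 45 43 54 20 31 39   ..L...CONNECT 19
0040  32 2e 31 36 38 2e 30 2e 38 3a 32 35 20 48 54 54   2.168.0.8:25 HTT
0050  50 2f 31 2e 30 0d 0a 0d 0a                        P/1.0....
"""

# One dump line: 4-digit offset, two spaces, up to 16 hex byte pairs. Capping at
# 16 pairs keeps the ASCII column from ever being read as hex.
DUMP_LINE = re.compile(r"^\s*[0-9a-fA-F]{4}\s{2}((?:[0-9a-fA-F]{2}\s?){1,16})")


def parse_hexdump(text: str) -> bytes:
    """Turn an ethereal/tcpdump-style hex dump back into raw frame bytes."""
    out = bytearray()
    for line in text.splitlines():
        m = DUMP_LINE.match(line)
        if m:
            out += bytes.fromhex(m.group(1))
    return bytes(out)


def ip_checksum(header: bytes) -> int:
    """RFC 1071 ones-complement checksum of an IPv4 header (checksum field zeroed)."""
    h = header[:10] + b"\x00\x00" + header[12:]
    if len(h) % 2:
        h += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(h) // 2), h))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_frame(frame: bytes) -> dict:
    """Decode Ethernet II -> IPv4 -> TCP and return the interesting fields."""
    eth_type = struct.unpack("!H", frame[12:14])[0]
    if eth_type != 0x0800:
        raise ValueError("not an IPv4 frame: ethertype 0x%04x" % eth_type)
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                # header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    stored = struct.unpack("!H", ip[10:12])[0]
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4           # TCP header length in bytes
    payload = tcp[data_off:]
    return {
        "ip_src": ".".join(str(b) for b in ip[12:16]),
        "ip_dst": ".".join(str(b) for b in ip[16:20]),
        "ip_proto": ip[9],
        "ip_checksum_stored": stored,
        "ip_checksum_ok": ip_checksum(ip[:ihl]) == stored,
        "tcp_sport": sport,
        "tcp_dport": dport,
        "tcp_flags": tcp[13],
        "payload": payload,
    }


def request_line(payload: bytes) -> str:
    """First line of the HTTP request carried in the segment, if any."""
    return payload.split(b"\r\n", 1)[0].decode("ascii", "replace")


if __name__ == "__main__":
    info = decode_frame(parse_hexdump(FRAME_DUMP))
    print("%s:%d -> %s:%d  ip-csum=0x%04x ok=%s" % (
        info["ip_src"], info["tcp_sport"], info["ip_dst"], info["tcp_dport"],
        info["ip_checksum_stored"], info["ip_checksum_ok"]))
    print("request:", request_line(info["payload"]))
```

Running it prints the 192.168.0.8:2644 to 192.168.0.88:3128 segment with the checksum confirmed and the request line `CONNECT 192.168.0.8:25 HTTP/1.0`, which is the same string the proxy logged and denied.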

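The log line Andy quotes is exactly what a proxy administrator would want an alert on: a CONNECT tunnel request to port 25, aimed back at the client that sent it, which is how an open-proxy tester checks whether the proxy will relay for it. As an added example (not from the post or from any tool named in the thread), this Python scans Squid access.log lines in the common-log style shown above and flags CONNECT requests that go to the SMTP port or connect back to the requesting client, reporting whether the proxy actually allowed the tunnel. The sample lines are constructed: the first is Andy's, the others are made up to show a normal GET, an allowed relay to an outside mail server (the case that matters), and a legitimate HTTPS tunnel.

```python
import re

# Constructed sample of Squid access.log lines in the "common log" style seen
# in the post. Line 1 is the one from the post; lines 2-4 are made up.
SAMPLE_LOG = """\
192.168.0.8 - - [12/Mar/2004:13:54:12 +0000] "CONNECT 192.168.0.8:25 HTTP/1.0" 403 1408 TCP_DENIED:NONE
192.168.0.23 - - [12/Mar/2004:13:55:01 +0000] "GET http://www.example.com/ HTTP/1.0" 200 5120 TCP_MISS:DIRECT
192.168.0.8 - - [12/Mar/2004:13:56:44 +0000] "CONNECT 203.0.113.10:25 HTTP/1.0" 200 0 TCP_MISS:DIRECT
192.168.0.41 - - [12/Mar/2004:13:57:02 +0000] "CONNECT www.example.com:443 HTTP/1.1" 200 3080 TCP_MISS:DIRECT
"""

# client ident user [timestamp] "METHOD target HTTP/x.y" status bytes result
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) (?P<result>\S+)\s*$'
)

# Ports a forward proxy has no business tunnelling to. 25 is the one the probe
# in the post targets, because an SMTP relay is what a spammer is looking for.
SUSPICIOUS_TUNNEL_PORTS = {25}


def parse_line(line: str):
    """Parse one access.log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["bytes"] = int(entry["bytes"])
    return entry


def split_target(target: str):
    """Split a CONNECT target 'host:port' into (host, port); port None if absent."""
    host, sep, port = target.rpartition(":")
    if not sep or not port.isdigit():
        return target, None
    return host, int(port)


def probe_reasons(entry: dict) -> list:
    """Why this CONNECT request looks like an open-proxy probe (empty if it does not)."""
    reasons = []
    if entry["method"] != "CONNECT":
        return reasons
    host, port = split_target(entry["target"])
    if port in SUSPICIOUS_TUNNEL_PORTS:
        reasons.append("tunnel to port %d" % port)
    if host == entry["client"]:
        # The tester asks the proxy to connect back to the tester's own host,
        # which is how it learns whether the proxy relays at all.
        reasons.append("connect-back to requesting client")
    return reasons


def scan(log_text: str) -> list:
    """Return one finding per suspicious CONNECT; 'allowed' is the part to act on."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = probe_reasons(entry)
        if reasons:
            findings.append({
                "client": entry["client"],
                "target": entry["target"],
                "status": entry["status"],
                "result": entry["result"],
                "allowed": entry["status"] == 200,   # 200 on CONNECT = tunnel opened
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        state = "ALLOWED" if f["allowed"] else "denied"
        print("%s %s -> %s (%s): %s" % (
            state, f["client"], f["target"], f["result"], "; ".join(f["reasons"])))
```

On the sample, Andy's line is reported as denied (403, TCP_DENIED), and the made-up third line is reported as ALLOWED: a 200 on a CONNECT to port 25 means the proxy really did open a relay, which is the finding that needs an ACL fix rather than just a log entry.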
-----Original Message-----
From: Buzz [mailto:info at 4201.com]
Sent: 11 March 2004 19:15
To: list at dshield.org
Subject: [Dshield] spam-maker program & a honeypot hunter too


OK I found the link where I got the spam maker program.
http://www.send-safe.com

They've changed their web site around a bit since I was last there, and
added something new - a "honeypot hunter" that could be interesting to some
http://www.send-safe.com/honeypot-hunter.php

Bill



_______________________________________________
list mailing list
list at dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list
