[Full-disclosure] Strange repeating probes to port 80
- From: boris mutina <boris.mutina@xxxxxxxxx>
- Date: Tue, 27 Oct 2009 09:12:57 +0100
Dear list readers,
for an unknown reason I decided to create a very lame honeypot. I took WXP,
enabled IIS and forwarded ports 80 and 135 (both TCP and UDP). Then I
started IIS logging and started Wireshark to capture everything on the
wire. I was not expecting any special result but what I got is
something I cannot explain.
From the remote host there is a communication request represented by a SYN
packet to the honeypot port 80. The honeypot responds with SYN/ACK and
before it receives ACK, UDP datagram to port 80 is received from that
host with payload of length of 19 bytes (sometimes it is 20 or even 21
bytes, dunno why). Then after ACK from remote host TCP data is sent
(it appears like HTTP data but it is not), usually with variable
length of 20-80 bytes or so. Honeypot sends ACK to this, then there is
a 59 seconds delay and then FIN/ACK from remote host followed by ACK
and FIN/ACK by honeypot and ACK by remote host.
Strange things I cannot explain are these:
1. UDP payload 3rd byte is always 02
2. I tried to connect back to these systems using netcat to the
port number from which the UDP datagram came. I tried this:
ross@rommy:~$ nc 93.113.XXX.XXX 56856
GET / HTTP/1.0
HTTP/1.0 404 Not Found
3. Tried this:
ross@rommy:~$ nc 93.116.XXX.XXX 56856
HEAD / HTTP/1.0
4. Now the most crazy thing is that these "probes" repeat in a
relatively precise time interval - 7220 seconds.
Can anybody explain to me what the heck is going on? Or am I just
chasing a ghost? I can send the data sample upon request.
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
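The two observations that make these probes look scripted rather than random are the fixed 3rd byte (0x02) of the UDP datagram and the ~7220-second repeat interval. The script below is an added example, not code from the poster, that checks both over a set of flow records: it groups UDP-to-port-80 datagrams by source, tests whether the inter-arrival gaps all sit within a tolerance of the reported period, and counts datagrams whose payload length and 3rd byte match what the mail describes. The `Record` type, the 30-second tolerance and the sample records (with RFC 5737 documentation addresses) are assumptions constructed for the example; a real run would fill the records from an IIS log or a pcap export.

```python
"""Periodicity and payload-marker checks over constructed probe records.

Added example; not part of the original mail. It assumes the behaviour
the mail describes: UDP datagrams to port 80 of 19-21 bytes whose 3rd
byte is 0x02, repeating from the same host about every 7220 seconds.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean

PERIOD_S = 7220        # repeat interval reported in the mail
TOLERANCE_S = 30       # assumed slack around that interval
MARKER_OFFSET = 2      # 3rd byte of the UDP payload (0-based index)
MARKER_VALUE = 0x02    # value reported for that byte


@dataclass(frozen=True)
class Record:
    """One observed datagram/segment (hypothetical record layout)."""
    ts: float          # epoch seconds
    src: str
    proto: str         # "tcp" or "udp"
    dport: int
    payload: bytes


def udp_marker_matches(payload: bytes) -> bool:
    """True when the payload is 19-21 bytes long and its 3rd byte is 0x02.

    The length check runs first, so short payloads never raise IndexError.
    """
    return 19 <= len(payload) <= 21 and payload[MARKER_OFFSET] == MARKER_VALUE


def intervals(timestamps):
    """Gaps (seconds) between consecutive sorted timestamps."""
    ts = sorted(timestamps)
    return [b - a for a, b in zip(ts, ts[1:])]


def is_periodic(timestamps, period=PERIOD_S, tol=TOLERANCE_S):
    """True when every gap lies within tol of period (needs >= 3 samples)."""
    gaps = intervals(timestamps)
    if len(gaps) < 2:
        return False
    return all(abs(g - period) <= tol for g in gaps)


def analyse(records):
    """Summarise UDP-to-port-80 activity per source host.

    Returns {src: {"periodic": bool, "mean_gap": float, "udp_marker_hits": int}}.
    """
    udp_ts = defaultdict(list)
    hits = defaultdict(int)
    for r in records:
        if r.proto == "udp" and r.dport == 80:
            udp_ts[r.src].append(r.ts)
            if udp_marker_matches(r.payload):
                hits[r.src] += 1
    summary = {}
    for src, ts in udp_ts.items():
        gaps = intervals(ts)
        summary[src] = {
            "periodic": is_periodic(ts),
            "mean_gap": mean(gaps) if gaps else 0.0,
            "udp_marker_hits": hits[src],
        }
    return summary


# Constructed sample: one host probing on the reported cadence with the
# 0x02 marker, one host with irregular timing and no marker.
_BASE = 1_256_630_000.0                       # constructed epoch near the mail's date
_MARKED = bytes([0x10, 0x00, 0x02]) + b"\x00" * 16    # 19 bytes, 3rd byte 0x02
_UNMARKED = bytes([0x10, 0x00, 0x00]) + b"\x00" * 16  # 19 bytes, 3rd byte 0x00
SAMPLE = [
    Record(_BASE,         "198.51.100.10", "udp", 80, _MARKED),
    Record(_BASE + 7220,  "198.51.100.10", "udp", 80, _MARKED + b"\x00"),   # 20 bytes
    Record(_BASE + 14441, "198.51.100.10", "udp", 80, _MARKED),
    Record(_BASE + 21659, "198.51.100.10", "udp", 80, _MARKED + b"\x00\x00"),  # 21 bytes
    Record(_BASE + 100,   "203.0.113.5",   "udp", 80, _UNMARKED),
    Record(_BASE + 2000,  "203.0.113.5",   "udp", 80, _UNMARKED),
    Record(_BASE + 9000,  "203.0.113.5",   "udp", 80, _UNMARKED),
    Record(_BASE + 1,     "198.51.100.10", "tcp", 80, b"GET / HTTP/1.0\r\n"),  # ignored
]

if __name__ == "__main__":
    for src, info in analyse(SAMPLE).items():
        print(f"{src}: periodic={info['periodic']} mean_gap={info['mean_gap']:.1f}s "
              f"marker_hits={info['udp_marker_hits']}")
```

Run as a script it prints one line per source; the documentation-range host with the 7220 s cadence is reported as periodic with four marker hits, the irregular host is not. Tightening `TOLERANCE_S` or raising the minimum sample count in `is_periodic` is the usual way to trade false positives against detection delay when this is run over a longer capture.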