Re: honeypot



On Tue, 04 Apr 2006 15:16:43 +0100, none wrote:

Any ideas for what *can* be done if the abusers ISP is not
interested?

My solution is just to use the firewall to block domain ranges and/or
active malware ports without logging.

That allows me to see new malware port hunting. For port numbers:
http://www.dshield.org//port_report.php?port=
http://isc.sans.org/port_details.php?port=
http://lists.thedatalist.com/portlist/lookup.php?port=

I use whois ip_addy_here to get IP range values and to see if it is
worth blocking and/or reporting with logs. Universities and businesses
seem to care more than ISPs do.


You appear to be running Fedora Core. I am running Mandriva Linux with
the Shorewall firewall interface. Here is a copy of my blacklist, which
drops without logging.




0.0.0.0/0 udp 1025:1035
0.0.0.0/0 tcp 80 # AckCmd, Back End, CGI Backdoor, Executor, Hooker, RingZero
0.0.0.0/0 tcp 8080 # Brown Orifice, RemoConChubo, RingZero
0.0.0.0/0 tcp 21:25 # ftp, ssh, Telnet, any private mail system, smtp
0.0.0.0/0 tcp 4899 # Remote Administrator port
0.0.0.0/0 tcp 5900 # vnc Virtual Network Computer
0.0.0.0/0 tcp 42 # Host Name Server
0.0.0.0/0 tcp 111 # SUN Remote Procedure Call, Ramen worm exploit
0.0.0.0/0 tcp 106 # 3COM-TSMUX
0.0.0.0/0 tcp 143 # Internet Message Access Protocol
0.0.0.0/0 tcp 515 # spooler, Ramen worm exploit
0.0.0.0/0 tcp 10000 # Network Data Management Protocol (webmint)
0.0.0.0/0 udp 1434 # Microsoft-SQL-Monitor
0.0.0.0/0 tcp 1433 # Microsoft-SQL-Server
0.0.0.0/0 tcp 2745 # W32/Bagle.j@MM Virus backdoor
0.0.0.0/0 tcp 3127 # ctx-bridge, W32/MyDoom, W32.Novarg.A backdoor
0.0.0.0/0 tcp 3306 # MySQL
0.0.0.0/0 tcp 3389 # MS WBT Server
0.0.0.0/0 tcp 3410 # Backdoor.OptixPro.12
0.0.0.0/0 tcp 4000 # Skydance, Connect-BackBackdoor
0.0.0.0/0 tcp 5110 # Turkish trojan ProRat
0.0.0.0/0 tcp 5554 # Sasser trojan/worm ftp server
0.0.0.0/0 udp 5631 # pcANYWHEREdata
0.0.0.0/0 tcp 5800 # vnc
0.0.0.0/0 tcp 6129 # Dameware Remote Admin
0.0.0.0/0 tcp 6348 # Gnutella works on this port too
0.0.0.0/0 udp 6348 # Gnutella works on this port too
0.0.0.0/0 tcp 9898 # dabber, MonkeyCom
0.0.0.0/0 udp 9200 # WAP connectionless session service
0.0.0.0/0 tcp 2100 # Amiga Network Filesystem
0.0.0.0/0 tcp 27374 # Bad Blood, SubSeven, SubSeven 2.1 Gold, Subseven 2.1.4 DefCon 8
0.0.0.0/0 udp 33436 #
0.0.0.0/0 udp 33437 #
0.0.0.0/0 udp 33440 #
0.0.0.0/0 tcp 32773 # Sometimes an RPC port on Solaris box (rquotad)
0.0.0.0/0 tcp 11768 # DIPNET trojan/backdoor
0.0.0.0/0 tcp 15118 #
0.0.0.0/0 tcp 17300 # Kuang2 the virus



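The blacklist format above, and the idea of watching the remaining log hits for ports the list does not yet cover, as an added example that is not part of the original post: it parses the range, CIDR and "0.0.0.0/0 proto port" line shapes, then triages constructed iptables-style kernel log lines (documentation addresses only) against a constructed excerpt of the list.

```python
# Added example (not the post's own code): parse the Shorewall-style blacklist
# format used above and triage constructed iptables-style log hits against it.
import ipaddress
import re

BLACKLIST = """
66.28.0.0-66.28.255.255 # Cogent Communications
210.0.0.0/7
0.0.0.0/0 udp 1025:1035
0.0.0.0/0 tcp 3127 # ctx-bridge, W32/MyDoom, W32.Novarg.A backdoor
"""
LOG_LINES = """
kernel: IN=eth0 OUT= SRC=66.28.10.5 DST=192.0.2.7 PROTO=TCP SPT=4321 DPT=22
kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.7 PROTO=UDP SPT=1030 DPT=1030
kernel: IN=eth0 OUT= SRC=203.0.113.77 DST=192.0.2.7 PROTO=TCP SPT=5555 DPT=5900
"""
LOG_RE = re.compile(r"SRC=(\S+) .*PROTO=(\w+) .*DPT=(\d+)")

def parse_blacklist(text):
    """Return (networks, port_rules); each port rule is (proto, lo, hi)."""
    networks, port_rules = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing '# comment'
        if not line:
            continue
        fields = line.split()
        if len(fields) == 3:  # 0.0.0.0/0 proto port[:port]
            lo, _, hi = fields[2].partition(":")
            port_rules.append((fields[1].lower(), int(lo), int(hi or lo)))
        elif "-" in fields[0]:  # first-last dotted-quad range
            first, last = (ipaddress.ip_address(a) for a in fields[0].split("-"))
            networks.extend(ipaddress.summarize_address_range(first, last))
        else:  # plain CIDR prefix
            networks.append(ipaddress.ip_network(fields[0], strict=False))
    return networks, port_rules

def classify(log_text, networks, port_rules):
    """Tag each hit 'blocked-addr', 'blocked-port' or 'new-port'."""
    verdicts = []
    for m in filter(None, map(LOG_RE.search, log_text.splitlines())):
        src = ipaddress.ip_address(m.group(1))
        proto, dport = m.group(2).lower(), int(m.group(3))
        if any(src in net for net in networks):
            tag = "blocked-addr"  # would be dropped silently by the range list
        elif any(p == proto and lo <= dport <= hi for p, lo, hi in port_rules):
            tag = "blocked-port"  # already a known malware/service port
        else:
            tag = "new-port"  # not yet covered: worth a port lookup
        verdicts.append((str(src), proto, dport, tag))
    return verdicts
```

Only the "new-port" hits are the ones the post's approach leaves visible in the logs; the other two classes are what dropping without logging hides.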