spyware question

From: <captgoodnight@acsalaska.net>
Date: Fri Jun 25 2004 - 15:43:18 AKDT

Check it. I've mentioned in my last e-mails that I run a complex honeypot network. I use
honeyd and THP to fake multiple boxes and services. Services are below.

telnet
ftp
web
ssh
mydoom infected machine
kuang2 infected machine
SMTP tcpnice type service
a few fake root shells

All spread out with arpd/xinetd across 6 virtual boxes. With p0f running :)

Why? To catch 0-day and publicly known exploits for the purpose of configuring services (also custom
clamd sigs :) and hexediting value (noob here still). There are other cool things that are found in the moment
that I can't seem to think of now ;)

Question is this. Many times I've caught malicious uploads (mydoom, Exploit.DCOM.Gen and auto-rooters (ftp, HTTP, telnet...))
from the 209.112.128.0 - 209.112.223.255 netrange, which is ACS. Often the address concerned is knocking on multiple
ports with multiple exploits; he's really infected. So what do I do with this info? I once forwarded this stuff to ACS; I think it did
no good. Do they even care (I know it's busy there)? From an ISP perspective, I think, this info could be really
useful in the area of customer servicing/service. Plus, it could cut down on the amount of useless traffic across
their netrange (Hell of a lot may I add!). Also, if someone had an evil heart they could whack these poor boxes too.
Heck, all the fingerprinting/target searching is taken care of, they come to the dirt bag. lol. I'm lost on what to do, I
appreciate the info for my own learning curve, but maybe this info is useful somewhere else too. Often handing out info
increases our own...

Whatcha think? Should I remain silent? Or speak up at the risk of sounding like an arrogant customer (thus ignored)? Any other
direction I may take? (be nice! lol)

Curious, thanks for your time,
eddie
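A practical answer to "what do I do with this info" is to stop forwarding raw honeypot hits and instead send the ISP one aggregated report per source host: first and last seen, which ports and which of your fake boxes it hit, and the p0f OS guess. The script below is an added example, not part of the original post or of honeyd itself. It assumes a honeyd-style packet log (the `<timestamp> <proto>(<num>) <S|E|-> <src> <sport> <dst> <dport> [<os guess>]` layout is an assumption; check it against your own `honeyd -l` output), and the log lines embedded in it are constructed for the example. The only real values it carries are the ACS range from the post, which is not a single CIDR block and is therefore split with `ipaddress.summarize_address_range`.

```python
import ipaddress
import re
from collections import defaultdict

# 209.112.128.0 - 209.112.223.255 (from the post) is not one CIDR block;
# summarize_address_range() yields 209.112.128.0/18 plus 209.112.192.0/19.
ACS_NETS = list(ipaddress.summarize_address_range(
    ipaddress.IPv4Address("209.112.128.0"),
    ipaddress.IPv4Address("209.112.223.255")))

# Assumed honeyd packet-log layout (verify against your own `honeyd -l` file):
#   <timestamp> <proto>(<num>) <S|E|-> <src> <sport> <dst> <dport> [<os guess>]
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>[a-z]+)\(\d+\)\s+(?P<flag>[SE-])\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+\d+\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<dport>\d+)"
    r"(?:\s+\[(?P<os>[^\]]*)\])?")

# Constructed sample log: one multi-port scanner and one single hit from inside
# the ACS range, one ACS address outside the stated sub-range, one unrelated host.
SAMPLE_LOG = """\
2004-06-25-14:02:11.0513 tcp(6) S 209.112.130.17 3261 10.0.0.5 135 [Windows XP SP1]
2004-06-25-14:02:12.1087 tcp(6) S 209.112.130.17 3262 10.0.0.5 445 [Windows XP SP1]
2004-06-25-14:02:15.4421 tcp(6) S 209.112.130.17 3270 10.0.0.6 3127
2004-06-25-14:02:16.0012 tcp(6) E 209.112.130.17 3261 10.0.0.5 135: 48 0
2004-06-25-14:05:40.7710 tcp(6) S 209.112.200.9 1044 10.0.0.7 21 [Windows 2000 SP2+]
2004-06-25-14:06:03.2000 tcp(6) S 209.112.10.4 4002 10.0.0.5 80 [Linux 2.4]
2004-06-25-14:07:19.9090 udp(17) - 209.112.130.17 1027 10.0.0.5 1434
2004-06-25-14:09:00.1111 tcp(6) S 198.51.100.23 2100 10.0.0.5 22 [Linux 2.4]
"""


def in_nets(ip, nets=ACS_NETS):
    """True if ip falls inside any of the given networks."""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in net for net in nets)


def parse_log(text):
    """Yield one dict per parseable log line; anything else is skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def summarize(text, nets=ACS_NETS):
    """Aggregate connection attempts per source address inside nets.

    'S' (TCP start) and '-' (UDP datagram) count as attempts; 'E' (TCP end)
    records describe a connection already counted and are ignored.
    Timestamps are fixed-width, so lexical min/max gives first/last seen.
    """
    per_src = defaultdict(lambda: {"hits": 0, "first": None, "last": None,
                                   "ports": set(), "targets": set(), "os": set()})
    for rec in parse_log(text):
        if rec["flag"] == "E" or not in_nets(rec["src"], nets):
            continue
        s = per_src[rec["src"]]
        s["hits"] += 1
        s["first"] = rec["ts"] if s["first"] is None else min(s["first"], rec["ts"])
        s["last"] = rec["ts"] if s["last"] is None else max(s["last"], rec["ts"])
        s["ports"].add((rec["proto"], int(rec["dport"])))
        s["targets"].add(rec["dst"])
        if rec["os"]:
            s["os"].add(rec["os"])
    return dict(per_src)


def render_report(summary, min_ports=3):
    """Plain-text report, noisiest source first, ready to paste into an abuse mail.

    A source that probed min_ports or more distinct ports is flagged, since a
    single user mistyping an address does not hit 135, 445 and 3127 in a row.
    """
    lines = []
    for src, s in sorted(summary.items(), key=lambda kv: (-len(kv[1]["ports"]), kv[0])):
        ports = ", ".join(f"{p}/{d}" for p, d in sorted(s["ports"]))
        tag = "  <-- multi-port, likely compromised" if len(s["ports"]) >= min_ports else ""
        plural = "s" if s["hits"] != 1 else ""
        lines.append(f"{src}: {s['hits']} attempt{plural}, {s['first']} .. {s['last']}{tag}")
        lines.append(f"  ports: {ports}")
        lines.append(f"  targets: {', '.join(sorted(s['targets']))}"
                     + (f"  os guess: {'; '.join(sorted(s['os']))}" if s["os"] else ""))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(summarize(SAMPLE_LOG)))
```

Run it against your real log instead of `SAMPLE_LOG` and send the ISP's abuse contact only the flagged entries; the first/last timestamps (with your timezone stated) are what lets them map a dynamic address back to a customer, and the port list is what tells their helpdesk which worm to look for.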

---------
To unsubscribe, send email to <aklug-request@aklug.org>
with 'unsubscribe' in the message body.
Received on Fri Jun 25 15:42:52 2004

This archive was generated by hypermail 2.1.8 : Fri Jun 25 2004 - 15:42:54 AKDT