Re: spyware question

From: W.D.McKinney <deem@wdm.com>
Date: Fri Jun 25 2004 - 15:50:25 AKDT

>-----Original Message-----
>From: captgoodnight@acsalaska.net [mailto:captgoodnight@acsalaska.net]
>Sent: Friday, June 25, 2004 11:43 PM
>To: aklug@aklug.org
>Subject: spyware question
>
>
>Check it. I've mentioned in my last e-mails that I run a complex honeypot network. I use
>honeyd and THP to fake multiple boxes and services. Services are below.
>
>telnet
>ftp
>web
>ssh
>mydoom infected machine
>kuang2 infected machine
>SMTP tcpnice type service
>a few fake root shells
>
>All spread out with arpd/xinetd across 6 virtual boxes. With p0f running :)
>
>Why? To catch 0-day and public known exploits for the purpose of configuring services (also custom
>clamd sigs :) and hexediting value (noob here still). There are other cool things that are found in the moment
>that I can't seem to think of now ;)
>
>Question is this. Many times I've caught malicious uploads (mydoom, Exploit.DCOM.Gen and auto-rooters (ftp, HTTP, telnet...))
>from the 209.112.128.0 - 209.112.223.255 netrange, which is ACS. Often the address concerned is knocking on multiple
>ports with multiple exploits; he's really infected. So what do I do with this info? I once forwarded this stuff to ACS; I think it did
>no good. Do they even care (I know it's busy there)? From an ISP perspective, I think, this info could be really
>useful in the area of customer servicing/service. Plus, it could cut down on the amount of useless traffic across
>their netrange (Hell of a lot may I add!). Also, if someone had an evil heart they could whack these poor boxes too.
>Heck, all the fingerprinting/target searching is taken care of, they come to the dirt bag. lol. I'm lost on what to do, I
>appreciate the info for my own learning curve, but maybe this info is useful somewhere else too. Often handing out info
>increases our own...
>
>Whatcha think? Should I remain silent? Or speak up at the risk of sounding like an arrogant customer (thus ignored)? Any other
>direction I may take? (be nice! lol)
>
>

I just asked ACS Internet about some ports that were being stopped, i.e.
a news feed (NNTP), and they replied via e-mail saying that no specific ports are being blocked.

Hmmmm... maybe it would be good to stick your head above the weeds.

Dee
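The question above ("so what do I do with this info?") comes down to turning raw honeypot hits into something an ISP abuse desk can act on: group events by source address, keep only sources inside the ISP's netrange, and rank them by how many distinct services they probed. The script below is an added example and is not code from the thread or from honeyd/THP; it assumes a simplified space-separated log format (constructed sample lines, not real captures; honeyd's own log layout differs) and uses the 209.112.128.0 - 209.112.223.255 range named in the post.

```python
"""Aggregate honeypot hits per source address and flag the ones that fall in a
given ISP netrange, as the basis for an abuse report to that ISP.

Added example; not code from the original thread. The log format below is a
simplified one assumed for this example (honeyd's real log layout differs).
"""
import ipaddress
from collections import defaultdict

# Constructed sample log lines (not real captures):
# <date> <time> <proto> <src_ip> <src_port> <dst_ip> <dst_port> <tag>
SAMPLE_LOG = """\
2004-06-25 11:40:01 tcp 209.112.130.15 3421 10.0.0.5 21 ftp-bruteforce
2004-06-25 11:40:03 tcp 209.112.130.15 3422 10.0.0.5 23 telnet-probe
2004-06-25 11:40:09 tcp 209.112.130.15 3430 10.0.0.6 135 dcom-exploit-attempt
2004-06-25 11:41:12 tcp 209.112.200.77 1044 10.0.0.7 3127 mydoom-backdoor-check
2004-06-25 11:42:00 tcp 198.51.100.9 5555 10.0.0.5 80 http-scan
2004-06-25 11:42:30 tcp 209.112.130.15 3440 10.0.0.8 80 http-scan
2004-06-25 11:43:00 udp 209.112.150.2 6000 10.0.0.5 137 netbios-name-query
"""

# The netrange named in the thread, converted to CIDR blocks so that
# membership tests are a plain "in" check.
ISP_RANGE_START = ipaddress.ip_address("209.112.128.0")
ISP_RANGE_END = ipaddress.ip_address("209.112.223.255")
ISP_NETWORKS = list(ipaddress.summarize_address_range(ISP_RANGE_START, ISP_RANGE_END))


def parse_line(line):
    """Split one log line into a dict; return None for malformed lines."""
    fields = line.split()
    if len(fields) != 8:
        return None
    date, time_, proto, src, sport, dst, dport, tag = fields
    try:
        return {
            "ts": f"{date} {time_}",
            "proto": proto,
            "src": ipaddress.ip_address(src),
            "sport": int(sport),
            "dst": ipaddress.ip_address(dst),
            "dport": int(dport),
            "tag": tag,
        }
    except ValueError:
        return None


def in_isp_range(ip):
    """True if the address lies in any of the ISP's CIDR blocks."""
    return any(ip in net for net in ISP_NETWORKS)


def summarize(log_text):
    """Group events by source: distinct target ports, tags, hit count, time span."""
    per_src = defaultdict(lambda: {"ports": set(), "tags": set(), "hits": 0,
                                   "first": None, "last": None})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue  # skip lines that do not match the assumed format
        entry = per_src[ev["src"]]
        entry["ports"].add(ev["dport"])
        entry["tags"].add(ev["tag"])
        entry["hits"] += 1
        entry["first"] = entry["first"] or ev["ts"]
        entry["last"] = ev["ts"]
    return dict(per_src)


def abuse_candidates(summary, min_ports=2):
    """Sources inside the ISP range that touched at least min_ports distinct
    ports. One host knocking on many services is the 'really infected'
    pattern worth reporting; a single stray hit usually is not."""
    out = [src for src, e in summary.items()
           if in_isp_range(src) and len(e["ports"]) >= min_ports]
    # Busiest sources first, address as a tie-breaker.
    return sorted(out, key=lambda ip: (len(summary[ip]["ports"]), int(ip)), reverse=True)


def format_report(summary, sources):
    """One line per source with the facts an abuse desk needs to find the host."""
    lines = []
    for src in sources:
        e = summary[src]
        lines.append(f"{src}: {e['hits']} hits, ports {sorted(e['ports'])}, "
                     f"{e['first']} .. {e['last']}, tags {sorted(e['tags'])}")
    return "\n".join(lines)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("ISP CIDR blocks:", [str(n) for n in ISP_NETWORKS])
    print(format_report(s, abuse_candidates(s)))
```

With the constructed sample, only 209.112.130.15 (four distinct ports, from an FTP brute force to a DCOM attempt) clears the two-port threshold; the two other in-range sources each hit a single port and are left out unless `min_ports` is lowered. Timestamps (with timezone) and the exact ports touched are what an ISP needs to map an address back to a customer, so the report keeps the first and last seen times rather than only a count.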

Received on Fri Jun 25 15:49:56 2004

This archive was generated by hypermail 2.1.8 : Fri Jun 25 2004 - 15:49:58 AKDT