Mailing List Archive: 49091 messages
  • Home
  • Script library
  • AltME Archive
  • Mailing list
  • Articles Index
  • Site search

[REBOL] Re: Network Guru...

From: ryanc:iesco-dms at: 14-Dec-2001 9:41

I might got just what you looking for. It is a scan detection utility I made when I was researching hackers. It doesnt listen to many ports under windows 98--10 I think. Runs fine under linux though. Probably would run fine under under NT/2000 too. My experience with these guys is that if they detect an open port, they come back and try it again. So using this program attracts hackers. Worse yet, sometimes they mistake this progam for a real service, and they may flood you with futile attacks. It was worthwhile risk for me, as it gave me all kinds of information about hackers. Interestingly, I found during my three months of testing, it seemed almost all attackers knew only one hack, obviously script kiddies. Only a few knew two or three. It seems real hackers are hard to find. Another interesting thing is that only a few of the 30 or so admins I contacted about their hacked machines ever replied to my emails. Most of those machines had all the signs of a default install. Most those machines where ran by US and oriental companies, and US universities. Could make for some fascinating investigative reporting. Here is a link to my program: You might try this using this ini file, it is setup to listen on the most commonly hacked ports. USE AT YOUR OWN RISK!!! --Ryan Porter Woodward wrote:
> Hi - > > I trying to track down a persistent series of probes against systems at my > home. I'm an XO DSL subscriber (tho not for long with the way things are > going) - and have a 24/7 connection. I run ZoneAlarm on my Windows > systems - and that's what has alerted me to a series of probes, coming from > XO's own network. > > Essentially I see a probe from their news server on port 1080 every 30 - 60 > minutes. 1080 is commonly used as a proxy port under Windows for Internet > Connection Sharing via Proxy. Naturally this port is not open on my > system - and ZA lets me know that something just tried to talk to me. I > also periodically see probes from old Code-Red (I'm sometimes running a > web-server, not IIS, so I can tell by looking at the logs). > > Here's my problem - I've taken the proxy server from the scripts section of >, and told it to listen to port 1080 - and I get hits on it. But - > they aren't looking for a URL, or contacting me to use it as a proxy. So - > it's not real clear what they are trying to send out. I did create a > stripped down server, and used 'copy to print out the probe - but that was > singularly unrevealing. Has any one got a better way to setup a server port > to just listen to the inbound packets and record them? > > - Porter Woodward > > PS: I've contact XO's security team twice about this, and the probes are > still going strong 2 months later! I just want to find out what is coming > in. It could be a curious little security breach that would be good to know > about. > > -- > To unsubscribe from this list, please send an email to > [rebol-request--rebol--com] with "unsubscribe" in the > subject, without the quotes.
-- Ryan Cole Programmer Analyst 707-468-5400 The contradiction so puzzling to the ordinary way of thinking comes from the fact that we have to use language to communicate our inner experience which in its very nature transcends lingistics. -D.T. Suzuki