Mailing List Archive: 49091 messages

[REBOL] Re: Network Guru...

From: ryanc:iesco-dms at: 14-Dec-2001 9:41

I might have just what you're looking for. It is a scan detection utility I made when I was researching hackers. It doesn't listen to many ports under Windows 98: 10, I think. Runs fine under Linux though. Probably would run fine under NT/2000 too.

My experience with these guys is that if they detect an open port, they come back and try it again. So using this program attracts hackers. Worse yet, sometimes they mistake this program for a real service, and they may flood you with futile attacks. It was a worthwhile risk for me, as it gave me all kinds of information about hackers.

Interestingly, I found during my three months of testing that almost all attackers seemed to know only one hack, obviously script kiddies. Only a few knew two or three. It seems real hackers are hard to find. Another interesting thing is that only a few of the 30 or so admins I contacted about their hacked machines ever replied to my emails. Most of those machines had all the signs of a default install. Most of those machines were run by US and oriental companies, and US universities. Could make for some fascinating investigative reporting.

Here is a link to my program:
http://www.sonic.net/~gaia/misc/scan-det/scan-det.r

You might try this using this ini file; it is set up to listen on the most commonly hacked ports.
http://www.sonic.net/~gaia/misc/scan-det/scan-det.ini

USE AT YOUR OWN RISK!!!

--Ryan

Porter Woodward wrote:
> Hi -
>
> I'm trying to track down a persistent series of probes against systems at my
> home. I'm an XO DSL subscriber (tho not for long with the way things are
> going) - and have a 24/7 connection. I run ZoneAlarm on my Windows
> systems - and that's what has alerted me to a series of probes, coming from
> XO's own network.
>
> Essentially I see a probe from their news server on port 1080 every 30 - 60
> minutes. 1080 is commonly used as a proxy port under Windows for Internet
> Connection Sharing via Proxy. Naturally this port is not open on my
> system - and ZA lets me know that something just tried to talk to me. I
> also periodically see probes from old Code-Red (I'm sometimes running a
> web-server, not IIS, so I can tell by looking at the logs).
>
> Here's my problem - I've taken the proxy server from the scripts section of
> rebol.com, and told it to listen to port 1080 - and I get hits on it. But -
> they aren't looking for a URL, or contacting me to use it as a proxy. So -
> it's not real clear what they are trying to send out. I did create a
> stripped down server, and used 'copy to print out the probe - but that was
> singularly unrevealing. Has anyone got a better way to set up a server port
> to just listen to the inbound packets and record them?
>
> - Porter Woodward
>
> PS: I've contacted XO's security team twice about this, and the probes are
> still going strong 2 months later! I just want to find out what is coming
> in. It could be a curious little security breach that would be good to know
> about.
>
> --
> To unsubscribe from this list, please send an email to
> [rebol-request--rebol--com] with "unsubscribe" in the
> subject, without the quotes.
--
Ryan Cole
Programmer Analyst
www.iesco-dms.com
707-468-5400

The contradiction so puzzling to the ordinary way of thinking comes from the fact that we have to use language to communicate our inner experience which in its very nature transcends linguistics.
-D.T. Suzuki
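
A minimal listen-and-record server for the question quoted above, as an added example that is not part of the original thread and is not the scan-det.r script: it accepts connections, never replies, and logs the first bytes in hex with a best-effort protocol guess. The SOCKS and HTTP checks are an assumption about what a port 1080 probe might send (1080 is the registered SOCKS port); the thread does not say what the probes contained, and all function names here are hypothetical.

```python
import socket
import struct
import time

MAX_BYTES = 512      # cap on what is kept per connection
READ_TIMEOUT = 5.0   # seconds to wait for the client to speak first

def describe_probe(data: bytes) -> str:
    """Best-effort label for the first bytes a client sent (assumed formats)."""
    if not data:
        return "connected but sent nothing"
    if data[0] == 4 and len(data) >= 8:          # SOCKS4: VER CMD PORT(2) IP(4)
        cmd, port = struct.unpack("!BH", data[1:4])
        ip = socket.inet_ntoa(data[4:8])
        kind = {1: "CONNECT", 2: "BIND"}.get(cmd, f"cmd {cmd}")
        return f"SOCKS4 {kind} to {ip}:{port}"
    if data[0] == 5 and len(data) >= 2:          # SOCKS5: VER NMETHODS METHODS
        methods = list(data[2:2 + data[1]])
        return f"SOCKS5 greeting, auth methods {methods}"
    if data.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"CONNECT"):
        return "HTTP request: " + data.split(b"\r\n", 1)[0].decode("latin-1")
    return "unrecognized"

def record_once(listener: socket.socket) -> dict:
    """Accept one connection, read without ever replying, return a log record."""
    conn, (host, port) = listener.accept()
    with conn:
        conn.settimeout(READ_TIMEOUT)
        try:
            data = conn.recv(MAX_BYTES)          # first segment only, size-capped
        except (socket.timeout, ConnectionError):
            data = b""                           # silent or reset peers are still logged
    return {"time": time.strftime("%Y-%m-%d %H:%M:%S"),
            "peer": f"{host}:{port}",
            "hex": data.hex(" "),                # binary probes stay readable as hex
            "guess": describe_probe(data)}

def listen(port: int = 1080, bind: str = "0.0.0.0") -> None:
    """Log one record per inbound connection until interrupted."""
    with socket.create_server((bind, port)) as srv:
        while True:
            print(record_once(srv))

if __name__ == "__main__":
    listen()
```

Logging the bytes as hex rather than printing them as text keeps a binary handshake legible, and the read timeout and size cap keep a silent or flooding client from tying up the listener.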