PornoSatan
2[H]4U
Joined: Sep 3, 2004
Messages: 3,493
So with everyone behind firewalls these days that autoblock unsolicited requests, I was kinda curious what actually is going on if you 'expose' a system to the net. These are the results.
I made this little script which binds netcat to a port, and when someone connects, it sends them a message from that port's "banner" file. It then records the response. It's essentially my way of emulating various services.
Code:
#!/bin/bash
# Usage: <script> <port>
# Listens on <port> with netcat, sends the banner from /root/banners/<port>.txt to
# whoever connects, and appends whatever they send back to /root/banners/<port>.log.
PORT="$1"
BDIR='/root/banners'
NC="$(command -v nc)"   # expects netcat-traditional syntax (-p PORT); OpenBSD nc differs
LOG="$BDIR/$PORT.log"

if [ -z "$PORT" ] || [ -z "$NC" ]; then
    echo "usage: $0 <port> (nc must be in PATH)" >&2
    exit 1
fi
if [ ! -f "$BDIR/$PORT.txt" ]; then
    echo "Banner file $PORT.txt not found, creating defaults"
    echo default >> "$BDIR/$PORT.txt"
fi
BANNER="$(cat "$BDIR/$PORT.txt")"

# Handle nine connections (i runs 1..9), one at a time: nc exits when the client disconnects
i=1
while [ "$i" -lt 10 ]; do
    echo "----------------------------------------" >> "$LOG"
    # -e expands the \r\n escapes in the banner file; quoting keeps the banner intact
    echo -e "$BANNER" | "$NC" -l -n -v -p "$PORT" >> "$LOG" 2>&1
    echo "Connection attempt on: $PORT at $(date '+%a %b %d %r')"
    echo >> "$LOG"
    echo "Attempted on: $(date '+%a %b %d %r')" >> "$LOG"
    echo "----------------------------------------" >> "$LOG"
    i=$((i + 1))
done
Example of my telnet banner file (fake login prompt):
Code:
Debian GNU/Linux 6 brofist tty1\r\n\r\nbrofist login:
Logs for telnet:
Code:
----------------------------------------
listening on [any] 23 ...
connect to [192.168.1.107] from (UNKNOWN) [190.128.5.98] 41513
admin
admin
sh
Attempted on: Wed Jul 03 06:42:25 AM
----------------------------------------
----------------------------------------
listening on [any] 23 ...
connect to [192.168.1.107] from (UNKNOWN) [65.170.233.196] 4012
root
admin
Attempted on: Wed Jul 03 08:54:29 AM
----------------------------------------
----------------------------------------
listening on [any] 23 ...
connect to [192.168.1.107] from (UNKNOWN) [37.113.87.216] 49582
Attempted on: Wed Jul 03 10:45:00 AM
----------------------------------------
----------------------------------------
listening on [any] 23 ...
connect to [192.168.1.107] from (UNKNOWN) [86.6.209.222] 42479
Attempted on: Wed Jul 03 10:45:04 AM
----------------------------------------
----------------------------------------
listening on [any] 23 ...
connect to [192.168.1.107] from (UNKNOWN) [60.240.111.47] 53608
Attempted on: Wed Jul 03 10:48:01 AM
----------------------------------------
----------------------------------------
listening on [any] 23 ...
connect to [192.168.1.107] from (UNKNOWN) [60.240.111.47] 35547
root
root
Attempted on: Wed Jul 03 10:55:06 AM
----------------------------------------
----------------------------------------
listening on [any] 23 ...
connect to [192.168.1.107] from (UNKNOWN) [75.92.71.3] 43929
Attempted on: Wed Jul 03 05:45:27 PM
----------------------------------------
----------------------------------------
listening on [any] 23 ...
connect to [192.168.1.107] from (UNKNOWN) [75.92.71.3] 47477
root
root
Attempted on: Wed Jul 03 05:57:58 PM
connect to [192.168.1.107] from (UNKNOWN) [175.205.156.30] 2848
Attempted on: Mon Jul 08 06:20:06 AM
----------------------------------------
----------------------------------------
listening on [any] 23 ...
connect to [192.168.1.107] from (UNKNOWN) [114.253.103.38] 1534
Attempted on: Mon Jul 08 06:22:01 AM
----------------------------------------
----------------------------------------
listening on [any] 23 ...
connect to [192.168.1.107] from (UNKNOWN) [175.205.156.30] 4865
root
dreambox
Attempted on: Mon Jul 08 06:32:00 AM
----------------------------------------
The last entry is interesting; it turns out that's a default set of credentials for some German TV set-top box that runs Linux.
Fake web server (port 80) logs:
Code:
----------------------------------------
listening on [any] 80 ...
connect to [192.168.1.107] from (UNKNOWN) [98.210.100.233] 51406
xÕ ºN/YÐ
îH
îë«|
ÛïvyU¨F'Ó@HMuN
ßdÜgRYî7ÕÀ]{!
Attempted on: Mon Jul 08 04:45:20 AM
----------------------------------------
----------------------------------------
listening on [any] 80 ...
connect to [192.168.1.107] from (UNKNOWN) [115.238.185.136] 33119
GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: ZmEu
Host:
Connection: Close
Attempted on: Mon Jul 08 08:45:09 AM
----------------------------------------
----------------------------------------
listening on [any] 80 ...
connect to [192.168.1.107] from (UNKNOWN) [115.238.185.136] 35641
GET /pma/scripts/setup.php HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: ZmEu
Host:
Connection: Close
Attempted on: Mon Jul 08 08:45:15 AM
----------------------------------------
----------------------------------------
listening on [any] 80 ...
connect to [192.168.1.107] from (UNKNOWN) [115.238.185.136] 36221
GET /MyAdmin/scripts/setup.php HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: ZmEu
Host:
Connection: Close
Attempted on: Mon Jul 08 08:45:21 AM
----------------------------------------
----------------------------------------
listening on [any] 80 ...
connect to [192.168.1.107] from (UNKNOWN) [115.238.185.136] 36347
GET /admin/scripts/setup.php HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: ZmEu
Host:
Connection: Close
Attempted on: Mon Jul 08 08:45:27 AM
----------------------------------------
Various presumably automated attempts at breaking into badly configured servers. That w00tw00t one is kinda funny though.
Fake web proxy (port 8080) logs:
Code:
----------------------------------------
listening on [any] 8080 ...
connect to [192.168.1.107] from (UNKNOWN) [183.60.48.25] 42384
GET http://www.baidu.com/ HTTP/1.1
Host: www.baidu.com
Accept: */*
Content-Type: text/html
Proxy-Connection: Keep-Alive
Content-length: 0
----------------------------------------
listening on [any] 8080 ...
connect to [192.168.1.107] from (UNKNOWN) [183.60.48.25] 50230
CONNECT tcpconn2.tencent.com:443 HTTP/1.1
Host: tcpconn2.tencent.com:443
Accept: */*
Content-Type: text/html
Proxy-Connection: Keep-Alive
Content-length: 0
Attempted on: Tue Jul 02 10:42:33 AM
----------------------------------------
----------------------------------------
listening on [any] 8080 ...
connect to [192.168.1.107] from (UNKNOWN) [183.60.48.25] 43704
CONNECT tcpconn2.tencent.com:443 HTTP/1.1
Host: tcpconn2.tencent.com:443
Accept: */*
Content-Type: text/html
Proxy-Connection: Keep-Alive
Content-length: 0
Attempted on: Tue Jul 02 03:17:53 PM
----------------------------------------
----------------------------------------
listening on [any] 8080 ...
connect to [192.168.1.107] from (UNKNOWN) [60.173.11.153] 2418
GET /manager/html HTTP/1.1
Content-Type: text/html
Host:
Accept: text/html, */*
User-Agent: Mozilla/3.0 (compatible; Indy Library)
Authorization: Basic Og==
Attempted on: Tue Jul 02 07:02:05 PM
----------------------------------------
----------------------------------------
listening on [any] 8080 ...
connect to [192.168.1.107] from (UNKNOWN) [60.173.11.153] 1994
GET /manager/html HTTP/1.1
Content-Type: text/html
Host:
Accept: text/html, */*
User-Agent: Mozilla/3.0 (compatible; Indy Library)
Authorization: Basic Og==
Attempted on: Tue Jul 02 07:04:17 PM
----------------------------------------
----------------------------------------
listening on [any] 8080 ...
connect to [192.168.1.107] from (UNKNOWN) [60.173.11.153] 1800
GET /manager/html HTTP/1.1
Content-Type: text/html
Host:
Accept: text/html, */*
User-Agent: Mozilla/3.0 (compatible; Indy Library)
Authorization: Basic Og=
Attempted on: Tue Jul 02 07:09:36 PM
----------------------------------------
A lot of Chinese users scanning my IP range and attempting to connect through my fake proxy to "Baidu", a Chinese search engine. Also a couple of attempts at getting access to badly configured web servers (i.e. GET /manager/html).
Anyways, thought it was kinda interesting and figured you all might like to know the various types of shit going on to boxes exposed to the net.
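As an added example (not the OP's code), here is a Python parser for the log format the script above writes: one record per "connect to" line, the listening port taken from the preceding "listening on" line, and the client's input collected until the "Attempted on" stamp. On top of the records it pairs telnet inputs into (user, password) attempts, flags pairs on a small factory-default watchlist, and pulls the request line and User-Agent out of anything that looks like HTTP. The sample log and the watchlist are constructed; only root/dreambox comes from the post, the other two pairs are assumptions for illustration.

```python
"""Parse the netcat banner-trap log written by the script above into structured
hits and summarise what visitors tried. Added example (not the OP's code); the
sample log below is constructed to mimic the post's entries."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional

LISTEN_RE = re.compile(r"^listening on \[any\] (\d+) \.\.\.$")
CONNECT_RE = re.compile(r"^connect to \[\S+\] from \(\S*\) \[(\S+)\] (\d+)$")
STAMP_RE = re.compile(r"^Attempted on: (.+)$")
REQUEST_RE = re.compile(r"^([A-Z]+) (\S+) HTTP/\d\.\d$")


@dataclass
class Hit:
    port: Optional[int]          # trap port, from the last "listening on" line seen
    src_ip: str
    src_port: int
    stamp: str = ""
    lines: List[str] = field(default_factory=list)   # raw lines the client sent


def parse_log(text: str) -> List[Hit]:
    """One Hit per 'connect to' line; payload runs until the 'Attempted on' stamp."""
    hits, current, port = [], None, None
    for line in text.splitlines():
        line = line.rstrip("\r")
        if not line.strip() or line.startswith("----"):
            continue                      # separator dashes and blank lines are framing
        if m := LISTEN_RE.match(line):
            port = int(m.group(1))
        elif m := CONNECT_RE.match(line):
            current = Hit(port, m.group(1), int(m.group(2)))
            hits.append(current)
        elif (m := STAMP_RE.match(line)) and current:
            current.stamp = m.group(1)
            current = None
        elif current:
            current.lines.append(line)
    return hits


def _pairs(h: Hit):
    """Successive telnet input lines taken as (user, password) tuples."""
    return [(h.lines[i], h.lines[i + 1]) for i in range(0, len(h.lines) - 1, 2)]


def telnet_credentials(hits):
    """Counter of (user, password) tried on port 23, plus any odd trailing line,
    i.e. what the client sent after it thought the login had succeeded ('sh')."""
    telnet = [h for h in hits if h.port == 23]
    pairs = Counter(p for h in telnet for p in _pairs(h))
    leftovers = [(h.src_ip, h.lines[-1]) for h in telnet if len(h.lines) % 2]
    return pairs, leftovers


# Constructed watchlist: root/dreambox is the set-top-box default the post names;
# admin/admin and root/root are generic factory defaults assumed here for illustration.
DEFAULT_CREDS = {("root", "dreambox"), ("admin", "admin"), ("root", "root")}


def default_cred_hits(hits):
    """(src_ip, pair) for every watchlisted factory credential tried on telnet."""
    return [(h.src_ip, p) for h in hits if h.port == 23
            for p in _pairs(h) if p in DEFAULT_CREDS]


def http_requests(hits):
    """(port, src_ip, method, target, user_agent) for hits whose first line is an
    HTTP request line; binary probes and telnet logins are skipped."""
    out = []
    for h in hits:
        m = REQUEST_RE.match(h.lines[0]) if h.lines else None
        if not m:
            continue
        headers = {}
        for hdr in h.lines[1:]:
            name, sep, value = hdr.partition(":")
            if sep:
                headers[name.strip().lower()] = value.strip()
        out.append((h.port, h.src_ip, m.group(1), m.group(2), headers.get("user-agent", "")))
    return out


# Constructed sample modelled on the post's logs, with the blank line the script writes.
SAMPLE_LOG = """\
----------------------------------------
listening on [any] 23 ...
connect to [192.168.1.107] from (UNKNOWN) [190.128.5.98] 41513
admin
admin
sh

Attempted on: Wed Jul 03 06:42:25 AM
----------------------------------------
listening on [any] 23 ...
connect to [192.168.1.107] from (UNKNOWN) [175.205.156.30] 4865
root
dreambox

Attempted on: Mon Jul 08 06:32:00 AM
----------------------------------------
listening on [any] 80 ...
connect to [192.168.1.107] from (UNKNOWN) [115.238.185.136] 33119
GET /pma/scripts/setup.php HTTP/1.1
User-Agent: ZmEu
Host:

Attempted on: Mon Jul 08 08:45:15 AM
----------------------------------------
listening on [any] 8080 ...
connect to [192.168.1.107] from (UNKNOWN) [183.60.48.25] 50230
CONNECT tcpconn2.tencent.com:443 HTTP/1.1
Host: tcpconn2.tencent.com:443

Attempted on: Tue Jul 02 10:42:33 AM
"""
```

To run it against a real trap log, pass the file contents to `parse_log` (e.g. `parse_log(open('/root/banners/23.log').read())`) and feed the result to the three summary functions. Records are keyed on the "connect to" line rather than the dashes because the script's output, as the post's telnet log shows, can contain an entry with no separator or "listening on" line in front of it.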