All of this assumes you're not running on a home network. If you are running on a home network, then you probably will want to set up your router to forward those ports to your host machine, or set up the VMware comp as part of your home network, but that might be dangerous if your network boxes are not 100% secure. Be sure to set up some outgoing port restrictions on the honeypot.
Set up a DMZ.
Change the domain/workgroup name of the parent PC, different from the rest of your network; and since you got rid of the MS client/file printing, you can't access any network resources, granted they're all the same workgroup/domain (even if you had left the client/ms-f$p installed).
Set up a firewall on the parent as well.
Don't forget to forward both TCP/UDP ports. And make your VMware PC IP 10.10.10.10/etc.
Now, this is where I ran into a problem.
I have the TCP:135 port open, STILL! I did everything on that first page, but it's not working..
Any ideas? Forwarded ports: TCP:135;137;80;3127;3138;44334;21;445;4899;6129;81;443 UDP:445;443344 Missing any? ---- Answered my own question at: http://security.symantec.com/sscv6/sc_scan.asp
Jeeve5
Jan 29 2004, 09:59 AM
A good idea is trying to hack your own honeypot to see if it's set up right. That is the best way to check. Just get X-Scan or any other lame scanning tool and see if you can get in.
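The two posts above amount to one check: write down the ports you forwarded to the honeypot, then probe the honeypot from outside and compare. The script below is an added example (not code from this thread or from any poster) that does exactly that: it parses a port list written the way the original poster wrote it (`TCP:135;137;... UDP:445;...`), attempts a TCP connect to each TCP port, and reports which expected ports did not answer, which is the poster's "135 still not open" situation. Function names, the constructed port list in the demo, and the local listener that stands in for a honeypot service are all assumptions for the example; point `probe_tcp()` at the honeypot's real address to use it for the self-scan the second post recommends. UDP ports are parsed but not probed, because a bare connect cannot confirm a UDP port is open.

```python
"""Verify which forwarded TCP ports actually reach a honeypot (added example)."""
import socket
from typing import Dict, List


def parse_port_spec(spec: str) -> Dict[str, List[int]]:
    """Turn 'TCP:135;137;80 UDP:445;443344' into {'TCP': [135, 137, 80], 'UDP': [445]}.

    Entries outside 1..65535 (such as the 443344 typo in the post) and
    duplicates are dropped so the list can be compared against a probe result.
    """
    parsed: Dict[str, List[int]] = {}
    for token in spec.split():
        proto, _, ports = token.partition(":")
        bucket = parsed.setdefault(proto.upper(), [])
        for item in ports.split(";"):
            item = item.strip()
            if item.isdigit() and 1 <= int(item) <= 65535 and int(item) not in bucket:
                bucket.append(int(item))
    return parsed


def probe_tcp(host: str, ports: List[int], timeout: float = 1.0) -> Dict[int, bool]:
    """Attempt a TCP connect to each port; True means the handshake completed.

    A completed handshake is what an outside scanner sees, so this is the same
    view a self-scan of the honeypot would get.
    """
    status: Dict[int, bool] = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                status[port] = True
            except OSError:  # refused, filtered (timeout) or unreachable
                status[port] = False
    return status


def forwarding_gaps(expected: List[int], observed: Dict[int, bool]) -> List[int]:
    """Ports you meant to forward that did not answer (the 'still not open' case)."""
    return [p for p in expected if not observed.get(p, False)]


def start_listener(host: str = "127.0.0.1", port: int = 0) -> socket.socket:
    """Open a listening socket (port 0 = any free port) standing in for a honeypot service.

    The kernel completes the TCP handshake for a listening socket even if nothing
    calls accept(), so this is enough for probe_tcp() to report the port open.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, port))
    srv.listen(5)
    return srv


def free_port(host: str = "127.0.0.1") -> int:
    """Find a port that is currently closed, to show how an un-forwarded port reports."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Constructed demo against the local machine: one "honeypot" service listening
    # and one port deliberately closed, so both outcomes of the check are visible.
    honeypot = start_listener()
    open_port = honeypot.getsockname()[1]
    closed_port = free_port()
    spec = parse_port_spec("TCP:%d;%d UDP:445;443344" % (open_port, closed_port))
    result = probe_tcp("127.0.0.1", spec["TCP"])
    for port, is_open in result.items():
        print("tcp/%d: %s" % (port, "open" if is_open else "closed/filtered"))
    print("expected but not reachable:", forwarding_gaps(spec["TCP"], result))
    honeypot.close()
```

Run it from a machine on the outside of the router (not from the honeypot host itself), with the honeypot's public address in place of `127.0.0.1` and the real forwarded list in place of the constructed one; a port that shows up in `forwarding_gaps()` is either not forwarded, blocked by the parent firewall, or has nothing listening on the guest.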
MrRobot
Jan 30 2004, 02:13 PM
Well, after reading up on VMware and its connection schemes, a bridged connection is the safest, in my case, running behind a router with a cable connection. So the VMware host has its own IP, assigned from the router, instead of using the host IP. So this host PC can't be hit at all, just the guest OS can be :touched:
sybexs
Jan 30 2004, 05:16 PM
Yeah, but by you disabling all your ports on the host machine, and if you're running a firewall on the host and just allow traffic on the ports you closed, the host machine will be fine. The host machine will just act as a router and deflect the attacks and scans to the VM host.
boorob
Jan 30 2004, 07:44 PM
I got 2000+
peter_BB
Jan 31 2004, 10:47 AM
Well, what can I say, very nice post dude, was interesting to read.
oYost
Jan 31 2004, 01:32 PM
Hehe, I don't understand why keep 3000 bots ^^, it's dangerous and not very useful, but I know a channel on which the owner gives ranges to scan to his bots with IRC commands (as the admin says). Do you know what this bot is?
Sorry for my verrrry bad English
ara2
Jan 31 2004, 02:26 PM
QUOTE
know a channel on which the owner gives ranges to scan to his bots with IRC commands (as the admin says). Do you know what this bot is?
The most used drone bots are SDBots AFAIK. There's also a lot of mIRC-based bots, which are always funny because you can read the source.
QUOTE
I got 2000+
DDoS bots? If you do deal with those things, the only advice I can give you is to keep it on the down low.
QUOTE
More tools, though, should have been used for better results.
Any suggestions?
oYost
Jan 31 2004, 02:35 PM
SDBot can scan ranges if you ask him? I think about a bot which is an IPC scanner
ara2
Jan 31 2004, 02:49 PM
The default SDBot doesn't scan, but there's a lot of modules for SDBot...
oYost
Jan 31 2004, 02:54 PM
The problem is that SDBot is detected by AV :/, I think there is another made specially for IPC scan? Isn't it?
agentmimi
Jan 31 2004, 07:39 PM
There is a new type of SDBot which has a DCOM scanner in it, but I think it is still private right now..
Probably borrowed the idea from Agobot...
Agobot has DCOM, NetBIOS, WebDAV, workstation scanners...
xzibit
Jan 31 2004, 11:30 PM
Agobot was a good bot, I was on the dev team, known as [X]ziBiT... too bad Ago quit the project ;/
extreme
Mar 8 2004, 10:03 PM
When I go to VMware.com I see various VM programs listed for download.. Which one should I download for this honeypot setup purpose?
Frenkovic
Mar 9 2004, 01:35 AM
Didn't know that!
Thanks for the post
FakoLy
Mar 9 2004, 11:20 AM
Yep, interesting post, I was wondering that you get scanned within 5 hours ^^ Thanks for this little thread, I read this with pleasure ++
toost
Mar 9 2004, 12:04 PM
Wow, nicely written report man. Love to read this kind of setups.
Killaloop
Mar 9 2004, 12:25 PM
Very nice article. It looks like this guy was really stupid. He even used his own webspace to send his hacktools to the bots.... "http://www3.sympatico.ca/p_o_grom/ is a French website with different hacking tools and links o_O gets interesting"
Nice link ^^ We'll see what happens to stupid script kids who use code of other people not knowing what they do. This script kid is out of order, I guess.
Silent Bob
Mar 9 2004, 03:38 PM
lmao this guy is in deep shit...
When you go to "hxtp://www3.sympatico.ca/p_o_grom"
it redirects you to htxp://www.cybercrime.gov/
if I'm right?
phaeton
Mar 9 2004, 08:11 PM
I think he may have done that himself. AFAIK the FBI has no jurisdiction in Canada.
extreme
Mar 14 2004, 09:30 PM
What tool do you use, and how do you get on what mIRC channel the bot is connecting to? Keys and all...
m1k3
Mar 14 2004, 09:49 PM
QUOTE
I used to be extremely active and the most I ever personally saw was still under 30K. I find this 300,000 number very hard to believe, because RMs will buy bots and cards at a buck per. And if so, this guy would have cashed in long, long before. But you have to know how to find them, so maybe this guy is only using them for filesharing bots on IRC.
I've seen 100,000. And um, people pay for bots? What? lol? $1 each hmmm
mike
Mar 15 2004, 02:58 AM
God damn script kiddies suck. Anyone who is in a .edu gets rooted within a day at most. Script kiddies should die for consuming so much bandwidth for their "warez" activities.
=k3Rn=
Mar 15 2004, 10:35 AM
QUOTE
anyone who is in a .edu gets rooted within a day at most
What do you mean by that?
FuzZyBeeR
Mar 15 2004, 10:38 AM
This is very interesting. Thanks!
cougar
Mar 15 2004, 12:27 PM
Great article
Steffan
Mar 15 2004, 01:19 PM
Nice read!!
Which honeypot did you use???
Thx. Steven...
JohnAcres
Mar 20 2004, 09:05 PM
Haha, I liked that conclusion in the end... pretty crazy that you were scanned in 5 hours... also 5 edus joining while you were there seems like the guy's got his stuff organized and spreading pretty far.
xzibit
Mar 21 2004, 03:28 AM
QUOTE (=k3Rn= @ Mar 15 2004, 10:35 AM)
QUOTE
anyone who is in a .edu gets rooted within a day at most
What do you mean by that?
Edus are pretty sought after..... so many vulnerable hosts on fat pipes ;x
A2
Mar 21 2004, 06:18 PM
QUOTE (m1k3 @ Mar 14 2004, 09:49 PM)
I've seen 100,000. And um, people pay for bots? What? lol? $1 each hmmm
Yes, people pay good money for bots. Where do you think spam comes from?
aapje
Mar 21 2004, 06:32 PM
Hi, I left a computer open and I noticed this port was open:
5000 UPnP / filmaker.com / Socket de Troie (Windows Trojan)
What is it?
usch
Mar 21 2004, 07:01 PM
As already explained there, it is a trojan horse. Get fport to see which process opens that port, then kill it and delete it.
Regards
extreme
Mar 21 2004, 07:30 PM
lol, bots are not used for spamming.. Code would be too annoying to make.. Because you would have to synchronise all your bots with one mailing list, and that is not an easy job.. So I don't think bots are used for that. And I know what RM, as someone here calls it, is using large botnets for, and I can tell you, it is not for spamming. And warez guys buy bots for $500 per 10k bots.. That is checked information... @aapje It is not a trojan you have.. It is just the UnPlugAndPlay service most WinXP computers have turned on by default... You are safe.. If you want to, you can disable it in Services.
tweakz20
Mar 21 2004, 09:48 PM
$500!!??... whooaa... I think I'm gonna change my career path...
That was a very smart admin, very very interesting test.... I wish it would have been a more elite hacker and maybe from this board.. lol... it would have made an even better story.
ILX
Mar 21 2004, 11:44 PM
Who pays for bots? I'm gonna quit my job
xzibit
Mar 22 2004, 02:16 AM
I've had people offer me $10 each for edu bots. I did not accept his offer... seems too risky to me
guy12
Mar 22 2004, 06:07 PM
Is EDU a school server??? Or what??
xzibit
Mar 22 2004, 09:05 PM
QUOTE (guy12 @ Mar 22 2004, 06:07 PM)
Is EDU a school server??? Or what??
Yes, in a manner of speaking... more like a network at a college. They usually have high bandwidth connections because of all the users they have to support.
Bubbalo
Mar 27 2004, 05:03 AM
Everyone now wants edus in Europe, mostly in Sweden, because they supposedly all have 100mbit connections.
guy12
Mar 27 2004, 12:40 PM
I'm living in Germany.
And in my university there is no way to hack remotely because there are only SSH and web services online, and the students who have unpatched Win boxes are behind proxies.....
So I wonder how it is possible to "own" so many edu hosts....
Please give me a hint
Milka
Mar 27 2004, 03:49 PM
Very very very nice read indeed
Love these stories
Well done
-Arthy-
Mar 31 2004, 04:28 PM
Wow, excellent read! I get excited by reading this