
Thread: cmd.exe LOL

  1. #1
    Senior Member
    Join Date
    Jul 2001
    Posts
    461

    cmd.exe LOL

    Was looking over our firewall logs today, and on a whim I decided to filter them for cmd.exe and get a rough idea how widespread Code Red / Nimda still are...

    We are still seeing 500 plus hits a day with cmd.exe to our webservers from 15 to 20 unique IP addresses.
    Only a few of those addresses show up on multiple days...

    Thought someone might find this interesting.

    IchNiSan
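
The kind of filtering described in the post above, as an added example that is not part of the original thread: it counts cmd.exe requests per day, the unique source addresses per day, and the addresses seen on more than one day. The log format (Apache common log format), the sample lines and the function names are assumptions; the post does not say what format the firewall logs use.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample lines (documentation IP ranges, made-up dates).
SAMPLE_LOG = """\
192.0.2.10 - - [03/Sep/2002:01:12:44 +0000] "GET /scripts/cmd.exe?/c+dir HTTP/1.0" 404 -
198.51.100.7 - - [03/Sep/2002:09:30:02 +0000] "GET /c/winnt/system32/CMD.EXE?/c+dir HTTP/1.0" 404 -
203.0.113.5 - - [03/Sep/2002:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 1043
192.0.2.10 - - [04/Sep/2002:02:00:10 +0000] "GET /scripts/cmd%2Eexe?/c+dir HTTP/1.0" 404 -
203.0.113.99 - - [04/Sep/2002:03:15:00 +0000] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
"""

# Captures: source IP, date (dd/Mon/yyyy), requested URL.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[(\d{2}/\w{3}/\d{4}):[^\]]+\] "\S+ (\S+)')

def decode_fully(url, rounds=3):
    """Percent-decode repeatedly so encoded spellings of cmd.exe still match."""
    for _ in range(rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url

def summarize(log_text):
    """Return (hits per day, unique IPs per day, IPs seen on multiple days)."""
    hits = defaultdict(int)
    ips_by_day = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        ip, day, url = m.groups()
        if "cmd.exe" in decode_fully(url).lower():
            hits[day] += 1
            ips_by_day[day].add(ip)
    days_seen = defaultdict(set)
    for day, ips in ips_by_day.items():
        for ip in ips:
            days_seen[ip].add(day)
    repeat = sorted(ip for ip, days in days_seen.items() if len(days) > 1)
    return dict(hits), {d: sorted(s) for d, s in ips_by_day.items()}, repeat

if __name__ == "__main__":
    hits, uniques, repeat = summarize(SAMPLE_LOG)
    for day in hits:
        print(day, hits[day], "hits from", len(uniques[day]), "unique IPs")
    print("seen on multiple days:", repeat)
```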

  2. #2
    Priapistic Monk KorpDeath's Avatar
    Join Date
    Dec 2001
    Posts
    2,628
    You should run a tarpit or honeynet. It actually reduces the bandwidth caused by worm infestations by up to 80%. It's actually really simple to set up and administer. You can also set up a web page and post your "guests" there. I like that part.
    Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
    - Samuel Johnson

  3. #3
    Senior Member
    Join Date
    Dec 2001
    Posts
    1,193
    Well most days I see mstream master and tcp overlap besides all the rest. Actually some moron is running qmail .....

    Trappedagainbyperfectlogic.

  4. #4
    Leftie Linux Lover the_JinX's Avatar
    Join Date
    Nov 2001
    Location
    Beverwijk Netherlands
    Posts
    2,534
    KorpDeath is right...

    I don't know if this was already posted once...

    http://www.hackbusters.net/ is the homepage of Labrea (tarpit)

    see their logs for yourself... http://www.hackbusters.net/cgi-bin/guests_pt1
    and their viplist http://www.hackbusters.net/cgi-bin/guests_pt2

    the program they offer runs on *nix and winnt...
    ASCII stupid question, get a stupid ANSI.
    When in Russia, pet a PETSCII.

    Get your ass over to SLAYRadio the best station for C64 Remixes !

  5. #5
    Priapistic Monk KorpDeath's Avatar
    Join Date
    Dec 2001
    Posts
    2,628
    Originally posted by the_JinX
    KorpDeath is right...

    I don't know if this was already posted once...

    http://www.hackbusters.net/ is the homepage of Labrea (tarpit)

    see their logs for yourself... http://www.hackbusters.net/cgi-bin/guests_pt1
    and their viplist http://www.hackbusters.net/cgi-bin/guests_pt2

    the program they offer runs on *nix and winnt...
    Just to add to the_JinX's comments. It's the best tarpit program I've tested. I could only find two other products and they aren't worth mentioning.

    It's great for the enterprise to run a tarpit because it also identifies mis-configured services when it tarpits the connection. We found some mis-configured Vital Agents the first hour we ran the 'crapper' (the name of the tarpit box).

    So now we just tell people they are in the crapper if they get tarpitted..
    Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
    - Samuel Johnson

  6. #6
    Senior Member
    Join Date
    Jul 2001
    Posts
    461
    I'll have to try that tarpit out.

    I saw it a while back, and actually checked it out on their site, but I just didn't have a chance to do anything about it.

    thanks,

    Ich

  7. #7
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    IchNiSan, did you check any of the IPs out to see if they were web sites, or just the result of IIS being turned on by default on win2k computers?
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
