As far as I know, they are not trying to download your cmd.exe, but rather trying to exploit an unpatched IIS to *run* cmd.exe and give them a shell; I don't know what they'd do if you actually returned some file.exe, but it is an interesting idea. It is likely not the response they are hoping for, though, so I think it would not qualify as a tarpit/honeypot/etc., which I find more interesting. For instance, you could stage up some vanilla win2k system -- maybe if you had what looked like installers for expensive programs lying around on it (but were actually one terabyte of 1's, self-extracting) then your plan could work. I would want any trojan .exe to collect some info about where it is running, and maybe try to send out the info to a centralized source.
Fun ideas, however. As far as your logs "filling up with junk", I think that is pretty darn important to log, and you might want to consider either turning off httpd, or else adding some firewall rules to deny most connections if this is a problem for you = ) For instance, I run snort in addition, so for every one of these IIS exploit-attempts, I see the apache log as well as the snort alert log. Handy, IMHO.

Regards,
Ben

On Fri, 21 Nov 2003 00:34:48 -0500 Linux Rocks ! <[EMAIL PROTECTED]> wrote:
| ....
| you can run host or dig on the IP if you're
| ohh.. I'm pretty sure they are users from the same ISP.
| .....
|
| hmmm... interesting.. I like this idea... might be fun :) it got me
| thinking of what to send them... I was thinking a file full of 1's in
| a self extracting exe would be fun. If their program executes this
| file to test it, what might happen if it extracts a file of ohh say a
| few terabytes of 1's ? how small will a compressed file of 1's be ?
|
| I suppose I could be really malicious and send them a trojan...
|
| or possibly there's something even more horrific that others might
| suggest?

_______________________________________________
EuG-LUG mailing list [EMAIL PROTECTED] http://mailman.efn.org/cgi-bin/listinfo/eug-lug
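The Apache-log side of what Ben describes (picking the IIS cmd.exe probes out of the access log and tallying them per source so a firewall rule can be considered), as an added Python example that is not part of the original thread. The sample log lines, the IP addresses and the `block_rules` helper are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Apache "combined"/"common" access-log line (request-line fields only).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: two hosts probing for cmd.exe, one legitimate visitor.
SAMPLE_LOG = """\
192.0.2.10 - - [21/Nov/2003:00:12:01 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 293
192.0.2.10 - - [21/Nov/2003:00:12:02 -0500] "GET /_vti_bin/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 293
198.51.100.7 - - [21/Nov/2003:00:15:44 -0500] "GET /index.html HTTP/1.1" 200 1043
198.51.100.7 - - [21/Nov/2003:00:15:45 -0500] "GET /images/logo.png HTTP/1.1" 200 5120
203.0.113.5 - - [21/Nov/2003:00:20:10 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 293
"""


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not an access-log line."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_iis_probe(path):
    """True when the request path looks like an IIS cmd.exe / traversal probe.

    The path is URL-decoded twice so double-encoded separators (%255c -> %5c -> \\)
    are seen; backslashes are normalised to "/" before matching."""
    decoded = unquote(unquote(path)).replace("\\", "/").lower()
    return "cmd.exe" in decoded or "/../" in decoded


def probe_sources(log_text):
    """Map each source IP to the number of probe-looking requests it sent."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_iis_probe(rec["path"]):
            hits[rec["ip"]] += 1
    return dict(hits)


def block_rules(hits, threshold=2):
    """Hypothetical helper: iptables lines for sources at or above the threshold."""
    return [f"iptables -A INPUT -s {ip} -p tcp --dport 80 -j DROP"
            for ip, n in sorted(hits.items()) if n >= threshold]


if __name__ == "__main__":
    counts = probe_sources(SAMPLE_LOG)
    print(counts)
    print("\n".join(block_rules(counts)))
```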
