This page lists attacks trapped with honeytrap. Some of the data has been sanitized. Most of the files contain malicious code; if you download and analyze them, be careful!
| Date | File | Port | Description |
|---|---|---|---|
| 2007-02-19 | xmldb_ftp_bo | 2100/tcp | Exploitation attempt of a buffer overflow in XDB FTP UNLOCK command in Oracle 9i. |
| 2007-01-30 | ssl_too_open | 443/tcp | OpenSSL still too open. |
| 2006-12-29 | sql_slammer | 1434/udp | SQL Slammer infection attempt (exploited vulnerability described in CERT advisory CA-2003-04). |
| 2006-12-28 | opaserv_w | 139/tcp | Another variant of the Opasoft worm that spreads via open network shares on Windows machines. |
| 2006-12-12 | opasoft_infect | 139/tcp | A sample of the Opasoft.D worm that exploits weak share-level passwords in old Windows flavors. |
| 2006-12-07 | big_yellow | 2967/tcp | Big Yellow worm exploiting a remote stack overflow in Symantec Remote Management. |
| 2006-11-29 | msgr_spam | 1026/udp | Windows Messenger spam message that tries to trick you into installing an "update". |
| 2006-11-21 | weird_backdoor | 17300/tcp | An IRC bot spreading via a backdoor left behind by a virus from 2001 called Win32.Weird. |
| 2006-11-13 | pnp_exp | 5000/tcp | Exploit for the Microsoft Plug and Play vulnerability (see MS05-039). |
| 2006-11-10 | msdtc_exp | 1025/tcp | Shellcode for the remote code execution vulnerability in the MSDTC (MS05-051). |
| 2006-11-08 | dameware_bo | 6129/tcp | Three-year-old stack overflow exploit for a DameWare vulnerability (see this posting). |
| 2006-10-22 | optix_backdoor | 3410/tcp | Attempt to log into a backdoor in the Optix trojan using a built-in leaked master password. |
| 2006-10-08 | grims_ping | 21/tcp | Output from a tool called Grim's Ping that scans for anonymous ftp servers. |
| 2006-10-01 | mydoom_hunter | 3127/tcp | MyDoom Hunter still spreading! (Info in the W32.Doomhunter description.) |
| 2006-09-09 | phpmy_worm | 80/tcp | A malware spreading via phpMyAdmin by inserting the binary executable into the database. |
| 2006-09-01 | dipnet_scan | 15118/tcp | Dipnet scan for already infected hosts (details can be found in the analysis by LURHQ). |
| 2006-08-28 | vbs_dload | 4444/tcp | VBS script to download and run a bot executable echoed on a backdoor shell. |
| 2006-08-17 | me_imapd_bo | 143/tcp | Buffer overflow exploit against the LOGIN command in MailEnable Imapd (reported here in 2005). |
| 2006-08-12 | veritas_exp | 6101/tcp | Buffer overflow exploit against Veritas Backup Agent Browser (exploit by Hat-Squad). |
| 2006-08-10 | dirtr_cmd | 80/tcp | A directory traversal cmd.exe access successfully mirrored back to the miscreant. |
| 2006-06-30 | arcserve_bo | 41523/tcp | Exploit for one of those buffer overflow vulnerabilities in BrightStor ARCserve Backup. |
| 2006-05-27 | lsass_exp | 445/tcp | Buffer overflow exploit against Microsoft LSASS (see Microsoft Security Bulletin MS04-011). |
| 2006-05-23 | pop3_bo | 110/tcp | Buffer overflow exploit attacking the POP3 APOP command (could be CVE-2000-0840). |
| 2006-05-23 | mw_ftp_bo | 1023/tcp | Buffer overflow attack against the FTP PORT command, most likely aimed at the FTP servers built into malware. |
| 2006-04-20 | mysql_worm | 3306/tcp | Worm-like MySQL exploit that brute-forces the root password and then installs and runs itself. |
| 2006-04-15 | xmlrpc_exp | 80/tcp | Exploit against PHP XMLRPC (see CVE-2005-1921) that installs and runs a file. |
| 2006-03-25 | ascii2pe | 46695/tcp | Batch script that creates a valid PE executable by printing base64-like strings into a file. |
| 2006-02-07 | asn1_exp | 139/tcp | Remote root exploit for a buffer overflow in NetBIOS NTLMSSP (MS04-077). |
| 2005-10-29 | cpanel_rstpass | 2082/tcp | Malware download attempt via the cPanel password reset weakness (OSVDB ID 4205). |
| 2005-09-06 | distcc_exp | 3632/tcp | DistCC daemon remote exploit that opens a reverse shell (using this Metasploit exploit). |