Onhacks.org
In "Who is invading my system?" (http://www.bkjia.com/Article/200907/40201.html) I mentioned using Nmap service analysis to make some interesting discoveries. The results are as follows:
This is the scan without service analysis (sanitized):
# Nmap 4.90RC1 scan initiated Sat Jul 11 00:39:13 2009 as: nmap -oN result.sS.txt -v -sS <XXXXXX>
Host <xxxxxx> (aaa.bbb.ccc.ddd) is up (0.092s latency).
Interesting ports on <xxxxxx> (aaa.bbb.ccc.ddd):
Not shown: 550 filtered ports, 434 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
25/tcp   open  smtp
110/tcp  open  pop3
139/tcp  open  netbios-ssn
143/tcp  open  imap
443/tcp  open  https
465/tcp  open  smtps
993/tcp  open  imaps
995/tcp  open  pop3s
1023/tcp open  netvenuechat
1025/tcp open  NFS-or-IIS
2103/tcp open  zephyr-clt
2105/tcp open  eklogin
2107/tcp open  unknown
3372/tcp open  msdtc
Read data files from: /usr/local/share/nmap
# Nmap done at Sat Jul 11 00:41:08 2009 -- 1 IP address (1 host up) scanned in 114.52 seconds
With service analysis enabled, the same host looks like this:
# Nmap 4.90RC1 scan initiated Sat Jul 11 00:43:00 2009 as: nmap -oN result.sS.O.sV.txt -O -sV -v -sS <xxxxxx>
Increasing send delay for aaa.bbb.ccc.ddd from 0 to 5 due to 24 out of 79 dropped probes since last increase.
Initiating OS detection (try #1) against <xxxxxx> (aaa.bbb.ccc.ddd)
Retrying OS detection (try #2) against <xxxxxx> (aaa.bbb.ccc.ddd)
Host <xxxxxx> (aaa.bbb.ccc.ddd) is up (0.091s latency).
Interesting ports on <xxxxxx> (aaa.bbb.ccc.ddd):
Not shown: 550 filtered ports, 434 closed ports
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           Nepenthes HoneyTrap fake vulnerable ftpd
22/tcp   open  ssh           OpenSSH 5.1p1 Debian 5ubuntu1 (protocol 2.0)
25/tcp   open  smtp?
110/tcp  open  pop3?
139/tcp  open  netbios-ssn?
143/tcp  open  imap?
443/tcp  open  ssh           OpenSSH 5.1p1 Debian 5ubuntu1 (protocol 2.0)
465/tcp  open  smtps?
993/tcp  open  imaps?
995/tcp  open  pop3s?
1023/tcp open  netvenuechat?
1025/tcp open  NFS-or-IIS?
2103/tcp open  zephyr-clt?
2105/tcp open  eklogin?
2107/tcp open  unknown
3372/tcp open  msdtc?
4 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at http://www.insecure.org/cgi-bin/servicefp-submit.cgi:
...
...
Read data files from: /usr/local/share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit.
# Nmap done at Sat Jul 11 00:48:38 2009 -- 1 IP address (1 host up) scanned in 338.94 seconds
Nmap service analysis (-sV) probes each open port and tries to identify the service and version behind it. It appends a question mark to a service when the port answered but the response matched no known signature. A low-interaction honeypot only emulates part of a real service, so the parts it does not emulate produce responses Nmap has never seen and flags as unrecognized, which a genuine service obviously would not do. That is why most of the services above come back half-real, half-fake (and the ftp banner even names Nepenthes outright). If you see analysis like this, you can be fairly confident the host is fake, quite possibly a honeypot. This is of course only one method; you can think of others.
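As an added example (not part of the original article), the following Python script applies the check described above to nmap -oN output: it counts services Nmap tagged with a trailing question mark or "unknown" and looks for honeypot names leaked in version banners. The sample scan is an excerpt of the output quoted above and the marker list is an assumption; a honeypot operator can run it over their own -sV results to see how conspicuous the deployment looks.

```python
import re

# Matches one port line of nmap normal output (-oN), as quoted on this page.
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.+?))?\s*$"
)

# Banner fragments a low-interaction honeypot may leak. "nepenthes" and "honeytrap"
# come from the 21/tcp line above; the list is an assumption and not complete.
HONEYPOT_MARKERS = ("nepenthes", "honeytrap", "honeypot", "fake")

# Constructed sample: an excerpt of the -sV scan shown above.
SAMPLE_SV_SCAN = """\
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           Nepenthes HoneyTrap fake vulnerable ftpd
22/tcp   open  ssh           OpenSSH 5.1p1 Debian 5ubuntu1 (protocol 2.0)
25/tcp   open  smtp?
110/tcp  open  pop3?
443/tcp  open  ssh           OpenSSH 5.1p1 Debian 5ubuntu1 (protocol 2.0)
993/tcp  open  imaps?
2107/tcp open  unknown
3372/tcp open  msdtc?
"""

def parse_open_ports(text):
    """Return (port, service, version) tuples for every open port line."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m and m.group("state") == "open":
            ports.append((int(m.group("port")), m.group("service"), m.group("version") or ""))
    return ports

def assess(text, threshold=0.5):
    """Score -sV output. A trailing '?' means the port answered but matched no
    signature; 'unknown' means nothing usable came back. Many of either on one
    host, or a banner that names a honeypot, point to emulated services."""
    ports = parse_open_ports(text)
    unrecognized = [p for p, s, _ in ports if s.endswith("?") or s == "unknown"]
    leaked = [(p, v) for p, _, v in ports if any(k in v.lower() for k in HONEYPOT_MARKERS)]
    ratio = len(unrecognized) / len(ports) if ports else 0.0
    return {"open": len(ports), "unrecognized": unrecognized, "ratio": ratio,
            "leaked_banners": leaked, "likely_honeypot": bool(leaked) or ratio >= threshold}

if __name__ == "__main__":
    print(assess(SAMPLE_SV_SCAN))
```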
Of course, this is not specific to Nepenthes; it works on other honeypots as well. Next time I will talk about how to detect virtual machines and honeypots, and how to handle malicious code that no longer runs on virtual machines.