>Date: 18 Jan 95 13:51:12 GMT
>From: Marc Samama <marc @
>Message-Id: <9501180451 .
>To: firewalls @
>Subject: dummy server
>With this current discussion on firewall logs going on, I was wondering if
>some people were willing to release examples of dummy servers, or packet
>suckers they'd be using on their firewall (anonymous posting is welcome
>for those who are paranoid about revealing their sources. :)
Here is a "tar baby" telnet session emulator that I've used when we've
suspected or seen from logs that someone has been trying to telnet into
a particular machine. It is useful for picking up accounts and passwords
that the intruder knows or thinks they know.
It doesn't actually replace in.telnetd, though it uses a modified one.
Instead it replaces the /bin/login program which would normally be invoked.
It appears just like a normal telnet server session, with a banner, prompting
for usernames and passwords (only it never lets you in, and always gives the
'Login incorrect' message).
This is fairly SunOS-specific (note that it disables normal telnet sessions!):
1. Copy /usr/etc/in.telnetd to another location (i.e.
/local/etc/in.telnetd is fine).
Use Emacs to find the occurrences of the string "/bin/login"
and replace them with the string "/local/foo" (you need to
use Emacs overwrite mode, you'll notice that the two strings
are of the same length).
2. Edit /etc/inetd.conf and change the entry for telnet to
point to the new executable (i.e. /local/etc/in.telnetd).
Send the pid for inetd a hangup signal (kill -HUP InetdPID).
3. Put the following C shell script in as the file /local/foo
(make sure to make it executable):
    #!/bin/csh -f
    # Dummy replacement for /bin/login called by telnetd.
    # N.B. C shell scripts are considered harmful.
    # H. Morrow Long
    set session = "`tty`"
    echo "$session" " : DATE : " `/bin/date` >>& /local/log
    echo "$session" " : ARGS : " $* >>& /local/log
    # telnetd invokes login as "-h remotehost -p", so the remote host is $argv[2]
    if ( $#argv >= 2 ) then
        ( finger @$argv[2] >>& /local/log.finger & ) >& /dev/null
    endif
    foreach attempt ( 1 2 3 4 5 )
        # like the real login, keep prompting until a non-empty name is entered
        set loginname = ""
        while ( "$loginname" == "" )
            echo -n 'login: '
            set loginname = "$<"
        end
        echo -n Password:
        stty -echo            # do not echo the password, as login would not
        set password = "$<"
        stty echo
        echo ' '
        echo 'Login incorrect'
        echo "$session" " : ATTEMPT #" $attempt " USER = " $loginname " PASS = " $password >>& /local/log
    end
4. Test by telnetting to the host with the modified telnet daemon:
bigbadwolf% telnet tarbaby
Trying 10.0.0.1 ...
Connected to tarbaby.
Escape character is '^]'.
SunOS UNIX (tarbaby)
5. You should be collecting account names and passwords
in the file /local/log (it should probably be made readable
only by root):
tarbaby : DATE : Wed Jan 18 10:20:41 EST 1995
tarbaby : ARGS : -h bigbadwolf -p
tarbaby : ATTEMPT # 1 USER = blah PASS = halB
tarbaby : ATTEMPT # 2 USER = remus PASS = uncle
tarbaby : ATTEMPT # 3 USER = yuck PASS = kcuY
tarbaby : ATTEMPT # 4 USER = me PASS = iMiM
tarbaby : ATTEMPT # 5 USER = root PASS = TooR
If your machine is able to finger the intruder's machine you may also
find useful information in /local/log.finger (then again you may not).
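As an added example, not part of the original post: a small Python reader for the /local/log format the script above writes, which groups the lines into sessions and builds a per-session summary (source host, time, accounts tried) without the passwords. It assumes, as the post's ARGS line shows, that telnetd invokes login with "-h remotehost -p"; the sample log is the post's own, embedded here as constructed input.

```python
import re

# Constructed sample: the log lines quoted in the post, as the /local/foo script writes them.
SAMPLE_LOG = """\
tarbaby : DATE : Wed Jan 18 10:20:41 EST 1995
tarbaby : ARGS : -h bigbadwolf -p
tarbaby : ATTEMPT # 1 USER = blah PASS = halB
tarbaby : ATTEMPT # 2 USER = remus PASS = uncle
tarbaby : ATTEMPT # 3 USER = yuck PASS = kcuY
tarbaby : ATTEMPT # 4 USER = me PASS = iMiM
tarbaby : ATTEMPT # 5 USER = root PASS = TooR
"""

# Whitespace-tolerant, since csh echo with separate arguments pads the separators.
DATE_RE = re.compile(r"^(\S+)\s+:\s+DATE\s+:\s+(.+?)\s*$")
ARGS_RE = re.compile(r"^(\S+)\s+:\s+ARGS\s+:\s*(.*?)\s*$")
ATTEMPT_RE = re.compile(r"^(\S+)\s+:\s+ATTEMPT\s+#\s*(\d+)\s+USER\s+=\s+(\S*)\s+PASS\s+=\s*(.*?)\s*$")

def parse_tarbaby_log(text):
    """Group log lines into sessions; each DATE line starts a new one."""
    sessions = []
    for line in text.splitlines():
        m = DATE_RE.match(line)
        if m:
            sessions.append({"label": m[1], "date": m[2], "source": "", "attempts": []})
            continue
        if not sessions:
            continue  # an ARGS/ATTEMPT line with no preceding DATE line: skip it
        m = ARGS_RE.match(line)
        if m:
            # telnetd runs login as "-h <remote host> -p"; the word after -h is the source
            argv = m[2].split()
            if "-h" in argv and argv.index("-h") + 1 < len(argv):
                sessions[-1]["source"] = argv[argv.index("-h") + 1]
            continue
        m = ATTEMPT_RE.match(line)
        if m:
            sessions[-1]["attempts"].append((int(m[2]), m[3], m[4]))
    return sessions

def summarize(sessions):
    """Per-session report for the defender: source host, time, accounts tried (no passwords)."""
    report = []
    for s in sessions:
        users = [user for _, user, _ in s["attempts"]]
        report.append({"source": s["source"], "date": s["date"], "attempts": len(users),
                       "users": users, "tried_root": "root" in users})
    return report
```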