Security Basics mailing list archives
Re: Hackers in the House
From: intel96 <intel96 () bellsouth net>
Date: Fri, 22 Sep 2006 12:17:49 -0400
Ryan,

You missed all the steps prior to this one:

Step 1 - Our attacker begins his activities by opening up a command shell.

Here are some gaps in your write-up:

Was the honeypot a Windows 2000 web server?
What port did the attacker target? (I am thinking 139/TCP or 445/TCP)
What attack vector gave the attacker admin-level access in the first place?
Why were the tftp downloads unsuccessful? Were you blocking 69/TCP at some firewall?

A diagram of your setup would also be helpful with the write-up.

Thanks,
Intel96

Mark Ryan del Moral Talabis wrote:
This is a step by step analysis of an actual "break-in" in one of our honeypots. The case exemplifies the typical hacker methodology / behaviour in the first phases of a compromise.

http://www.philippinehoneynet.org/dataarchive.php?date=2006-07-24

Regards,
Ryan
Current thread:
- Hackers in the House Mark Ryan del Moral Talabis (Sep 21)
- Re: Hackers in the House Manuel Arostegui Ramirez (Sep 21)
- Re: Hackers in the House badz (Sep 21)
- Re: Hackers in the House Alexander Bolante (Sep 21)
- RE: Hackers in the House Don Parker (Sep 22)
- Re: Hackers in the House intel96 (Sep 22)