Security Basics mailing list archives

Re: Hackers in the House


From: intel96 <intel96 () bellsouth net>
Date: Fri, 22 Sep 2006 12:17:49 -0400

Ryan,

You missed all the steps prior to this one:

Step 1 - Our attacker begins his activities by opening up a command shell.

Here are some gaps in your write-up:

Was the honeypot a Windows 2000 web server?
What port did the attacker target? (I am thinking 139/TCP or 445/TCP)
What attack vector gave the attacker admin-level access in the first place?
Why were the tftp downloads unsuccessful?  Were you blocking 69/TCP at
some firewall?
A diagram of your setup would also be helpful with the write-up.

Thanks,
Intel96

Mark Ryan del Moral Talabis wrote:
This is a step by step analysis of an actual "break-in" in one of our
honeypots. The case exemplifies the typical hacker methodology /
behaviour in the first phases of a compromise.

http://www.philippinehoneynet.org/dataarchive.php?date=2006-07-24

Regards,
Ryan


