Honeypots mailing list archives

Re: Does it really take so long to get a bite?


From: <ktimm () www2 var-log com>
Date: Sat, 7 Dec 2002 14:16:01 -0600 (CST)

Same here. I had a 6.2 box take about three weeks and then it was hit by 
slapper. On the other hand a 7.2 box went down relatively quickly and in 
one case less than 2 hours. The age of an exploit? 

Kevin 



On Sat, 7 Dec 2002, Chris Reining wrote:

On Fri, Dec 06, 2002 at 11:52:54AM -0600, marc wrote:
We set up a honeynet two weeks ago.  So that it's not too simple (didn't
want to just capture the first script kiddy), the only vulnerability on it
is an old openssh.

I had an OpenBSD 3.1 honeypot running a vulnerable version of SSH that was compromised in 2 days...

Watching the logs, the chkrootkit, the IDS, the network traffic, etc., shows
us nothing!  lots and LOTS of scans, mostly for nbname.

How long does it take to get a hit?  Previous reading and anecdotes said
that some boxes are compromised within 15 mins of being hooked up to the
network.

I had a vanilla Redhat 6.2 box that took over 3 weeks to get compromised by an autorooter. I think that the TTL of a 
honeypot depends entirely on different variables like the ISP (from what I've seen, different ISPs/netblocks get 
scanned at different frequencies) and the latest and greatest exploit that the kiddies have. For instance, after a 
major software vulnerability is discovered and an exploit released there will be a sharp increase in scanning for 
vulnerable systems which will slowly decline over time.

Chris 


