Honeypots mailing list archives
Re: Honeypot article
From: "Ing. Bernardo Lopez" <bloodk () prodigy net mx>
Date: 15 Jan 2003 11:47:07 -0600
In this section:

<snip>
Figure 9 shows us how the attacker covered his tracks after he exploited my honeypot:

useradd -b /home/local -mov -g 0 -b /home -d /home/local -g 0 -u 0 -o local

[blah blah]

Figure 9 shows us how the attacker covered his tracks after he exploited the honeypot. Lets take a look at what he did after he broke in:

# He created an local account called local;
# He created a home directory called /home/local; and,
# He set his "local" account password to xeocage123.
</snip>

The author forgot to emphasize that the account (local) has the uid & group of "root". This is very important, because "local" could sound normal... but a uid of 0 is very very... notorious.

Also, this is very interesting:

/home/local/./.cshrc
/home/local/./.login
/home/local/./.mailrc

It looks as if the hacker were hiding those files with ./... as if he were thinking "the admin was a dork or a system without admin"...

Very good doc, I really liked it!!!

PS: sorry for my improved English.

On Wed, 15-01-2003 at 11:11, Lance Spitzner wrote:
Security Focus just published a honeypot paper by Toby Miller. It details the information gathered from a specific honeypot attack. I liked this paper, as the author did not sensationalize any of the information, instead they just focus on the facts.

http://online.securityfocus.com/infocus/1656

--
Lance Spitzner
http://www.tracking-hackers.com
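The point raised in the reply above, an innocuous-looking account that carries UID 0, is something a passwd audit can flag directly. The following is an added example, not part of either post or of the referenced paper; the function names and the sample passwd lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a passwd-format file for the condition discussed above,
# i.e. an account other than "root" that has UID 0 (possible via useradd -o -u 0).

# Print "name:uid:gid:home" for every non-root account whose UID is 0.
find_uid0_accounts() {
    awk -F: '
        /^#/ || NF < 7 { next }                  # skip comments and malformed lines
        $3 ~ /^0+$/ && $1 != "root" { print $1 ":" $3 ":" $4 ":" $6 }
    ' "$1"
}

# Print "uid:name1,name2,..." for every UID shared by more than one account.
# useradd -o permits such non-unique UIDs, so any hit deserves a look.
find_shared_uids() {
    awk -F: '
        /^#/ || NF < 7 { next }
        {
            names[$3] = (names[$3] == "" ? $1 : names[$3] "," $1)
            count[$3]++
        }
        END { for (u in count) if (count[u] > 1) print u ":" names[u] }
    ' "$1" | sort
}

# Write a constructed sample passwd file and print its path.
# The "local" entry mirrors the uid/gid/home values quoted in the thread.
make_sample_passwd() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
local:x:0:0::/home/local:/bin/bash
EOF
    printf '%s\n' "$f"
}

# Audit the file named on the command line, if any (for example /etc/passwd).
if [ "$#" -gt 0 ]; then
    find_uid0_accounts "$1"
    find_shared_uids "$1"
fi
```

On the constructed sample, the first function reports only the `local` entry and the second reports that UID 0 is shared by `root` and `local`.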