Honeypots mailing list archives
Another sebek question
From: Rock Lobster <rocklobster () cheerful com>
Date: 18 Jun 2003 12:25:27 -0000
Hi folks, I set up my 1st gen2 honeypot last week. It got hacked in under 24 hrs and now I'm gleefully examining the logs! I'm not sure sebek worked as expected though? I did run a test at the honeypot console before I left it over the weekend and it seemed to work fine. But the logs I'm looking at now are telling a slightly different story?

I set up an eth1 on the honeypot for sebek transport, then set up another eth on my bridge box which I iptabled to drop everything other than udp on the relevant port. Now from looking at the logs I'm looking at these types of entries.

    1054955404:2539:0:awk:0::c:2:#
    1054955404:2539:0:awk:0::c:2:#
    1054955404:2539:0:awk:0::c:2:#
    1054955404:2539:0:awk:0::c:2: 
    1054955404:2539:0:awk:0::c:2:F
    1054955404:2539:0:awk:0::c:2:i
    1054955404:2539:0:awk:0::c:2:l
    1054955404:2539:0:awk:0::c:2:i
    1054955404:2539:0:awk:0::c:2:#
    1054955404:2539:0:awk:0::c:2:#
    1054955404:2539:0:awk:0::c:2:#
    1054955404:2539:0:awk:0::c:2: 
    1054955404:2539:0:awk:0::c:2:W
    1054955404:2539:0:awk:0::c:2:a
    1054955404:2539:0:awk:0::c:2:r
    1054955404:2539:0:awk:0::c:2:n
    1054955404:2539:0:awk:0::c:2:i
    1054955404:2539:0:awk:0::c:2:n
    1054955404:2539:0:awk:0::c:2:g

Not to mention plenty of source code (sshd patch) as well as what generally seems to be stdout output, as opposed to the keystrokes of the cracker.

Another thing that I had issues with was, whenever I loaded sebek on the honeypot and rebooted the box it wouldn't work for me (RH 7.1). I'm not sure why that was?

If anyone wants the full sebek log please do email me, it's about 400k uncompressed (of course I'll compress it for you :)

Thanks,
J.
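The records quoted in the post carry one byte each, so the first thing an analyst wants is to stitch them back into readable text per process before deciding whether they are keystrokes or program output. The script below is an added example for this thread, not code from the original post or from the Sebek project. It assumes a colon-separated layout of nine fields with the timestamp, pid and command name in the first, second and fourth positions and the data byte last; the meaning of the remaining fields is not stated in the post and is not relied on. The sample records are the ones quoted above, constructed inline so the script runs offline.

```python
"""Reassemble per-byte Sebek-style log records into readable text.

Assumed record layout (not confirmed by the post, hypothetical):
    timestamp:pid:uid:comm:field5:field6:field7:field8:data
Only the timestamp, pid, comm and the trailing data byte are used.
"""
from collections import OrderedDict

# Constructed sample: the records quoted in the post, one per entry.
# The data byte is the last field and may itself be a space.
SAMPLE_RECORDS = [
    "1054955404:2539:0:awk:0::c:2:#",
    "1054955404:2539:0:awk:0::c:2:#",
    "1054955404:2539:0:awk:0::c:2:#",
    "1054955404:2539:0:awk:0::c:2: ",
    "1054955404:2539:0:awk:0::c:2:F",
    "1054955404:2539:0:awk:0::c:2:i",
    "1054955404:2539:0:awk:0::c:2:l",
    "1054955404:2539:0:awk:0::c:2:i",
    "1054955404:2539:0:awk:0::c:2:#",
    "1054955404:2539:0:awk:0::c:2:#",
    "1054955404:2539:0:awk:0::c:2:#",
    "1054955404:2539:0:awk:0::c:2: ",
    "1054955404:2539:0:awk:0::c:2:W",
    "1054955404:2539:0:awk:0::c:2:a",
    "1054955404:2539:0:awk:0::c:2:r",
    "1054955404:2539:0:awk:0::c:2:n",
    "1054955404:2539:0:awk:0::c:2:i",
    "1054955404:2539:0:awk:0::c:2:n",
    "1054955404:2539:0:awk:0::c:2:g",
]

NUM_FIELDS = 9  # assumed field count per record


def parse_record(line):
    """Split one record into (timestamp, pid, comm, data).

    Splits on at most NUM_FIELDS-1 colons so that a data byte that is
    itself ':' survives intact. Returns None for lines that do not fit
    the assumed layout, so a damaged log does not abort the whole run.
    """
    parts = line.rstrip("\n").split(":", NUM_FIELDS - 1)
    if len(parts) != NUM_FIELDS:
        return None
    ts, pid, comm = parts[0], parts[1], parts[3]
    if not (ts.isdigit() and pid.isdigit()):
        return None
    return int(ts), int(pid), comm, parts[-1]


def reassemble(lines):
    """Group records by (pid, comm) and join their data bytes in order.

    Returns (streams, rejected): streams maps (pid, comm) to the
    reassembled text in arrival order; rejected counts unparsable lines.
    """
    streams = OrderedDict()
    rejected = 0
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            rejected += 1
            continue
        _ts, pid, comm, data = rec
        streams.setdefault((pid, comm), []).append(data)
    return {key: "".join(chunks) for key, chunks in streams.items()}, rejected


if __name__ == "__main__":
    text, bad = reassemble(SAMPLE_RECORDS)
    for (pid, comm), s in text.items():
        print(f"pid={pid} comm={comm}: {s!r}")
    print(f"{bad} records rejected")
```

Run against the quoted records this yields a single stream for pid 2539 / awk reading `### Fili### Warning`, which looks like the body of a script or file rather than typed commands; grouping by process is what lets you tell the two apart at a glance and pick out the streams worth reading in full.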
Current thread:
- Another sebek question Rock Lobster (Jun 18)