Honeypots mailing list archives
Re: Honeynet Project Security Advisory 2004-001: Sebek
From: Edward Balas <ebalas () iu edu>
Date: Fri, 23 Jan 2004 15:21:11 -0500 (EST)
On Fri, 23 Jan 2004, John Washington wrote:
On Jan 22 at 2:02 pm, Edward Balas handed me the following bytes:Solutions: ========== In the immediate term, a revised sbk_install.sh script has been added to the sebek-linux-2.1.4 code. This installer first changes the name of the kernel module, then it then modifies the module loading process to reduce the number of symbols that are left floating in memory. This short term fix will cause sebek_rape to fail , however one should always follow best practices. - "-y" flag has been added to the insmod command, this prevents the definition of ksymoops symbols for Sebek, which with then cause sebek_rape to fail. - a few code changes have been added to make it a little bit harder extract the config. This patched version is available at: http://www.honeynet.org/tools/sebek 16708ad30e2caf8431735439fcb60fd5 sebek-linux-2.1.5.tgz In the short term, a new version of the Linux client will be available, that will make it more difficult to detect and extract the configuration from memory.Wouldn't it also make sense to do something along the lines of using known (non-conflicting) module names (determined at setup for the honeypot) that would appear innocous on the honeypot? Obviously this can be applied to other things that are common.
The 2.1.5 client changes the name of the module to a random value or it can be sent in the config section of the sbk_install script to something that is desired, this is based on a new variable called MODULE_NAME. I leave it up to operator to select a known but non conflicting name for now. Related to this, the names of the parameters passed during the insmod are now randomly selected at build time.
As a sidenote, the reason I would choose (random) valid names is to lower the probability of just looing for a string that doesn't fit/isn't known.
Yeah grepping though /proc/kcore can be quite effective. Edward
Current thread:
- Honeynet Project Security Advisory 2004-001: Sebek Edward Balas (Jan 22)
- Re: Honeynet Project Security Advisory 2004-001: Sebek John Washington (Jan 23)
- Re: Honeynet Project Security Advisory 2004-001: Sebek Edward Balas (Jan 23)
- <Possible follow-ups>
- Re: Honeynet Project Security Advisory 2004-001: Sebek Ryan Barnett (Jan 22)
- Re: Honeynet Project Security Advisory 2004-001: Sebek John Washington (Jan 23)