Honeypots mailing list archives

Re: Does it really take so long to get a bite?


From: Chris Reining <creining () packetfu org>
Date: Sat, 7 Dec 2002 12:02:28 -0600

On Fri, Dec 06, 2002 at 11:52:54AM -0600, marc wrote:
> We set up a honeynet two weeks ago.  So that it's not too simple (didn't
> want to just capture the first script kiddy), the only vulnerability on it
> is an old openssh.

I had an OpenBSD 3.1 honeypot running a vulnerable version of SSH that was compromised in 2 days...

> Watching the logs, the chkrootkit, the IDS, the network traffic, etc, shows
> us nothing!  lots and LOTS of scans, mostly for nbname.

> How long does it take to get a hit?  Previous reading and anecdotes said
> that some boxes are compromised within 15 mins of being hooked up to the
> network.

I had a vanilla Redhat 6.2 box that took over 3 weeks to get compromised by an autorooter. I think that the TTL of a honeypot depends entirely on different variables like the ISP (from what I've seen, different ISPs/netblocks get scanned at different frequencies) and the latest and greatest exploit that the kiddies have. For instance, after a major software vulnerability is discovered and an exploit released there will be a sharp increase in scanning for vulnerable systems which will slowly decline over time.

Chris
