Honeypots mailing list archives

Re: Does it really take so long to get a bite?


From: Chris Reining <creining () packetfu org>
Date: Sun, 8 Dec 2002 13:38:18 -0600

As many folks have discussed, it depends on a variety of variables.
Two years ago, RH 6.2 would have been hacked in hours.    However,
folks have moved onto new 'exploit-du-jour', so what was highly 'hackable'
two years ago may take weeks or even months.  When the OpenSSH exploit
was released, it was possible for RH 6.2 or even RH 7.2 boxes to last
longer than an unpatched OpenBSD box.  So, TTL is often based on what
the favored exploit happens to be at that time.

Also, keep in mind, the harder your honeypot is to break into, the more
you can learn.  However, the harder it is to break into your honeypot,
the more value you have to give it.  If the bad guys just want systems,
they will skip your hardened honeypot and go for the easy kill.  All
depends on the type of clientele you wish to attract.

I am wondering if hardened honeypots will ever get compromised? Let's
say that I run a honeypot with only one accessible service running. This
service is exploitable by code that's in the public domain, but would
require the attacker to search for it. What are the odds of compromise?
And better yet, let's say this honeypot is on residential internet
service. Does that factor play any role?

Have other honeypotters run a hardened system only to give up months
later after no compromise?
 
One of the interesting things the Honeynet Project has seen is different
operating systems attract different clientele.  Linux hackers tend to be
a different community than Solaris, OpenBSD, or Windows hackers.  We do
not have enough data to come to any conclusions, but something to keep
your eyes open for :)

What about Sparc hackers? Do they exist? I ran a Sparcstation honeypot
for a while and had the odd x86 exploit thrown at it but never
compromised. I have heard stories of Sparc honeypots up for years w/o
being hacked.

Chris  

