Honeypots mailing list archives

Re: Does it really take so long to get a bite?


From: Brian Hatch <honeypots () ifokr org>
Date: Thu, 12 Dec 2002 10:14:29 -0800



> I have two honeypots one IP address apart (systems are Win2000
> Server SP3 and Debian 3.0r0), and this makes me think about the fake
> contents of the honeypots (i.e. webserver contents) that can attract
> intruders to one or the other system. Which contents are more susceptible to
> being hacked? In a campus network, maybe a fake qualification DB Server?

I've found the vanilla "You've installed Red Hat!  Congratulations!"
page always attracts script kiddies.  Makes it look like you don't
even know what software you installed.  Or perhaps it is just neutral,
and the kiddies would have found it regardless.

What I've done in other cases is take an existing website of mine
and mirror it to the honeypot.  Then you modify each page in the
same way to contain something indicating this is the staging or
beta site.  This is a quick way to get lots of content without
doing much work, and makes it seem like the machine does have an
authentic purpose.  It also tends to indicate that somehow this
machine will interact with the real server (be it a push or pull
to 'publish' the data) and that is also appealing.

Although I can't say these have had better success in attracting
folks, the intruders do have more interesting activities when they
get there.

--
Brian Hatch                  "Enthusiasm, sincerity,
   Systems and                genuine compassion, and
   Security Engineer          humor can carry you through
http://www.ifokr.org/bri/     any lack of prior experience
                              with high numerical value."
Every message PGP signed
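The mirror-and-mark approach above, as an added example that is not part of the original message: a script that walks a directory holding a mirror of a real site and stamps every HTML page with the same "staging site" banner. The marker comment, banner text and the `/srv/honeypot/www` path are assumptions.

```python
"""Stamp every page of a mirrored website as the staging copy (added example)."""
import re
from pathlib import Path
from typing import List

# Marker comment makes the script idempotent: rerunning never stacks banners.
MARKER = "<!-- staging-banner -->"
BANNER = (
    MARKER
    + '<div style="background:#fc0;padding:4px;text-align:center">'
    + "STAGING SITE - content here is pushed to www nightly</div>"
)
HTML_SUFFIXES = {".html", ".htm"}


def mark_page(html: str, banner: str = BANNER) -> str:
    """Return html with the banner inserted right after the <body> tag.

    Pages without a <body> tag get the banner prepended; pages already
    carrying MARKER are returned unchanged.
    """
    if MARKER in html:
        return html
    m = re.search(r"<body\b[^>]*>", html, flags=re.IGNORECASE)
    if m is None:
        return banner + html
    return html[: m.end()] + banner + html[m.end():]


def mark_mirror(root: Path, banner: str = BANNER) -> List[Path]:
    """Rewrite every HTML file under root in place; return the paths changed."""
    changed = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in HTML_SUFFIXES:
            continue
        # latin-1 maps every byte 1:1, so the page's original bytes survive
        # the round trip whatever encoding the mirrored site used.
        original = path.read_text(encoding="latin-1")
        updated = mark_page(original, banner)
        if updated != original:
            path.write_text(updated, encoding="latin-1")
            changed.append(path)
    return changed


if __name__ == "__main__":
    import sys
    # Usage: python mark_mirror.py /srv/honeypot/www  (constructed path)
    for p in mark_mirror(Path(sys.argv[1])):
        print("marked", p)
```

Non-HTML assets (images, stylesheets) are left untouched, so the mirror still renders exactly like the real site apart from the banner.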
