Honeypots mailing list archives

Re: Honeypot article


From: "Ing. Bernardo Lopez" <bloodk () prodigy net mx>
Date: 15 Jan 2003 11:47:07 -0600

In this section:

<snip>
Figure 9 shows us how the attacker covered his tracks after he exploited
my honeypot:
useradd -b /home/local -mov -g 0 -b /home -d /home/local -g 0 -u 0 -o local
[blah blah]
Figure 9 shows us how the attacker covered his tracks after he exploited
the honeypot. Let's take a look at what he did after he broke in:
    # He created a local account called local;
    # He created a home directory called /home/local; and,
    # He set his "local" account password to xeocage123. 
</snip> 

The author forgot to emphasize that the account (local) has uid & group of
"root"; this is very important, because "local" could sound normal... but
a uid of 0 is very, very... notorious.

Also very interesting is this:

/home/local/./.cshrc
/home/local/./.login
/home/local/./.mailrc

Looks like the hacker was hiding those files with ./... as if he
were thinking "the admin was a dork, or a system without an admin"...

Very good doc, I really liked it!!!

PS: sorry for my improved English.


On Wed, 15-01-2003 at 11:11, Lance Spitzner wrote:
Security Focus just published a honeypot paper by Toby Miller.
It details the information gathered from a specific honeypot
attack.  I liked this paper, as the author did not sensationalize
any of the information, instead they just focus on the facts.

   http://online.securityfocus.com/infocus/1656

-- 
Lance Spitzner
http://www.tracking-hackers.com




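The point raised above (a harmless-looking name such as "local" carrying uid 0 and gid 0, created with `useradd -o` so the uid can be shared with root) is exactly what a defender should check /etc/passwd for. The following is an added example, not code from the article or from either poster; the passwd content is constructed and the field layout is the standard 7-field format.

```python
from dataclasses import dataclass

# Constructed sample /etc/passwd: a normal system plus an account modelled
# on the article's "local" (uid 0, gid 0, home under /home). Not real data.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
local:x:0:0::/home/local:/bin/sh
"""


@dataclass
class PasswdEntry:
    name: str
    uid: int
    gid: int
    home: str
    shell: str


def parse_passwd(text):
    """Parse passwd-format text into entries; comments and blanks are skipped."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, _pw, uid, gid, _gecos, home, shell = fields
        entries.append(PasswdEntry(name, int(uid), int(gid), home, shell))
    return entries


def find_suspicious(entries):
    """Return (account, reason) pairs for entries that look like a uid-0 backdoor."""
    findings = []
    by_uid = {}
    for e in entries:
        by_uid.setdefault(e.uid, []).append(e.name)
        if e.uid == 0 and e.name != "root":
            findings.append((e.name, "uid 0 under a non-root name"))
        if e.gid == 0 and e.name != "root":
            findings.append((e.name, "primary gid 0 under a non-root name"))
        if e.uid == 0 and e.home.startswith("/home/"):
            findings.append((e.name, f"uid 0 with user-style home {e.home}"))
    # A uid shared by several names is what useradd -o permits; flag it too.
    for uid, names in by_uid.items():
        if len(names) > 1:
            findings.append((",".join(names), f"uid {uid} shared by several accounts"))
    return findings
```

Run it against a copy of the real /etc/passwd from a suspect host; a clean system should return an empty list.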