Honeypots mailing list archives
Re: How do I make telnet vulnerable to attack?
From: George Bakos <gbakos () ists dartmouth edu>
Date: Tue, 25 Feb 2003 19:28:07 -0500
In your logs, you may see that they have connected to your hpot on port 23, but that is only the first step. Telnet is not the service, but rather the client, that she is now attempting to use to connect to an ircd. The attacker obviously thinks she has gained entry to a network device (switch, router, etc.) and is trying to irc out through it.

If you are running a low-interaction stack/service emulator, that is the best you are going to do. If, instead, you wish to observe follow-on actions, you will need to assume a bit more risk & put up high-interaction honeypots/honeynets. But be careful, once those outgoing connections succeed, you may become an ersatz partner in illegal or otherwise questionable activities.

Cheers.

On 25 Feb 2003 20:34:39 -0000 <sae0616 () hotmail com> wrote:
> Hello, I recently installed my first honeypot and it sure is fun to watch the attacks roll in. I'm seeing this one attack against telnet that looks like this in the snort log:
>
> cisco telnet [ip removed] 6669 #'
>
> It looks like some kind of attempt to log in using a default password of 'cisco'? My question is, how can I allow the telnet to happen so that I can see what they are doing?
--
George Bakos
Institute for Security Technology Studies
Dartmouth College
gbakos () ists dartmouth edu
voice 603-646-0665
fax 603-646-0666
Key fingerprint = D646 8F91 F795 27EC FF8B 8C95 B102 9EB2 081E CB85
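
An added example, not part of the original message or of any honeypot project: one way to triage the input captured by a low-interaction telnet emulator for the pattern described in the reply above, a credential guess followed by a telnet client command aimed at an IRC port. The function name, the IRC port set and the sample session (with a documentation-range address standing in for the removed IP) are assumptions constructed for illustration.

```python
import re

# Ports commonly used by IRC daemons (assumption made for this example).
IRC_PORTS = set(range(6660, 6670)) | {7000}

# Router-style exec command typed at the emulated prompt: "telnet <host> [port]"
PIVOT_RE = re.compile(r"^telnet\s+(\S+)(?:\s+(\d{1,5}))?$", re.IGNORECASE)

# Constructed sample: lines a client sent to the emulated service on port 23.
SAMPLE_SESSION = ["cisco", "telnet 192.0.2.10 6669", "#'"]


def classify_session(lines):
    """Split captured telnet input into credential guesses, outbound
    pivot attempts, and whatever was typed after the first pivot.

    Each pivot is recorded as (host, port, looks_like_irc).
    """
    guesses, pivots, followup = [], [], []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = PIVOT_RE.match(line)
        # Telnet defaults to port 23 when no port is given.
        port = int(m.group(2) or 23) if m else 0
        if m and 0 < port < 65536:
            pivots.append((m.group(1), port, port in IRC_PORTS))
        elif pivots:
            # Input meant for the remote end of the attempted connection.
            followup.append(line)
        else:
            # Anything before the first pivot is treated as a login guess.
            guesses.append(line)
    return {"guesses": guesses, "pivots": pivots, "followup": followup}


if __name__ == "__main__":
    report = classify_session(SAMPLE_SESSION)
    for host, port, irc in report["pivots"]:
        kind = "IRC" if irc else "other"
        print(f"outbound telnet attempt to {host}:{port} ({kind})")
    print("credential guesses:", report["guesses"])
```

A session flagged this way shows only the attempt; as the reply notes, a low-interaction emulator never completes the outbound connection.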