Honeypots mailing list archives
RE: Honeypot article
From: Grégoire Welraeds <gregoire () welraeds be>
Date: Wed, 15 Jan 2003 12:26:07 +0100 (CET)
Eridex.org story is interesting as it is... exactly the same story as Miller's one. Same account created, same directory, same rights, same password and so on. The date and the author changed.

My 0.02

--
Greg

On Wed, 15 Jan 2003, Spikeman wrote:

> added google search bonus. (search string, xeocage123)
> http://eridex.org/journal-archive/000035.html
> http://www.geocities.com/shellmaniac/
>
> Freedom is the right to grow, is the right to blossom,
> Spikeman
> http://www.spikeman.net
> http://www.computersecuritynow.com
> Freedom is the right to be yourself, to be who you are, to be who you wanna be, to do what you wanna do.
>
> On Wed, 15 Jan 2003, Keith Bruss wrote:
>
>> This attacker didn't do much to cover his tracks. It looks like he just created an account in the group root. He never made any attempts to remove traces that he was there. Later he connected back to the box via SSH with the 'local' account he just created, posing a problem to the admin of the box because all the data was encrypted. A simple 'unset HISTFILE' would have cleared his history and the admin would have had less information to find out what the attacker did. He should also clean the history file for the user 'root', as this shows the attacker adding the user local in the group uid0 (root). This in itself says a lot about the attacker. The attacker did a lot of things that could have been hidden better such as creating an account on the box, or making your home directory /home/local, or running a process called inetd, or upgrading openssh. Any of these would make most IDS go crazy or most aware admins should have noticed changes like this.
>>
>> Looks like a packet monkey adding boxes to his kaiten (or something similar) ddosnet if you ask me. -=P
>>
>> My $0.02
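One way an admin could catch the account change described in the quoted message (a new user placed in the root group), shown as an added example that is not part of the thread. The function names, the `allowed` list and the sample passwd/group contents are assumptions constructed for illustration.

```python
"""Flag accounts that are root-equivalent by UID, primary GID or group membership."""

# Constructed sample files (not taken from the host discussed in the thread).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
alice:x:500:500:Alice:/home/alice:/bin/bash
local:x:501:0::/home/local:/bin/bash
toor:x:0:0::/tmp:/bin/sh
"""
SAMPLE_GROUP = """\
root:x:0:root,bob
users:x:100:alice
"""

def _is_zero(field):
    """True when a numeric id field is 0 (also catches '00'); junk is not zero."""
    try:
        return int(field) == 0
    except ValueError:
        return False

def _records(text, min_fields):
    """Yield field lists from passwd/group text, skipping blank, comment and short lines."""
    for line in text.splitlines():
        fields = line.strip().split(":")
        if line.strip() and not line.startswith("#") and len(fields) >= min_fields:
            yield fields

def audit_root_equivalents(passwd_text, group_text, allowed=("root",)):
    """Return sorted (account, reason) pairs for accounts outside the allow-list."""
    findings = set()
    for fields in _records(passwd_text, 7):
        name, uid, gid = fields[0], fields[2], fields[3]
        if name in allowed:
            continue
        if _is_zero(uid):
            findings.add((name, "uid 0"))
        if _is_zero(gid):
            findings.add((name, "primary gid 0"))
    for fields in _records(group_text, 4):
        if _is_zero(fields[2]):  # supplementary members of any gid-0 group
            for member in filter(None, fields[3].split(",")):
                if member not in allowed:
                    findings.add((member, "member of gid-0 group"))
    return sorted(findings)

if __name__ == "__main__":
    for account, reason in audit_root_equivalents(SAMPLE_PASSWD, SAMPLE_GROUP):
        print(f"{account}: {reason}")
```

Run against the real `/etc/passwd` and `/etc/group` contents on a schedule and alert on any non-empty result.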