Honeypots mailing list archives

RE: Honeypot article


From: Grégoire Welraeds <gregoire () welraeds be>
Date: Wed, 15 Jan 2003 12:26:07 +0100 (CET)


Eridex.org's story is interesting as it is... exactly the same story as
Miller's. Same account created, same directory, same rights, same
password and so on. Only the date and the author changed.
My 0.02

--
Greg

On Wed, 15 Jan 2003, Spikeman wrote:


added google search bonus. (search string, xeocage123)

http://eridex.org/journal-archive/000035.html
http://www.geocities.com/shellmaniac/



     ___
    /\  \ Freedom is the right to grow, is the right to blossom,
   /::\  \
  /:/\:\  \
 _\:\~\:\  \
/\ \:\ \:\__\                Spikeman
\:\ \:\ \/__/        http://www.spikeman.net
 \:\ \:\__\       http://www.computersecuritynow.com
  \:\/:/  /
   \::/  / Freedom is the right to be yourself, to be who you
    \/__/ are, to be who you wanna be, to do what you wanna do.



On Wed, 15 Jan 2003, Keith Bruss wrote:

This attacker didn't do much to cover his tracks.  It looks like he just
created an account in the group root.  He never made any attempt to remove
traces that he was there.  Later he connected back to the box via SSH with
the 'local' account he had just created, posing a problem for the admin of the
box because all the data was encrypted.  A simple 'unset HISTFILE' would
have cleared his history and the admin would have had less information to
find out what the attacker did.  He should also have cleaned the history file for
the user 'root', as this shows the attacker adding the user local to the
group uid0 (root).  This in itself says a lot about the attacker.  The
attacker did a lot of things that could have been hidden better, such as
creating an account on the box, making his home directory /home/local,
running a process called inetd, or upgrading openssh.  Any of these would
make most IDSs go crazy, and most aware admins should have noticed changes like
this.

Looks like a packet monkey adding boxes to his kaiten (or something similar)
ddosnet if you ask me.  -=P

My $0.02
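A defender-side check for the indicators Keith lists above (an extra uid-0 account, a non-root member of the gid-0 group, and a root-privileged account homed under /home), written as an added example for this archive page rather than anything posted in the thread; the passwd and group contents are constructed samples, not the honeypot's real files.

```python
# Added example, not from the thread: flag the indicators Keith lists
# (extra uid-0 account, non-root member of gid 0, uid-0 account under /home).
from typing import Dict, List, Tuple
# Constructed /etc/passwd and /etc/group content, not the honeypot's files;
# 'local' mirrors the account described: uid 0, gid 0, home /home/local.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
local:x:0:0::/home/local:/bin/bash
"""
SAMPLE_GROUP = """root:x:0:local
daemon:x:1:
users:x:100:alice
"""

def parse_passwd(text: str) -> List[Dict[str, object]]:
    # passwd fields: name:pw:uid:gid:gecos:home:shell
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, home, shell = line.split(":", 6)
        entries.append({"name": name, "uid": int(uid), "gid": int(gid),
                        "home": home, "shell": shell})
    return entries

def parse_group(text: str) -> Dict[str, Tuple[int, List[str]]]:
    # group fields: name:pw:gid:member,member,...
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups[name] = (int(gid), [m for m in members.split(",") if m])
    return groups

def find_suspicious_accounts(passwd_text: str, group_text: str) -> List[str]:
    # One finding per indicator; an empty list means nothing was flagged.
    findings = []
    for e in parse_passwd(passwd_text):
        if e["uid"] == 0 and e["name"] != "root":
            findings.append(f"uid-0 account other than root: {e['name']}")
        if e["uid"] == 0 and str(e["home"]).startswith("/home/"):
            findings.append(f"uid-0 account homed under /home: {e['name']}")
    for gname, (gid, members) in parse_group(group_text).items():
        for m in members:
            if gid == 0 and m != "root":
                findings.append(f"non-root member of gid-0 group {gname}: {m}")
    return findings
```

Run it against real /etc/passwd and /etc/group contents to get the same three findings the thread's 'local' account would have produced; a clean system returns an empty list.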
