Honeypots mailing list archives
Re: AW: Honey VS Vinegar
From: the rxmr <the.rxmr () gmail com>
Date: 2 Nov 2004 15:49:05 -0000
In-Reply-To: <1099405102.8972.6.camel@JohnnyQuest>

"but don't forget to check your honeypot webserver logs for all those referrers from google (thanks Johnny for google hacking)...."

I have also tested the Google Hacking Database from the johnny.ihackstuff.com website and noticed that most of the results (usually text, no graphics, no loading from the original website) are also available in the Google cache. Therefore, by using the info from the cache one could avoid an entry in the webserver's logs.

Thanks to all those that took the time to read my rather long post. It wasn't quite finished, but since the question was raised, I decided to go ahead and post it. Anyway, it is interesting to read some of the tactics currently being used by others.

With regard to the question that someone else asked of "how far should we go?", I think it is OK to start off small and gradually work one's way through the different, more complex and time-consuming methods. Keep it simple and don't make your efforts obvious. The people we are trying to get a response from can sometimes tell if something is amiss. They can also exhibit self-control and may ignore such provocations, therefore allowing them to pick their potential victims for their own reasons.

When I first started running a honeypot, I became bored with it after a few months and began thinking of ways to draw in more activity. Sometimes it works, sometimes it doesn't. If such methods are already being used, I understand the reluctance in disclosing them and the results in a public forum.

Good luck to you all!
I have been provoking attacks (usually in IRC) for years... when I mentioned this in another security related list a few years ago I got flamed so bad I still feel toasty...

I have noticed (using a bit of psychology from the aid of my wife who is a psychologist and closet geek girl) that you can easily tell if you are going to get your basic 13 or 14 yr old script kiddie or someone a bit more skillful... but don't forget to check your honeypot webserver logs for all those referrers from google (thanks Johnny for google hacking)....

sorry if it was a rant... but it's my 2 cents worth...

On Tue, 2004-11-02 at 05:29, Stephan Riebach wrote:

Reading all your posts I wondered if aggressive tactics do really provoke new/interesting attacks. More precisely I wondered how far we should go?!

I tested some tactic earlier by installing a P2P client on a honeypot and provoking attacks by "annoying" users. I created random data files with "dd" and converted them to the mp3 format using lame (http://lame.sourceforge.net/). I gave those fake files the names of famous Top20 songs and provided the files with my KazaaLite client. I also provided some really large faked files which I simply renamed as zip or rar archive, e.g. "Windows2000Prof.zip".

The honeypot was online for 6 weeks and many files were downloaded but really no new/unusual/special attack could be detected in this time. Just the well-known port 135 and 445 signatures. I also ran a web server on this honeypot and I hoped to increase attacks with this "annoying" tactic.

Maybe you can compare this with fishing and my lure was bad or I simply had no luck. :-) Or maybe I proved that P2P users are harmless and never attack anybody. :-)

Cheers!
Stephan
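
Added example (not part of the original thread): one way to do the log check mentioned above, listing honeypot web requests whose Referer is a Google search and which search operators the query used. The combined log format, the operator list and the sample lines are assumptions constructed for illustration; as the reply notes, a visitor who only reads the Google cache copy may leave no entry, so this sees click-throughs only.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache/NCSA "combined" format (assumed):
# ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
# Search operators commonly seen in targeted queries (illustrative list).
OPERATORS = re.compile(
    r'\b(allinurl|allintitle|inurl|intitle|intext|filetype|ext|site):', re.I)

def google_query(referer):
    """Return the decoded q= search string if the referer is a Google URL."""
    parts = urlsplit(referer)
    labels = (parts.hostname or "").lower().split(".")
    if "google" not in labels:      # Referer is client-supplied: a hint, not proof
        return None
    q = parse_qs(parts.query).get("q")
    return q[0] if q else None

def find_search_referrals(lines):
    """Yield one record per request that arrived from a Google results page."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                # skip lines that are not combined format
        query = google_query(m["referer"])
        if query is None:
            continue
        ops = sorted({op.lower() for op in OPERATORS.findall(query)})
        hits.append({"ip": m["ip"], "time": m["time"], "path": m["path"],
                     "query": query, "operators": ops})
    return hits

# Constructed sample lines (documentation IP ranges, invented requests).
SAMPLE_LOG = [
    '192.0.2.10 - - [02/Nov/2004:15:01:12 +0000] "GET /admin/ HTTP/1.1" 200 512 '
    '"http://www.google.com/search?q=intitle%3A%22index+of%22+inurl%3Aadmin" "Mozilla/4.0"',
    '198.51.100.7 - - [02/Nov/2004:15:03:40 +0000] "GET /index.html HTTP/1.0" 200 1043 '
    '"http://www.google.de/search?q=honeypot+howto&hl=de" "Mozilla/4.0"',
    '203.0.113.5 - - [02/Nov/2004:15:05:02 +0000] "GET /index.html HTTP/1.0" 200 1043 '
    '"-" "Mozilla/4.0"',
    '203.0.113.9 - - [02/Nov/2004:15:06:19 +0000] "GET /index.html HTTP/1.0" 200 1043 '
    '"http://example.org/links.html" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for hit in find_search_referrals(SAMPLE_LOG):
        print(hit["ip"], hit["path"], repr(hit["query"]), hit["operators"])
```

Records with a non-empty operators list are the ones worth reading first; plain keyword searches are listed too so ordinary search traffic can be compared against them.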