[ale] Honeypots

Transam bob at verysecurelinux.com
Wed Apr 23 00:34:06 EDT 2003


On Tue, Apr 22, 2003 at 11:34:33PM -0400, Michael H. Warfield wrote:
> On Tue, Apr 22, 2003 at 08:28:26PM -0700, tom hawks wrote:
> > Have you ever caught anyone trying to hack into one of
> > your honeypots? 

> 	Snicker...  Chuckle...

> 	Would you like some ftp server user names and passwords in
> Romania (no, they weren't too bright)...

> 	Let's see, what time is it...  Nope, not in the last few hours...

> 	God...  It's like stomping cockroaches...  But a lot more fun.

> 	Got annoying for a bit when some started combining the ptrace local
> elevation to root with the Apache mod-ssl exploit.  Well, annoying, yes.
> But I got some nice new root-kits for the effort of flushing them off
> the honeypot.  >/;->=>  Vservers running on top of a hardened kernel
> solved that problem and let me collect rootkits without actually getting
> the core engine rooted.  Bonus!

That ptrace() vulnerability is NASTY!  I wrote a no_ptrace kernel
loadable module that turns off a system's ptrace() call to install
in some of my remote firewalls where a botched kernel upgrade would
require a few hundred miles of travel to correct.  It's tempting to
have it also block fchdir(), mknod(), and similar calls that crackers
use to elevate privileges.

> > tom

> 	Mike
> -- 
>  Michael H. Warfield    |  (770) 985-6132   |  mhw at WittsEnd.com
>   /\/\|=mhw=|\/\/       |  (678) 463-0932   |  http://www.wittsend.com/mhw/
>   NIC whois:  MHW9      |  An optimist believes we live in the best of all
>  PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!

Bob Toxen
bob at verysecurelinux.com               [Please use for email to me]
http://www.realworldlinuxsecurity.com [My book:"Real World Linux Security 2/e"]

"Microsoft: Unsafe at any clock speed!"
   -- Bob Toxen 10/03/2002
_______________________________________________
Ale mailing list
Ale at ale.org
http://www.ale.org/mailman/listinfo/ale