[ale] Honeypots
Transam
bob at verysecurelinux.com
Wed Apr 23 00:34:06 EDT 2003
On Tue, Apr 22, 2003 at 11:34:33PM -0400, Michael H. Warfield wrote:
> On Tue, Apr 22, 2003 at 08:28:26PM -0700, tom hawks wrote:
> > Have you ever caught anyone trying to hack into one of
> > your honeypots?
> Snicker... Chuckle...
> Would you like some ftp server user names and passwords in
> Romania (no, they weren't too bright)...
> Let's see, what time is it... Nope, not in the last few hours...
> God... It's like stomping cockroaches... But a lot more fun.
> Got annoying for a bit when some started combining the ptrace local
> elevation to root with the Apache mod-ssl exploit. Well, annoying, yes.
> But I got some nice new root-kits for the effort of flushing them off
> the honeypot. >/;->=> Vservers running on top of a hardened kernel
> solved that problem and let me collect rootkits without actually getting
> the core engine rooted. Bonus!
That ptrace() vulnerability is NASTY! I wrote a no_ptrace kernel
loadable module that turns off a system's ptrace() call to install
in some of my remote firewalls where a botched kernel upgrade would
require a few hundred miles of travel to correct. It's tempting to
have it also block fchdir(), mknod(), and similar calls that crackers
use to elevate privileges.
> > tom
> Mike
> --
> Michael H. Warfield | (770) 985-6132 | mhw at WittsEnd.com
> /\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
> NIC whois: MHW9 | An optimist believes we live in the best of all
> PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
Bob Toxen
bob at verysecurelinux.com [Please use for email to me]
http://www.realworldlinuxsecurity.com [My book:"Real World Linux Security 2/e"]
"Microsoft: Unsafe at any clock speed!"
-- Bob Toxen 10/03/2002
_______________________________________________
Ale mailing list
Ale at ale.org
http://www.ale.org/mailman/listinfo/ale