This is the primary function of honeypots. People set up systems that
are just average, ordinary systems, for the sole purpose of being
compromised. They build special functionality in so that logs are kept on
a different system, there are keystroke captures running, and other
types of information gathering go on as well. They also do things that
prevent damage to other systems, like rerouting outgoing traffic to an
internal network. That way, if someone launches an attack against, say,
www.yahoo.com, they are really sending the traffic to some dummy box and
no damage is done. Lance Spitzner from RootPrompt wrote a great series
of articles called "Know Your Enemy"
(http://rootprompt.org/article.php3?article=159) and a follow-up called
"Building a Honeypot" (http://rootprompt.org/article.php3?article=210)
that discuss in great detail how to track intruders.
Kenny
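The containment design Kenny describes (logs shipped to a separate box, and the honeypot's outgoing traffic steered to a dummy host so that an attack "against www.yahoo.com" never leaves the lab) can be written down as a policy. The following is an added Python example, not code from the thread or from the RootPrompt articles; the lab addresses, the `Flow`/`Decision` names and the gateway `iptables` rules are assumptions for a small constructed lab layout.

```python
import ipaddress
from dataclasses import dataclass

# Constructed lab layout for this example (RFC 5737 documentation addresses).
HONEYPOT = ipaddress.ip_address("192.0.2.10")   # the sacrificial box
LAB_NET = ipaddress.ip_network("192.0.2.0/24")  # isolated segment it lives on
SINKHOLE = ipaddress.ip_address("192.0.2.250")  # dummy host that absorbs attacks
LOG_HOST = ipaddress.ip_address("192.0.2.1")    # separate collector for the logs


@dataclass(frozen=True)
class Flow:
    """One outbound connection attempt seen on the gateway (assumed shape)."""
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Decision:
    action: str    # "allow" or "redirect"
    real_dst: str  # address the packet is actually delivered to
    record: str    # line handed to the off-box logger


def decide(flow: Flow) -> Decision:
    """Apply the containment policy to a single flow originating on the honeypot."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    if src != HONEYPOT:
        raise ValueError("policy only covers traffic leaving the honeypot")

    if dst == LOG_HOST:
        # The honeypot may ship syslog to the collector and nothing else,
        # so an intruder cannot turn the box against the log host.
        allowed = flow.proto == "udp" and flow.dport == 514
    elif dst in LAB_NET:
        # Other lab hosts are the intended playground; let the intruder poke them.
        allowed = True
    else:
        # Anything bound for the outside world goes to the dummy box instead.
        allowed = False

    real_dst = flow.dst if allowed else str(SINKHOLE)
    action = "allow" if allowed else "redirect"
    record = (f"honeypot-egress src={flow.src} dst={flow.dst} dport={flow.dport} "
              f"proto={flow.proto} action={action} real_dst={real_dst}")
    return Decision(action, real_dst, record)


def apply_policy(flows):
    """Run every flow through the policy; returns decisions plus the log stream
    that would be forwarded off-box (deleting it on the honeypot changes nothing)."""
    decisions = [decide(f) for f in flows]
    return decisions, [d.record for d in decisions]


def gateway_rules():
    """iptables rules for the gateway in front of the honeypot that enforce the
    same policy in the kernel.  Assumes the gateway routes for LAB_NET."""
    return [
        # syslog to the collector is the only honeypot traffic allowed to reach it
        f"iptables -t nat -A PREROUTING -s {HONEYPOT} -d {LOG_HOST} -p udp --dport 514 -j ACCEPT",
        f"iptables -t nat -A PREROUTING -s {HONEYPOT} -d {LOG_HOST} -j DNAT --to-destination {SINKHOLE}",
        # everything leaving the lab segment is rewritten to the sinkhole
        f"iptables -t nat -A PREROUTING -s {HONEYPOT} ! -d {LAB_NET} -j DNAT --to-destination {SINKHOLE}",
    ]


if __name__ == "__main__":
    sample = [  # constructed flows, not taken from the thread
        Flow("192.0.2.10", "198.51.100.7", 80),       # stand-in for an outside web host
        Flow("192.0.2.10", "192.0.2.20", 22),         # another lab box
        Flow("192.0.2.10", "192.0.2.1", 514, "udp"),  # log shipping to the collector
        Flow("192.0.2.10", "192.0.2.1", 22),          # ssh attempt against the log host
    ]
    decisions, log_stream = apply_policy(sample)
    for line in log_stream:
        print(line)
    print("\n".join(gateway_rules()))
```

The decision logic and the `iptables` rules express the same three cases; in a real deployment the rules run on the gateway and the log collector is reached only over the one permitted syslog path, which is what keeps the records intact when the intruder cleans up `/var/log/messages` on the compromised box.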
Michael O'Donnell wrote:
>
> >Well folks if you've ever wondered what might happen
> >if you go online before securing a new installation
> >check this out from my /var/logs/messages...
>
> Cool. How did you discover this slimebag? Would he
> have remained undetected for longer if he'd
> bothered to delete those entries in /var/logs/messages?
>
> If a slimebag didn't know that I'd discovered him on
> my system after he'd cracked it, I'd think it would
> be interesting (in a way) to allow him to remain
> there so that I (preferably with the knowledge and
> assistance of the appropriate authorities) could gather
> as much information as possible about the slimebag's
> identity and about other systems he'd compromised
> before we dropped a VERY large hammer on him.
>
> However, since the first thing the slimebags do after
> compromising one system is (reportedly) to use it to
> damage other systems, and since I wouldn't want to have
> facilitated any such harm, I would feel obliged to do
> as you have done and just wipe the system immediately
> upon discovery...
>
> **********************************************************
> To unsubscribe from this list, send mail to
> [EMAIL PROTECTED] with the following text in the
> *body* (*not* the subject line) of the letter:
> unsubscribe gnhlug
> **********************************************************