On Wed, Jan 23, 2008 at 06:27:33PM -0800, James G. Sack (jim) wrote:
> So, a "fake shell prompt" is maybe a little like a honeypot, except that commands get logged but not executed?
Depends on how much I want to find out. Most likely, it is something being scripted on their end, so I could see what it does, and start coding up stuff that looked more and more like what it was looking for. It is probably looking for programs with known root exploits.
> If so, how would you go about doing that?
Hmm. Well, it'd be running inside of a VM, just so I could blow it all away when I was done. I'd build ssh from source, and start by logging the passwords they were trying. Then I'd hack the ssh to accept their logins, but have it invoke my special shell instead of a normal shell. It would print a shell prompt, but then just log. Depending on how ambitious I got, I could parse their commands and start faking those programs as well. Then do reading to see if I could find out about the exploits, and make sure that my real machines were current enough.

Dave

-- 
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
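The "special shell" Dave describes, as an added illustration that is not code from the thread: it prints a prompt, logs every line it receives with a timestamp, answers a couple of programs with canned output, and never executes anything. The program names, the canned strings and the `run_transcript` helper are constructed for this example.

```python
import datetime
import io
import json
import shlex

# Canned output for a few programs a probe might ask for (constructed strings);
# every other command gets a shell-style "command not found".
FAKE_PROGRAMS = {
    "uname": "Linux host 2.6.18 #1 SMP x86_64 GNU/Linux",
    "id": "uid=0(root) gid=0(root) groups=0(root)",
}

def log_command(line, log):
    """Append one JSON record (UTC timestamp plus the raw line) to log."""
    ts = datetime.datetime.now(datetime.timezone.utc).isoformat()
    log.append(json.dumps({"ts": ts, "cmd": line}))

def respond(line):
    """Canned output for a line, '' for a blank line, None on 'exit'."""
    try:
        argv = shlex.split(line)   # only argv[0] is looked up, nothing runs
    except ValueError:             # unbalanced quotes: answer like a shell
        return "sh: syntax error"
    if not argv:
        return ""
    if argv[0] == "exit":
        return None
    return FAKE_PROGRAMS.get(argv[0], "sh: %s: command not found" % argv[0])

def fake_shell(reader, writer, log, prompt="# "):
    """Prompt, log each line, reply with canned output; returns the line count."""
    count = 0
    print(prompt, end="", file=writer, flush=True)
    for line in reader:
        line = line.rstrip("\r\n")
        log_command(line, log)
        count += 1
        out = respond(line)
        if out is None:
            break
        if out:
            print(out, file=writer)
        print(prompt, end="", file=writer, flush=True)
    return count

def run_transcript(text):
    """Feed a constructed session to the fake shell; returns (count, output, log)."""
    log, out = [], io.StringIO()
    count = fake_shell(io.StringIO(text), out, log)
    return count, out.getvalue(), log
```

For a live session, pass `sys.stdin` and `sys.stdout` to `fake_shell` and write the log list out afterwards; the SSH-side changes that hand a login to this shell are outside the example.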
