begin quoting David Brown as of Wed, Jan 23, 2008 at 09:13:41PM -0800:
> On Wed, Jan 23, 2008 at 06:27:33PM -0800, James G. Sack (jim) wrote:
>
> > So, a "fake shell prompt" is maybe a little like a honeypot, except that
> > commands get logged but not executed?
>
> Depends on how much I want to find out. Most likely, it is something being
> scripted on their end, so I could see what it does, and start coding up
> stuff that looked more and more like what it was looking for. It is
> probably looking for programs with known root exploits.
>
> > If so, how would you go about doing that?
>
> Hmm. Well, it'd be running inside of a VM, just so I could blow it all
> away when I was done.
>
> I'd build ssh from source, and start by logging the passwords they were
> trying. Then I'd hack the ssh to accept their logins, but have it invoke
> my special shell instead of a normal shell. It would print a shell prompt,
> but then just log. Depending on how ambitious I got, I could parse their
> commands and start faking those programs as well. Then do reading to see
> if I could find out about the exploits, and make sure that my real machines
> were current enough.
That would be a nifty standard ssh feature. "On Wrong Password, Run Program
$X." Even if $X was "tar tf - /usr/src/kernel*", it still might be amusing.

--
Anyone want a /usr/local/bin/honeypot
As a standard shell for users forgot?

Stewart Stremler -- [email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
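A minimal version of the logging "fake shell" David describes, written as an added example (not code from the thread): it prints a prompt, records every line with a timestamp, executes nothing, and answers a handful of commands with canned output so the session looks plausible. The prompt string, the canned responses and the log file name are constructed assumptions.

```python
import datetime
import shlex
import sys

PROMPT = "guest@host:~$ "  # assumed prompt, tuned to the image being imitated

# Constructed canned replies; a deployment would match them to the system it
# pretends to be. Nothing here is ever executed.
FAKE_RESPONSES = {
    "id": "uid=1000(guest) gid=1000(guest) groups=1000(guest)",
    "uname -a": "Linux host 2.6.22-14-generic #1 SMP x86_64 GNU/Linux",
    "whoami": "guest",
    "pwd": "/home/guest",
}


def handle_command(line, log):
    """Append the raw command to log and return the faked reply.

    Returns None when the intruder ends the session, "" for a blank line,
    and a 'command not found' string for anything we do not fake.
    """
    stripped = line.strip()
    stamp = datetime.datetime.now(datetime.timezone.utc).isoformat()
    log.append(f"{stamp} CMD {stripped}")
    if not stripped:
        return ""
    try:
        argv = shlex.split(stripped)
    except ValueError:          # unbalanced quotes: keep logging, fall back
        argv = stripped.split()
    if argv[0] in ("exit", "logout"):
        return None
    if stripped in FAKE_RESPONSES:
        return FAKE_RESPONSES[stripped]
    if argv[0] == "echo":
        return " ".join(argv[1:])
    return f"-bash: {argv[0]}: command not found"


def run_session(lines, prompt=PROMPT):
    """Drive the fake shell over an iterable of input lines.

    Returns (log, output) where output is what the intruder would have seen.
    """
    log, out = [], []
    for line in lines:
        out.append(prompt)
        reply = handle_command(line, log)
        if reply is None:
            break
        if reply:
            out.append(reply + "\n")
    return log, out


if __name__ == "__main__":     # interactive use, e.g. as a login shell
    log, _ = run_session(iter(sys.stdin.readline, ""))
    with open("honeypot.log", "a") as fh:   # assumed log location
        fh.write("\n".join(log) + "\n")
```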
