
Re: Advice Needed On Recent Rootings



On Sun, May 25, 2003 at 02:32:56PM -0400, Noah Meyerhans wrote:
> If you believe he'll be back, it might be worth it to set up a honeypot
> and a box running tcpdump and capturing all the traffic to honeypot.
> Set the honeypot up with the same services you run on your production
> machines, and make sure that no services at all (not even ssh) are
> running on the tcpdump system.  At least that way, when the box gets
> cracked, you'll be able to see what ports the guy was talking to when he
> broke in.  It also might be useful as evidence in case you ever decide
> to try and prosecute him.
Considering that.  Actually, I've been looking into a completely cold
machine recording a tcpdump over a serial console.  I've also been
looking into how to use some LKM-style tricks (read source mods) to hide
the sniffing process and a userspace solution to hide the promiscuous
mode IF.
 
> I assume the cracked boxes were running woody?  What are the actual
> services running on the various open ports?  What versions of the
> packages?
Yeah, I call it stable, but it's the same thing.  The nmap lists (from
the outside):

ssh
smtp
domain
www
pop3s
imaps

From the inside add:

netbios-ssn/netbios-dgm/netbios-ns
imap
pop3


This has been a hit on about seven different machines with vastly
different configurations (some missing everything but SSH) and all
firewalled down to the minimum.

> I don't know of any exploits for the version of OpenSSH included on
> security.debian.org for woody.  It would certainly be interesting to
> find out that there is one in the wild!
Indeed.  When I find out more I'll send to the list.

Jayson
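As an added example (not code from this thread), a small POSIX shell helper for the capture box Noah describes: read /proc/net/tcp to confirm that nothing is listening on the sniffer, and assemble the tcpdump invocation that records everything to and from the honeypot. The interface, paths, honeypot address and the sample /proc/net/tcp content are constructed, and the -G/-Z options assume a current tcpdump.

```shell
#!/bin/sh
# Added example helper for a passive capture box beside a honeypot.
# All names, paths and the sample /proc/net/tcp data are constructed.

# Print TCP ports in LISTEN state (st == 0A) from one or more files in
# /proc/net/tcp format. On a live box pass /proc/net/tcp /proc/net/tcp6.
listening_ports() {
    awk 'NR > 1 && $4 == "0A" { split($2, a, ":"); print a[2] }' "$@" |
    while read -r hexport; do
        printf '%d\n' "$((0x$hexport))"      # hex port -> decimal
    done | sort -n | uniq
}

# True (exit 0) when no TCP port is listening, i.e. the sniffer box is
# as quiet as Noah recommends (not even ssh).
sniffer_is_clean() {
    [ -z "$(listening_ports "$@")" ]
}

# Build (but do not run) the tcpdump command: full packets (-s 0), only
# traffic to/from the honeypot, hourly rotated files, root dropped to an
# unprivileged user after opening the interface (-Z).
capture_cmd() {
    honeypot=$1; outdir=$2; iface=$3
    printf 'tcpdump -n -i %s -s 0 -Z tcpdump -G 3600 -w %s/honeypot-%%Y%%m%%d-%%H%%M%%S.pcap host %s\n' \
        "$iface" "$outdir" "$honeypot"
}

# Constructed /proc/net/tcp sample: ssh (0x16) and pop3s (0x3E3) listening,
# plus one established (01) connection that must not be reported.
write_sample_tcp() {
    cat > "$1" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0000000000000000 100 0 0 10 0
   1: 00000000:03E3 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1 0000000000000000 100 0 0 10 0
   2: 0A00020F:0016 0A000201:C350 01 00000000:00000000 00:00000000 00000000     0        0 1003 1 0000000000000000 100 0 0 10 0
EOF
}
```

On a real sniffer box, run `sniffer_is_clean /proc/net/tcp /proc/net/tcp6` before starting the capture; the sample file only exists so the helpers can be exercised offline.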


