Attacks on ssh port
Patrick Proniewski
patpro at patpro.net
Sat Sep 18 09:37:56 PDT 2004
On 18 Sept. 2004, at 15:05, Craig Edwards wrote:
> As I've read, this is an attack from some kiddie trying to build a
> floodnet.
>
> Records show that most of the compromised boxes are Linux machines
> which end up having the SucKIT rootkit and an EnergyMech installed on
> them. I don't know if the attacker has ever gotten into a FreeBSD
> machine, or what they'd do if they did.
>
> On my machines I have a dummy shell which APPEARS to be a successful
> login but just returns weird errors (such as "Segmentation Fault") or
> bad data for all commands that are issued, while also logging their
> commands. I'm tempted to put this on the 'test' account and let them in
> on this shell to see what is attempted. Just to clarify, if I did such
> a thing, there's no way for them to break out of the shell, right? It's a
> simple Perl script, so if the Perl script ends, they're logged off?
> This is what I expect to happen; however, I don't want to risk it unless
> it's 100% safe. And just to clarify again, all commands that are
> issued from this fake shell never reach the REAL OS; even "uname"
> returns a Red Hat 7.2 string when the real machine is actually FreeBSD
> 5...
>
I wouldn't do that if I were you. I think it's more interesting and
safer to create a full jailed system, with a honeypot running in this
jail (but, well, a honeypot has to be legal in your country, and that is
not the case everywhere).
patpro
--
I am looking for a Mac/UNIX sysadmin position
http://patpro.net/cv.php
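For readers wondering what the "dummy shell" described in the quoted message looks like in practice, here is an added illustration written for this page; it is not Craig's Perl script, not anything from the FreeBSD project, and every canned response string in it is constructed. The safety property under discussion is visible in the code: the script never spawns a subprocess, so no typed command reaches the real OS, every line is logged, and the session ends as soon as the script ends (EOF on stdin or an "exit" command). What the example cannot show is the part Patrick is pointing at: the account still lives on the real host, which is why a jail is the stronger isolation boundary.

```python
import io
import logging
import sys

# Constructed fake identity strings (assumed for this example; the real script
# would use whatever Red Hat 7.2-style output the operator chooses).
FAKE_UNAME = "Linux honey 2.4.7-10 #1 Thu Sep 6 17:27:27 EDT 2001 i686 unknown"
FAKE_ID = "uid=0(root) gid=0(root) groups=0(root)"
FAKE_PROMPT = "[root@honey root]# "


class FakeShell:
    """A login 'shell' that never executes anything.

    Each input line is logged and answered with canned text. handle_line()
    returns None when the session should end. There is deliberately no
    subprocess/os.system call anywhere, so no command touches the host.
    """

    def __init__(self, logger=None):
        self.logger = logger or logging.getLogger("fakeshell")
        self.history = []   # commands seen this session
        self.alive = True

    def handle_line(self, line):
        cmd = line.strip()
        self.history.append(cmd)
        self.logger.info("cmd=%r", cmd)   # record what the visitor typed
        if not cmd:
            return ""
        word = cmd.split()[0]
        if word in ("exit", "logout"):
            self.alive = False
            return None                   # script ends -> session ends
        if word == "uname":
            return FAKE_UNAME if "-a" in cmd else "Linux"
        if word == "id":
            return FAKE_ID
        if word in ("ls", "cat", "cd", "pwd", "wget", "ftp"):
            return f"{word}: Segmentation fault"   # the "weird errors" from the post
        return f"bash: {word}: Input/output error"


def run(inp, out, shell=None):
    """Drive a FakeShell over text streams until EOF or exit.

    Returns the list of commands seen, so a caller (or a test) can inspect
    the session without reading the log file.
    """
    shell = shell or FakeShell()
    while shell.alive:
        out.write(FAKE_PROMPT)
        out.flush()
        line = inp.readline()
        if line == "":          # EOF: the client hung up
            break
        reply = shell.handle_line(line)
        if reply is None:
            break
        if reply:
            out.write(reply + "\n")
    return shell.history


def run_session(text):
    """Convenience wrapper: feed a constructed session transcript as a string
    and return (commands_seen, everything_the_visitor_saw)."""
    out = io.StringIO()
    history = run(io.StringIO(text), out)
    return history, out.getvalue()


if __name__ == "__main__":
    # Log file path is an assumption for this example.
    logging.basicConfig(filename="/tmp/fakeshell.log", level=logging.INFO,
                        format="%(asctime)s %(message)s")
    run(sys.stdin, sys.stdout)
```

To use it the way the post describes, the script would be set as the login shell of the throwaway account; everything the visitor types goes to the log and nothing is executed. The design choice worth noticing is the absence of any exec path at all, rather than a filter over allowed commands: a filter can be wrong, an absent exec cannot be invoked.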
More information about the freebsd-security mailing list