On Sun, May 25, 2003 at 02:32:56PM -0400, Noah Meyerhans wrote:
> If you believe he'll be back, it might be worth it to set up a honeypot
> and a box running tcpdump and capturing all the traffic to honeypot.
> Set the honeypot up with the same services you run on your production
> machines, and make sure that no services at all (not even ssh) are
> running on the tcpdump system. At least that way, when the box gets
> cracked, you'll be able to see what ports the guy was talking to when he
> broke in. It also might be useful as evidence in case you ever decide
> to try and prosecute him.

Considering that. Actually, I've been looking into a completely cold
machine recording a tcpdump over a serial console. I've also been looking
into how to use some LKM-style tricks (read: source mods) to hide the
sniffing process and a userspace solution to hide the promiscuous mode IF.

> I assume the cracked boxes were running woody? What are the actual
> services running on the various open ports? What versions of the
> packages?

Yeah, I call it stable, but it's the same thing. The nmap lists (from the
outside):

ssh smtp domain www pop3s imaps

From the inside add:

netbios-ssn/netbios-dgm/netbios-ns imap pop3

This has been a hit on about seven different machines with vastly
different configurations (some missing everything but SSH) and all
firewalled down to the minimum.

> I don't know of any exploits for the version of OpenSSH included on
> security.debian.org for woody. It would certainly be interesting to
> find out that there is one in the wild!

Indeed. When I find out more I'll send to the list.

Jayson
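A pre-flight script for the passive capture box Noah describes above, added here as an example and not taken from the list thread: it only builds the tcpdump command once nothing is listening on the host and the sniffing interface carries no address. The `ss`/`ip` output layout, the interface name, the honeypot address and the capture directory are assumptions, and the socket listings are constructed samples.

```shell
#!/bin/sh
# Added example: checks for a dedicated tcpdump host that must itself expose
# no services. Assumes a GNU/Linux box with iproute2 (ss, ip) and tcpdump.

# Count listening TCP/UDP sockets in `ss -ltun` output read from stdin.
# A stripped-down capture host should report 0.
count_listeners() {
    awk 'NR > 1 && ($1 == "tcp" || $1 == "udp") { n++ } END { print n + 0 }'
}

# Succeed only when `ip -o -4 addr show dev <iface>` output (stdin) is empty,
# i.e. the sniffing interface has no IPv4 address and cannot be reached.
iface_has_no_ip() {
    [ -z "$(cat)" ]
}

# Build the capture command: full packets (-s 0), no name lookups (-n),
# unbuffered writes (-U), privileges dropped to nobody (-Z), hourly rotation
# (-G 3600) into timestamped files, filtered to traffic involving the honeypot.
build_capture_cmd() {
    iface="$1"; outdir="$2"; honeypot="$3"
    printf 'tcpdump -i %s -n -s 0 -U -Z nobody -G 3600 -w %s/%%Y%%m%%d-%%H%%M%%S.pcap host %s\n' \
        "$iface" "$outdir" "$honeypot"
}

# Constructed `ss -ltun` output from a host that still has sshd and a resolver up.
SAMPLE_BAD='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
udp   UNCONN 0      0          127.0.0.1:53        0.0.0.0:*'
# Constructed output from a correctly stripped capture host (header only).
SAMPLE_OK='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port'

# Full pre-flight: refuse to emit a capture command if either check fails.
# Arguments: ss output, ip output, interface, capture dir, honeypot address.
preflight() {
    n="$(printf '%s\n' "$1" | count_listeners)"
    [ "$n" = "0" ] || { echo "refusing: $n listening socket(s) on capture host" >&2; return 1; }
    printf '%s' "$2" | iface_has_no_ip || { echo "refusing: $3 has an IP address" >&2; return 1; }
    build_capture_cmd "$3" "$4" "$5"
}
```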