From owner-freebsd-security@FreeBSD.ORG Sat Sep 18 16:37:56 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8D1E516A4CE for ; Sat, 18 Sep 2004 16:37:56 +0000 (GMT) Received: from boleskine.patpro.net (boleskine.patpro.net [62.4.20.155]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2727043D2D for ; Sat, 18 Sep 2004 16:37:56 +0000 (GMT) (envelope-from patpro@patpro.net) Received: from localhost (localhost.patpro.net [127.0.0.1]) by boleskine.patpro.net (Postfix) with ESMTP id B1C067ED; Sat, 18 Sep 2004 18:37:55 +0200 (CEST) Received: from boleskine.patpro.net ([127.0.0.1]) by localhost (boleskine.patpro.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 69209-02; Sat, 18 Sep 2004 18:37:47 +0200 (CEST) Received: from [192.168.0.1] (cassandre [192.168.0.1]) by boleskine.patpro.net (Postfix) with ESMTP id 8D4206D8; Sat, 18 Sep 2004 18:37:45 +0200 (CEST) Mime-Version: 1.0 (Apple Message framework v619) In-Reply-To: References: Content-Type: text/plain; charset=US-ASCII; format=flowed Message-Id: <10CB0925-0991-11D9-AE98-000D93B1A412@patpro.net> Content-Transfer-Encoding: 7bit From: Patrick Proniewski Date: Sat, 18 Sep 2004 18:37:44 +0200 To: brain@winbot.co.uk, Liste FreeBSD-security X-Mailer: Apple Mail (2.619) X-Virus-Scanned: by amavisd-new at patpro.net Subject: Re: Attacks on ssh port X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 18 Sep 2004 16:37:56 -0000 On 18 sept. 2004, at 15:05, Craig Edwards wrote: > as ive read this is an attack from some kiddie trying to build a > floodnet. > > records show that most of the compromised boxes are linux machines > which end up having suckit rootkit and an energymech installed on > them, i dont know if the attacker has ever gotten into a freebsd > machine and what they'd do if they did. > > On my machines i have a dummy shell which APPEARS to be a successful > login but just returns weird errors (such a "Segmentation Fault") or > bad data for all commands that are issued, while also logging their > commands. im tempted to put this on the 'test' account and let them in > on this shell to see what is attempted. just to clarify, if i did such > a thing theres no way for them to break out of the shell, right? its a > simple perl script, so if the perl script ends, theyre logged off? > This is what i expect to happen however i don't want to risk it unless > its 100% safe... And just to clarify again all commands that are > issued from this fake shell never reach the REAL os, even "uname" > returns a redhat 7.2 string when the real machine is actually freebsd > 5... > I wouldn't do that if I were you, I think it's more interesting and safe to create a full jailed system, with a honeypot running in this jail (but well, honeypot has to be legal in your country, and that is not the case everywhere) patpro -- je cherche un poste d'admin-sys Mac/UNIX http://patpro.net/cv.php