I've searched a good bit on the topic, and tried compiling vlogger (2.1.1, I think); however, I have not had much luck.
I have a VMware honeypot set up and would like to avoid using user-mode-linux on top of that if possible. I have not been able to find a clear-cut Linux kernel-based keylogger which works (aside from mentions of prepackaged rootkits and related). vlogger has many errors when compiling on a 2.4 kernel (it does compile the control program, however it crashes when compiling the actual keylogger)... and when compiling on the 2.6.x series, even more errors are had.
I don't really 'program' aside from when I need to, so 'diving right in' to using kernel hooks and kernel input buffers to make my own for this purpose would take a while.
I've searched a good bit on the topic
Just curious what you found then.
I have a vmware honeypot
You know VMware can be detected? And you don't need to be root for it.
I have not been able to find a clear-cut Linux kernel-based keylogger which works (aside from mentions of prepackaged rootkits and related).
You got a job to be done, so what's wrong with rootkits if that would work? Anyway, tried Sebek?
vlogger (..) however crashes when compiling the actual keylogger
Did you drop a question about that in the Programming forum? Might help..
2) Yes, I am aware of the ease with which VMware can be identified by looking at the devices, *especially* in regards to VGA. However, VMware is at least legitimate software. If there are other ways you're aware of for detecting a virtual instance, please share. I'm not opposed to slapping together an old PII, just lazy I suppose.
No, I have no opposition to rootkits; they would even be preferable and convenient in this instance, they are just somewhat foreign territory to me as far as which ones exist and such. Sebek's info looks very promising.
3) If Sebek falls through, I'll take the Programming forum advice; just thought I'd see if I could grab some quick and dirty comments here.
However, if there are other ways you're aware of for detecting a virtual instance, please share.
VMware specific: BIOS values, magic number/segfault check, VMware backdoor (legitimate), IDT address, execution timing, dmesg, IP IDs, VMware's MAC address vendor range, TCP stack errors. General: execution timing (vs. a clean system), looking for shaping/limiting, payload changes. For me the most important thing to realise is that honeypots are (quoting Corey) "a modification to the structure of the system that can and will be found". Articles and discussions on various mailing lists are easy to find at either SecurityFocus, MARC or Phrack, but here are some docs:
- Phrack phake, p62-0x07: Local Honeypot Identification (txt)
- Phrack phake, p63-0x09: Advanced Honey Pot Identification And Exploitation (txt)
- CCC, Nosebreak: Attacking Honeynets (pdf)
- USMA, 2005 IEEE: Detecting Honeypots and other suspicious environments (pdf)
- VMware's back
- SecurityFocus.com, 4tphi: Detecting VMWare
- SecurityFocus.com, Defeating Honeypots: System Issues, Part 1 and Part 2 (also note the "Network issues" and other docs in the reference table at the bottom)
BTW, changing all Makefile maligns to faligns was all I needed to do, so what exactly were those errors compiling vlogger?