LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 06-24-2001, 10:52 AM   #1
LionKing
Member
Registered: Jun 2001
Location: Allen, Texas, USA
Distribution: Redhat
Posts: 82
Tools to trick hacking attempts?


A few months ago, my Redhat Linux 7.0 got hacked and appeared to become a hacker's bot, due to security holes in an early version of named. But I never figured out completely what had been installed, and what kind of files had been altered. Later I upgraded to RH7.1 and hope now it's ok. But I still see quite a few hacking attempts as indicated in /var/log/http/access_log, a couple of examples:

www.mcsi.net - - [19/Jun/2001:06:37:57 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\shell.exe" 404 -

h24-76-12-17.vw.shawcable.net - - [20/Jun/2001:05:16:27 -0500] "GET /scripts/..%../winnt/system32/cmd.exe?/c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\shell.exe" 404 -

They are probably young kiddies trying to find some fun over the net. I wonder if there are some tools available, so when such hacking attempts are received by the server, it will either respond with a false WinNT command prompt, or have a game program opened for the hacker to play. Whatever they attempt to do, there is an option to log to a file. And perhaps use their hacking connection to find services or security holes on the hacker's source computer. Any suggestions?
Old 06-24-2001, 01:26 PM   #2
fuzzion
LQ Newbie
Registered: Jun 2001
Location: Sweden
Distribution: RedHat, Slackware
Posts: 2
Re:

Well, they have tried to use some exploits that can be found in IIS webservers (Internet Information Server, in WinNT/2000).

So if you run the webserver on RedHat then you are safe from those bugs.

If you are running Apache then always update to the latest stable version.

You can hide the Apache version etc for visitors.
Check out the docs at www.apache.org

/ fuzzion
Old 06-24-2001, 01:50 PM   #3
LionKing
Member
Registered: Jun 2001
Location: Allen, Texas, USA
Distribution: Redhat
Posts: 82
Original Poster
My question was where I can find tools, so I can turn such attempts to some decoy directory, where it may appear to be NT to hackers; they'll think they got into an NT system, and I can use monitoring tools or logs to find the intruder's intention or their hacking techniques. Obviously in the last two instances of hacking attempts, hackers were trying to test my system to see if they could get an NT command prompt. I'd like to give them the screen, so they might think they got the administrator's cmd prompt. Then I can see what they'll do next. Is there any place to find such decoys?
Thanks.
Old 06-25-2001, 07:31 PM   #4
unSpawn
Moderator
Registered: May 2001
Posts: 29,409
Blog Entries: 55
There's a heavy listing of tools at http://www.cerias.purdue.edu/coast/hotlist/ and a shorter one at http://sites.inka.de/lina/freefire-l/tools.html.
I've forgotten what this name was, but there was a tool like FakeBO is for BO, where you would fake stuff to intruders; you'll likely find it there.

In general there is no way you will want to set up a live system and want intruders to muck 'n trash it, for their fun.
Better set up a decoy system for looking at/learning from and call it a "Honeypot".
See Spitz's work including the "Know Your Enemies" at http://project.honeynet.org/.
A honeypot is basically a "normal" server put up outside the DMZ perimeter, which you would take down after you got notified it's been hacked, or get nightly images from to study what's been done.

Then, IMHO, there's no way you can fake cmd.exe on a nix box (had some W2K shellscripting to do tonight), and they aren't looking for a shell prompt anyway; the cmd.exe is just there to execute the rest of their exploit with.
Read more on IIS vulnerabilities at http://www.sans.org, http://www.cert.org, http://www.neohapsis.com and http://www.securityfocus.com. Secfocus has some good newsletters/mailinglists as well and neohapsis has some ml's archived. (strange... now why didn't I point to microsoft as well...)

I'm sorry to say, but if you haven't got a clue what they are up to, don't burn your hands. Better invest your time in reading and setting up Snort (http://www.snort.org), which can notify you of incoming hostilities based on scanning traffic for certain signatures.

HTH
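An added example, not from the thread: a small signature scanner over Apache access_log lines in the spirit of the signature-based alerting suggested above. It takes the two requests the original poster quoted (plus one constructed benign line), percent-decodes the request target, folds the overlong UTF-8 encoding of "/" that IIS mishandled, and flags cmd.exe and "../" traversal patterns. The signature names and record layout are my own.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample: the two requests quoted in the thread plus one benign hit.
SAMPLE_LOG = r"""www.mcsi.net - - [19/Jun/2001:06:37:57 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\shell.exe" 404 -
h24-76-12-17.vw.shawcable.net - - [20/Jun/2001:05:16:27 -0500] "GET /scripts/..%../winnt/system32/cmd.exe?/c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\shell.exe" 404 -
10.0.0.5 - - [20/Jun/2001:09:00:00 -0500] "GET /index.html HTTP/1.0" 200 1234
"""

# Apache common log format; the request field may lack an HTTP version, as above.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+$'
)

# Signatures are matched against the percent-decoded, normalised request target.
SIGNATURES = (
    ("iis-cmd-exe", re.compile(rb"cmd\.exe", re.IGNORECASE)),
    ("dir-traversal", re.compile(rb"\.\.[/\\]")),
)


def analyze(line: str):
    """Return a record for one log line, with the list of matched signature names."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = m.group("req").split(" ")
    target = parts[1] if len(parts) > 1 else ""
    raw = unquote_to_bytes(target)  # invalid escapes such as "%.." are kept literally
    hits = []
    if b"\xc0" in raw or b"\xc1" in raw:  # 0xC0/0xC1 lead bytes only occur in overlong UTF-8
        hits.append("overlong-utf8")
    # Fold the overlong encodings of "/" and "\" to ASCII so the traversal pattern sees them.
    norm = raw.replace(b"\xc0\xaf", b"/").replace(b"\xc1\x9c", b"\\")
    hits += [name for name, rx in SIGNATURES if rx.search(norm)]
    return {"host": m.group("host"), "timestamp": m.group("ts"),
            "status": int(m.group("status")), "target": target, "hits": hits}


def scan_log(text: str):
    """Return only the records that matched at least one signature."""
    records = (analyze(l) for l in text.splitlines() if l.strip())
    return [r for r in records if r and r["hits"]]


if __name__ == "__main__":
    for r in scan_log(SAMPLE_LOG):
        print(f'{r["timestamp"]} {r["host"]} {r["status"]} {",".join(r["hits"])}')
```

Both quoted requests are flagged; the 404 status shows Apache never served anything, which is the point made above about why a fake prompt would not help.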
Old 06-29-2001, 12:32 AM   #5
LionKing
Member
Registered: Jun 2001
Location: Allen, Texas, USA
Distribution: Redhat
Posts: 82
Original Poster
Thank you very much unSpawn for the great links.
I think I have found one which seems attractive:
http://www.all.net/dtk/dtk.html
Btw, you mentioned honeynet.org; I didn't see they have released any programs. Have you seen any?
Thanks again.
Old 07-01-2001, 03:36 PM   #6
unSpawn
Moderator
Registered: May 2001
Posts: 29,409
Blog Entries: 55
Heh, no, honeypot.org doesn't do apps; they just observe, and once in a while you are allowed to break into a honeypot.
They also have a feature called "Scan Of The Month" where you can guess at what tools people are using against a host from the signatures, dumps etc.