Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
06-24-2001, 10:52 AM | #1
Member | Registered: Jun 2001 | Location: Allen, Texas, USA | Distribution: Redhat | Posts: 82
Tools to trick hacking attempts?
A few months ago, my Redhat Linux 7.0 got hacked and appeared to have become a hacker's bot, due to security holes in an early version of named. But I never figured out completely what had been installed and what kind of files had been altered. Later I upgraded to RH 7.1 and hope it's OK now. But I still see quite a few hacking attempts, as indicated in /var/log/http/access_log; a couple of examples:
www.mcsi.net - - [19/Jun/2001:06:37:57 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\shell.exe" 404 -
h24-76-12-17.vw.shawcable.net - - [20/Jun/2001:05:16:27 -0500] "GET /scripts/..%../winnt/system32/cmd.exe?/c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\shell.exe" 404 -
They are probably young kiddies trying to find some fun over the net. I wonder if there are some tools available, so that when such hacking attempts are received by the server, it will either respond with a false WinNT command prompt, or have a game program opened for the hacker to play. Whatever they attempt to do, there is an option to log it to a file. And perhaps use their hacking connection to find services or security holes on the hacker's source computer. Any suggestions?
06-24-2001, 01:26 PM | #2
LQ Newbie | Registered: Jun 2001 | Location: Sweden | Distribution: RedHat, Slackware | Posts: 2
Re:
Well, they have tried to use some exploits that target IIS web servers (Internet Information Server, on WinNT/2000).
So if you run the web server on RedHat then you are safe from those bugs.
If you are running Apache then always update to the latest stable version.
You can hide the Apache version etc. from visitors.
Check out the docs at www.apache.org
/ fuzzion
06-24-2001, 01:50 PM | #3
Member (Original Poster) | Registered: Jun 2001 | Location: Allen, Texas, USA | Distribution: Redhat | Posts: 82
My question was where I can find tools so I can turn such attempts to some decoy directory, where it may appear to be NT to hackers; they'll think they got into an NT system, and I can use monitoring tools or logs to find the intruder's intention or hacking techniques. Obviously in the last two instances of hacking attempts, hackers were trying to test my system to see if they could get an NT command prompt. I'd like to give them the screen, so they might think they got the administrator's cmd prompt. Then I can see what they'll do next. Is there any place to find such decoys?
Thanks.
06-25-2001, 07:31 PM | #4
Moderator | Registered: May 2001 | Posts: 29,415
There's a heavy listing of tools at http://www.cerias.purdue.edu/coast/hotlist/ and a shorter one at http://sites.inka.de/lina/freefire-l/tools.html.
I've forgotten what its name was, but there was a tool (like FakeBO is for BO) where you would fake stuff to intruders; you'll likely find it there.
In general, there is no way you will want to set up a live system and let intruders muck 'n trash it for their fun.
Better to set up a decoy system to look at/learn from, and call it a "Honeypot".
See Spitz's work including the "Know Your Enemies" at http://project.honeynet.org/.
A honeypot is basically a "normal" server put up outside the DMZ perimeter, which you would take down after you got notified it's been hacked, or get nightly images from to study what's been done.
Then, IMHO, there's no way you can fake cmd.exe on a 'nix box (I had some W2K shell scripting to do tonight), and they aren't looking for a shell prompt anyway; the cmd.exe is just there to execute the rest of their exploit with.
Read more on IIS vulnerabilities at http://www.sans.org, http://www.cert.org, http://www.neohapsis.com and http://www.securityfocus.com. SecurityFocus has some good newsletters/mailing lists as well, and Neohapsis has some MLs archived. (strange... now why didn't I point to microsoft as well...)
I'm sorry to say, but if you haven't got a clue what they are up to, don't burn your hands. Better to invest your time in reading and setting up Snort (http://www.snort.org), which can notify you of incoming hostilities by scanning traffic for certain signatures.
HTH
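The two probes quoted in post #1 and the points made in post #4 (the cmd.exe is only the vehicle for the rest of the exploit; a decoy should log, not run anything) lend themselves to a small worked example. The block below is added here and is not code from any of the posts or from the tools they link to. It decodes the request paths the way unpatched IIS 4/5 decoded them (accepting the overlong `%c0%af` form of `/`, which is why `..%c0%af..` got past the `../` check), classifies each access_log line, and wraps the same classifier in a minimal low-interaction decoy of the kind post #3 asks for. The first two log lines are copied from post #1; the `example.invalid` lines, the double-encoded `%255c` probe (a later IIS variant the thread does not mention, included to show the second decoding pass) and the decoy's canned cmd.exe text are constructed for the example. Python 3 standard library only.

```python
"""Classify IIS-style traversal probes in Apache access_log lines and serve a
tiny low-interaction decoy that logs what each probe decodes to.
Added example for this thread, not code from the posts or the tools they link.
The two probe requests are copied from the first post; the other two log lines,
the example.invalid host and the decoy's fake cmd.exe text are constructed."""
import re
import urllib.parse
from http.server import BaseHTTPRequestHandler, HTTPServer

# Apache "common" log format; the request may lack the HTTP/x.y token, as the
# thread's two lines do.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[^"\s]+) (?P<path>[^"\s]+)(?: (?P<proto>[^"\s]+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)')
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')

def lenient_utf8(raw: bytes) -> str:
    """Decode UTF-8 the way unpatched IIS 4/5 did: overlong two-byte forms such
    as C0 AF ('/') and C1 9C ('\\') are accepted rather than rejected, which is
    how '..%c0%af..' got past the '../' check. Malformed bytes become U+FFFD."""
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        n = (0 if b < 0x80 else 1 if 0xC0 <= b <= 0xDF
             else 2 if 0xE0 <= b <= 0xEF else 3 if 0xF0 <= b <= 0xF4 else -1)
        tail = raw[i + 1:i + 1 + max(n, 0)]
        if n == 0:
            out.append(chr(b))
            i += 1
        elif n < 0 or len(tail) != n or any(not 0x80 <= t <= 0xBF for t in tail):
            out.append('\ufffd')
            i += 1
        else:
            cp = b & (0x7F >> (n + 1))  # payload bits of the lead byte
            for t in tail:
                cp = (cp << 6) | (t & 0x3F)
            out.append(chr(cp) if cp <= 0x10FFFF else '\ufffd')
            i += 1 + n
    return ''.join(out)

def classify(path: str) -> dict:
    """Indicators for one request path. Decoding runs twice so the later
    double-encoded variant (%255c -> %5c -> '\\') is caught as well."""
    raw = urllib.parse.unquote_to_bytes(path)
    once = lenient_utf8(raw)
    twice = lenient_utf8(urllib.parse.unquote_to_bytes(once))
    return {
        'overlong_utf8': any(b in (0xC0, 0xC1) for b in raw),  # never valid UTF-8
        'traversal': bool(TRAVERSAL_RE.search(once)),
        'double_encoded': bool(TRAVERSAL_RE.search(twice) and not TRAVERSAL_RE.search(once)),
        'cmd_exe': 'cmd.exe' in twice.lower(),
        'decoded': twice,
    }

def is_probe(ind: dict) -> bool:
    return bool(ind['cmd_exe'] or ind['traversal'] or ind['double_encoded'])

def scan_log(lines):
    """(host, status, indicators) for every line that looks like a probe."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        ind = classify(m['path'])
        if is_probe(ind):
            hits.append((m['host'], int(m['status']), ind))
    return hits

def decoy_response(path: str):
    """Fake 200 with a bogus cmd.exe transcript for probes, plain 404 otherwise.
    '1 file(s) copied.' mimics the 'copy' command the thread's probes ask for."""
    if not is_probe(classify(path)):
        return 404, 'Not Found\r\n'
    return 200, 'Microsoft Windows 2000 [Version 5.00.2195]\r\n        1 file(s) copied.\r\n'

class DecoyHandler(BaseHTTPRequestHandler):
    server_version, sys_version = 'Microsoft-IIS/5.0', ''  # Server: header as bait
    def do_GET(self):
        status, body = decoy_response(self.path)
        # Record the raw request and what it decodes to before answering.
        print(f'{self.client_address[0]} {self.path!r} -> {classify(self.path)["decoded"]!r}')
        self.send_response(status)
        self.send_header('Content-Type', 'text/plain')
        self.end_headers()
        self.wfile.write(body.encode())

def run_decoy(port=8080):
    HTTPServer(('0.0.0.0', port), DecoyHandler).serve_forever()

# Two lines from the first post, then a constructed benign request and a
# constructed double-encoded probe (host example.invalid is made up).
SAMPLE_LOG = [
    'www.mcsi.net - - [19/Jun/2001:06:37:57 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+copy+c:\\winnt\\system32\\cmd.exe+c:\\inetpub\\scripts\\shell.exe" 404 -',
    'h24-76-12-17.vw.shawcable.net - - [20/Jun/2001:05:16:27 -0500] "GET /scripts/..%../winnt/system32/cmd.exe?/c+copy+c:\\winnt\\system32\\cmd.exe+c:\\inetpub\\scripts\\shell.exe" 404 -',
    'example.invalid - - [21/Jun/2001:08:00:00 -0500] "GET /index.html HTTP/1.0" 200 1043',
    'example.invalid - - [21/Jun/2001:08:00:05 -0500] "GET /msadc/..%255c..%255cwinnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -',
]

if __name__ == '__main__':
    for host, status, ind in scan_log(SAMPLE_LOG):
        print(host, status, ind['decoded'])
```

Run as a script to see the three probes with their decoded paths (the benign `/index.html` line is skipped); call `run_decoy()` to serve the decoy on port 8080. The decoy never executes anything: it only logs the decoded request and returns canned text, so the attacker's next step is recorded without giving them a system to trash. Note that the classifier ignores the 404/200 status on purpose; Apache rejecting the request does not change what the request was trying to do.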
06-29-2001, 12:32 AM | #5
Member (Original Poster) | Registered: Jun 2001 | Location: Allen, Texas, USA | Distribution: Redhat | Posts: 82
Thank you very much unSpawn for the great links.
I think I have found something which seems attractive:
http://www.all.net/dtk/dtk.html
Btw, you mentioned honeynet.org, but I didn't see that they have released any programs. Have you seen any?
thanks again.
07-01-2001, 03:36 PM | #6
Moderator | Registered: May 2001 | Posts: 29,415
Heh, no, honeypot.org doesn't do apps, they just observe, and once in a while you are allowed to break into a honeypot.
They also have a feature called "Scan Of The Month" where you can guess at what tools people are using against a host from the signatures, dumps etc.