Domain: honeynet.org
Stories and comments across the archive that link to honeynet.org.
Comments · 115
-
Re:re-incorporation?
Why not just merge SELinux with Linux?
SELinux is about mandatory access controls and control policy enforcement. See the SELinux FAQ for more info about SE Linux.
Sebek (now version 2) is a kernel-level logger. It does not stop users from doing anything. In fact, if it did, that would make it useless for its primary job as a tool for building honeynets, a controlled network of systems designed to be compromised by attackers so that their methods (and related matters) can be studied by security geeks.
-
Re:Sec.training: Scan of The Moth
Great point. You can find them here
-
Re:Yes
On behalf of myself and all of the other slashdot idiots, I apologize.
Apology accepted.
Sadly, not everyone is as educated or intelligent as you are.
Sadly, indeed.
Wow, get off yourself buddy. Slashdot is not a mensa meeting.
I think Slashdot could learn quite a lot from Mensa meetings. Unfortunately (or should I say fortunately?) most of the people from Slashdot would never be allowed to enter such a meeting. (By the way, it's Mensa, with capital M. Please show at least some respect, thank you.)
In real life, people smile when someone makes a joke.
In Mensa life (I suppose it's not "real" for you, because of which I can only say, that I'm sorry) we do smile (or even laugh, mind you) when someone makes a good and intelligent joke. (Please notice "good" and "intelligent" keywords.)
Please read the Mensa Constitution and you will see there is nothing about what you are poorly trying to implicate, i.e. that intelligent people cannot have any sense of humor.
btw, could you imagine a beowulf cluster of these?
You mean a virtual honeynet running on VMware, which in turn runs on a beowulf cluster? Actually, due to the virtualization overhead, it would be much smarter to run a standard (i.e. non-virtual) honeynet, if you have many computers to run it on, now wouldn't it?
-
Yes
I've heard about the idea and development of the vimage patch, and this is great news that it's finally done and fully functional. Some of those ideas are not really new, as anyone who knows OS/390 could tell you, but it's really great they can now be used in FreeBSD systems.
For those of you who know that I'm involved in building honeynets, it won't be a surprise that I am really (by which I mean really) looking forward to using those new features in my future honeypots, firewalls and other security-related projects.
Actually, those features seem to be created just exactly to be used for deploying virtual honeynets. Just imagine what you can do with VMware, vimage-FreeBSD and UML all running on the same machine!
Great work, Marko.
-
One of two ways, depending...
First off, computer security is much like many other forms of security, at the concept level. The particulars of implementation are very different, but the underlying motives of the players and the interactions aren't. The infamous 419 scam was originally done in person, then by phone, and then by fax before it was possible to do it via email, for example, and lesser variants of it (the pigeon scam, for example) have existed in the offline world.
If you're looking to grasp home user or end user security, the first thing I'd do is buy The Gift of Fear by Gavin de Becker. Right off, that will give you a good understanding of intuitive threat modeling for everyday life. Unfortunately, I can't find a book out there that does home-user security for the average joe, nor can I find a class...but I am writing a book myself.
If you're interested in security from a more admin-oriented perspective, I would go to SecurityFocus and check out some of their mailing lists. At first, the material may be over your head, but you'll find that that only pulls you up a bit. Also, get yourself a linux box and learn linux (if you don't already know it). Set up a honeynet and see what's going to happen to an unpatched, exposed box. Or just set up snort with ACID as the front-end console to observe the attacks that are taking place. Once you understand the threat, it becomes a lot easier to decide what to study to defend against it. -
Materials to start with
Try "Network Intrusion Detection: An Analyst's Handbook" by Stephen Northcutt.
"Know your Enemy" from the Honeynet Project
Experiment with the following programs:
Snort
Ethereal
IPTables
TcpDump/LibPcap
Follow articles/join mailing lists at:
CERT
Securityfocus
Examine analysis of the Scan of the Month Challenge at the Honeynet Project website.
Get yourself CISSP reference texts and generally increase your knowledge. I believe Cisco now has a few security-based certifications as well, YMMV. -
Another Review
I wrote this last week, if you're looking for a bit more detail...
Those who love UNIX (and UNIX-inspired operating systems) will surely adore Linux Server Hacks by Rob Flickenger. For decades, a mysterious sect of bearded wizards has dominated the inner sanctums of our network infrastructures, inspiring the awe of onlookers by crafting clever scripts and piping output in ingenious ways most of us never even thought of. This small but marvelous book attempts to steer apprentice wizards in the noble direction of clever system administration, with examples taken from experience in O'Reilly's own LAMP networks.
The book begins with a refreshing introduction (by esr) detailing what it means to be a hacker. No, not the hax0ring w4r3z d00dz of frequent media attention, but the aforementioned bearded variety who spend most of their waking effort forging uncommon techniques for solving otherwise dull problems. Kudos to Mr. Flickenger (and O'Reilly) for not only acknowledging the difference, but celebrating it.
As the title would indicate, the audience of this book is the administrator in charge of a server--that is, a Linux box performing only a couple of dedicated tasks, probably of a network-oriented nature. Although Linux enthusiasts from the desktop realm are not part of the intended audience, they will almost certainly pick up a thing or two from the material anyway.
The book is organized into the following sections:
- Server Basics is a variety of general purpose tips that don't fit into the other major categories. Some of the more interesting items include:
- Persistent daemons with init
- Building complex command lines
- Using xargs with tricky arguments
- Effectively using sudo
- Makefiles for automating administrative tasks
I think the real magic of this chapter isn't necessarily the tips themselves, but the creative process behind them; the author is demonstrating a methodology for dealing with common problems by introducing clever solutions. This will ideally inspire the reader to deal with other problems in the same creative manner.
- Revision Control. Servers with multiple administrators may benefit from using a revision control system to handle changes to configuration files. This section illustrates using RCS, with examples of checking config files in and out of the system. This provides a segue into using CVS for controlling revision of large software projects.
- Backups becoming a nuisance? Approach them from a new angle by implementing some of the tips from this chapter. Examples include automated incremental backups over tar, rsync, and ssh; archiving with pax; and even some very creative (if not a little scary) ideas like piping your backups over ssh directly into cdrecord. The UNIX philosophy is illustrated well: simple tools working well together as an efficient solution.
- The Networking chapter covers material that is no doubt already familiar to security-conscious Linux users. However, iptables newbies (or those transitioning from ipf or pf) will appreciate the netfilter primer and discussion of masquerading (NAT) and TCP port forwarding. Some tunneling and encapsulation techniques are also detailed here.
- Monitoring details the use of syslog, and a great deal more. Networking aspects are given ample attention, without any redundant information in respect to the previous chapter. Some simple tips are given (like using lsof to track down elusive processes) as well as more advanced ideas (like a short shell script to perform an IP fail-over.)
- SSH tips: are you still tapping out a password every time you hop to a new machine? If you administrate more than a few, this can be distracting and tedious. This chapter illustra
-
Know Your Enemy: Learning with VMware
Could be a duplicate post (I didn't look at the others hard) but here is a direct link for setting up honeypots with VMWare.
Know Your Enemy: Learning with VMware
Many thanks to the Honeynet team for such a great site! -
Honeypots are awesome.
I had a very hard time convincing my manager to allow us to set up a honeypot on our DMZ. He said since no one could get there, what was the point. Three weeks later, when a hacker managed to break in via some badly written ASP programs (not my fault), it was the honeypot that sent us the alerts that let us get him off our network.
Of course honeypots can also be used to learn what hackers do. The Honeynet Project is a great place to go to learn how to set one up securely so it can't be used to attack other people.
In fact, today a new version of honeyd was released:
As many of you already know, Honeyd is an OpenSource honeypot designed for the Unix platform. It has many features, including the ability to monitor millions of IP addresses, detect activity on any UDP or TCP port, OS emulation at the user and kernel level, create virtual networks, and so on.
Toxen's fear of Honeynets and Honeypots shows the "if I don't understand it, it's not good" theory I find in too many managers. He should take some time to run a honeypot or two and see how useful they can be.
Marcus Ranum and I are big fans of Honeyd. To make it easier for people to work with and understand this technology, we took all the necessary ingredients together and 'cooked' them up for you, creating the Linux Honeyd Toolkit. This toolkit is a ready-to-go distribution of Honeyd, with statically precompiled binaries, configuration files, and startup scripts. The idea being you just update the honeyd.conf file to what you want your honeypot to look like and let her rip.
-
How to learn Unix Administration in 24 hours
First, start with installing a stock Red Hat 6.2 on a box. Make it a server install. Connect to the Internet. Don't set up a firewall. Furthermore, make sure that the box will be used as the only mail server of the company right from the start.
After the machine is hacked in 15 minutes, management and all coworkers will give you at most 24 hours to make the server productive and safe. After this longest day, you will have learned the essentials of Unix Administration.
-
Spammers = Crackers
Most people end up making this a free speech thing, all spammers do is a little e-mailing, that granted we don't want, but that's it. This is not the case, many spammers are involved in hacking. Using this to anonymize themselves and harvest more victims. Check out the Honeynet Project's SOTM 22 here. The attacker was a spammer who was using a compromised system to run an e-mail harvester that targeted ICQ users.
-
FORMAT YOUR HARD DRIVE and reinstall.
OK, please do not regard this as bashing. It's just the correct answer to anyone with this problem - if you don't like it, the problem is not in the answer.
NETBIOS CANNOT BE SECURED. If you leave your netbios ports open, you can be cracked to such a degree that it will be impossible for anyone other than a forensic analyst (who will boot from a linux or BSD boot disk) to detect. Netbios is only a viable solution on TRUSTED networks, which the Internet isn't, by definition.
YOU ARE PROBABLY OWNED. Your machine is most likely already completely compromised, and is happily working on cracking RC5 ciphers for somebody you've never met. See the honeynet project for more information (incidentally, one of the founders of honeynet reportedly got cracked by el8; everybody can make mistakes).
YOUR BEST OPTION IS TO FORMAT YOUR HARD DRIVE. The fastest, most reliable way to remove any possibility of a problem is to reload your system from a read-only media - i.e. your windows distribution disk. You must scrub the hard drive first, though; there are programs that can survive windows reinstallation unless this step is taken. You must also disconnect your Internet connection until you have a firewall running, to be absolutely safe; you should buy the firewall or get a friend with a more secure system to download one for you, since anything you download with your machine is suspect.
Hope this helped! -
Re:I got the bastard's IP
Yah.. Eli wasn't responsible. And likely his box wasn't hacked.. more likely, a user account was compromised.. if at all.
Maybe a machine was h4xx0red that routes traffic to the mentioned ip. Responses from the backdoor can be sniffed then. For those of you not feeling paranoid enough goto Project Honeynet and read about the challenges.
-
Limitations
a safe, secure way of running Linux versions and Linux processes
Well, yes it is, but if you want to take advantage of the security, and debug processes in depth, then you might have some problems.
Many of you will probably remember the Reverse Challenge. One evening I downloaded the malicious binary, and decided that UML would be ideal to try running it in a tightly controlled environment - using fenris to trace its execution and learn more about it.
Unfortunately, fenris doesn't work under UML (neither does strace if I remember correctly).
Shame. It's a lot cheaper than VMWare!
-
Re:I did a security test this week
Well these things have in fact been measured
- Between April and December 2000, seven default installations of Red Hat 6.2 servers were attacked within three days of connecting to the Internet. Based on this, we estimate the life expectancy of a default installation of Red Hat 6.2 server to be less than 72 hours. The last time we attempted to confirm this, the system was compromised in less than eight hours.
- The fastest time ever for a system to be compromised was 15 minutes. This means the system was scanned, probed, and exploited within 15 minutes of connecting to the Internet. Coincidentally, this was the first honeypot we ever set up, in March of 1999.
- A default Windows98 desktop was installed on October 31, 2000, with sharing enabled, the same configuration found in many homes and organizations. The honeypot was compromised in less than twenty four hours. In the following three days it was successfully compromised another four times. This makes a total of five successful attacks in less than four days.
- In May 2000, the first full month we archived Snort Intrusion Detection alerts, the Honeynet recorded 157 Snort alerts. In February 2001, the Honeynet recorded 1,398 Snort alerts, representing an increase of over 890%. This increase may be affected by modifications to the Snort IDS configuration file. However, we also see an increase of activity in the Firewall logs. In May 2000, the first full month we archived firewall alerts, the Honeynet firewall logged 103 unique scans (not counting NetBios). In February 2001, the Honeynet logged 206 unique scans (not counting NetBios). This represents an increase of 100%. These numbers indicate blackhat activity has continued to grow, most likely the result of more aggressive, automated scanning tools and their growing availability.
- In a thirty day period (20 Sep - 20 Oct, 2000), the Honeynet received 524 UNIQUE NetBios scans, averaging 17 unique NetBios scans every day.
- In the month of February, 2001, a total of 27 X86 exploits were launched against the Honeynet. X86 means these attacks were designed for systems using the Intel based architecture. Of these, 8 were launched against a Solaris Sparc system. These exploit attacks cannot work against the Sparc system, as the system architecture is not compatible. This indicates that some blackhats are not bothering to confirm what operating system nor what version of the service you are running. Some blackhats have streamlined their scanning process to merely look for a specific service. If they find the service, they launch the exploit without even first determining if the system is vulnerable, or even the correct system. This active approach allows blackhats to scan and exploit more systems in less time.
- From April 2000 through present, the most popular reconnaissance methods, besides general scanning, were DNS version queries, followed by queries to RPC services.
- The most popular attack method was an overflow associated with rpc.statd for Intel based systems.
- The most popular scanning method detected was the SYN-FIN scan to search the entire IP range for specific ports (often in sequential order). This reflects the tactic of focusing on a single vulnerability, and scanning as many systems as possible for the vulnerability. Many blackhats only use a single tool or exploit that they know how to use, or is the most effective.
Data from the Honeynet Project, emphasis mine. I am a bit sorry for this excessive quoting, but reading this paper back gets me even more scared than the first time, now that I know the US army did not include this in the mandatory reading for admins. btw, having a nc -L -p 80 listener around lets you know when it's someone in person looking for you or "just" Nimda; I would imagine you would see even more of the former in the .mil domain :-( -
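The quoted statistics single out the SYN-FIN scan (one port swept across a whole IP range) as the most common scanning method seen by the Honeynet. SYN and FIN set together never occur in a legitimate TCP handshake, so it is an easy pattern to pick out of packet logs. The following is an added example, not code from the comment above or from the Honeynet Project: it parses constructed log lines written in the style of tcpdump's one-line output (the format and the sample addresses are assumptions for illustration), flags packets carrying both flags, and groups them by source to tell a horizontal sweep (one port, many hosts) from a vertical scan (many ports, one host).

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample lines in the style of tcpdump's one-line TCP output.
# These are NOT real captures; addresses are from documentation ranges.
SAMPLE_LOG = """\
12:00:01.000 IP 203.0.113.5.40000 > 192.0.2.10.21: Flags [SF], seq 0, win 1024
12:00:01.010 IP 203.0.113.5.40000 > 192.0.2.11.21: Flags [SF], seq 0, win 1024
12:00:01.020 IP 203.0.113.5.40000 > 192.0.2.12.21: Flags [SF], seq 0, win 1024
12:00:02.000 IP 198.51.100.7.51234 > 192.0.2.10.80: Flags [S], seq 12345, win 65535
12:00:02.100 IP 192.0.2.10.80 > 198.51.100.7.51234: Flags [S.], seq 777, ack 12346, win 5840
12:00:03.000 IP 198.51.100.7.51234 > 192.0.2.10.80: Flags [F.], seq 12346, ack 778, win 65535
12:00:04.000 IP 203.0.113.9.1337 > 192.0.2.10.111: Flags [SF], seq 0, win 512
"""

# Assumed line layout: "<ts> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


@dataclass
class Packet:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str


def parse_line(line):
    """Parse one tcpdump-style line into a Packet, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return Packet(m["ts"], m["src"], int(m["sport"]),
                  m["dst"], int(m["dport"]), m["flags"])


def is_syn_fin(pkt):
    """SYN ('S') and FIN ('F') together are never valid; a normal SYN-ACK shows as 'S.'."""
    return "S" in pkt.flags and "F" in pkt.flags


def find_syn_fin_scans(log_text):
    """Group SYN-FIN packets by source: {src: sorted [(dst, dport), ...]}."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        pkt = parse_line(line)
        if pkt is not None and is_syn_fin(pkt):
            hits[pkt.src].add((pkt.dst, pkt.dport))
    return {src: sorted(targets) for src, targets in hits.items()}


def describe_scan(targets):
    """Classify one source's targets as a horizontal sweep, a vertical scan, or neither."""
    ports = {dport for _, dport in targets}
    hosts = {dst for dst, _ in targets}
    if len(ports) == 1 and len(hosts) > 1:
        return f"horizontal sweep: port {next(iter(ports))} across {len(hosts)} hosts"
    if len(hosts) == 1 and len(ports) > 1:
        return f"vertical scan: {len(ports)} ports on {next(iter(hosts))}"
    return f"{len(hosts)} host(s), {len(ports)} port(s)"


if __name__ == "__main__":
    for src, targets in find_syn_fin_scans(SAMPLE_LOG).items():
        print(f"{src}: {describe_scan(targets)}")
```

On the constructed sample the normal three-way handshake between 198.51.100.7 and 192.0.2.10 is ignored, while 203.0.113.5 is reported as a horizontal sweep of port 21 across three hosts, which is exactly the "one port, whole IP range" tactic the statistics describe. Feeding real `tcpdump -n` output through `parse_line` requires only that the lines keep this layout; anything else is skipped rather than misparsed.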
Re:Whoa whoa whoa
So will the activity of the RIAA show up in places like The Honeynet Project? (Look out blackhats and record execs!)
-
Re:How many arrests?
If so, we need more honeypots; if not, it's a waste of time.
Perhaps a honeynet on its own is not terribly useful to the general population. However, the documentation, case studies and other material provided by this SPECIFIC honeynet project has enormous value. Their whitepapers are a very thorough look at real life hacking situations. I could see university classes formed based upon the research and publishing they have done.
As everybody knows, theory is great but real world examples can be just as, if not more, valuable. And here we have a project that has provided those examples. -
Re:*sigh*
Not at all true. Honeypots have gathered a number of very interesting exploits long before they became publicly accessible on common hacking webpages. Check out the honeynet project if you don't believe me. It stands to reason that a wireless honeynet would be just as useful for the same reasons, maybe even more, since I would expect the odds of getting someone more sophisticated on a wireless intrusion are higher than random internet IP scans.
-
Re:Strangeness
You mean like this program?
-
Re:What is a honeypot?
You can learn a lot about honeypots and network security in general on the Honeynet site. Browse the challenges, and the results, and be amazed ;) -
Re:Best way to learn about security
Another name for your environment is "A Honeypot". A wonderful thing to have, once you're a bit more experienced and know WHAT to look for. In this case, WHEN to look for it is just as important. The Honeynet Project has TONS of fantastic info. Everyone should look there in their travels. Participating is recommended!
-
Re:Easy way...
Or you just ask the people who have done just that. Really good papers and writeups there, but of course they are on Internet->your net untargeted attacks only. This is how most targeted attackers would also start (I think), but there is always the insider employee factor :-( -
Re:why can't we all be Italian?
I realize you were being slightly facetious, but look at the difference in what you get between the winner and the Dutch kid. Sure, $850 buys you a description of the problem and what to do to protect yourself, and that's great. But the winner went a huge distance beyond that -- his answers to the "bonus questions" are particularly insightful.
It seems to me, by the way, that the winner did all of his analysis without ever once running the program -- it was all clever reverse-engineering and decompilation. His tactics for reconstructing the symbol table were especially enlightening to me, but it seems to me that the entire description of his method of analysis is a great read and a good walkthrough if you wanted to start learning how to reverse-engineer a program via decompilation.
-
Re:Usefulness of NVM/Port 11
Reading this I really understand why you would use this protocol for DOS attacks...
First, the-binary doesn't use protocol 11 for the DoSes (they use SYN flood, Jolt 2, and a DNS flood).
Second, the authors of the-binary didn't implement NVP-II, they just stuck "11" in the protocol field (probably so they could avoid blockage/detection by firewalls/IDSes).
It's all spelled out here. -
why can't we all be Italian?
I spent a little time reading the solutions of the winner, and of the #9 guy who won the $200 gift certificate for the most concise answer. I clicked on the "cost estimate" link for the winner.
I thought it would be one of those vaporous confabulations of how many BILLIONS of dollars' worth of corporate man hours would be lost to this exploit. Surprise! It's an estimate of what he would charge you to do this, if you were paying him ~$70k a year. If you don't want to click, it was about $3500 for the winner, and about $850 for the 9th place guy.
Then I started clicking a couple at random, and I noticed that the various cost analyses of various teams seem to cluster between $2500 and $4000 or so.
The Italian team are the clear outliers, claiming that they would bill over $10,000 JUST for the RE team and the analysis write-up. They included a full day's billing to cover "meeting, discussion, and coffee time."
The conclusions? a) one Dutch kid can do the work of 8 Italian professionals in about 1/40th the time, and b) I need to get a job in Italy.
-
$28,000
From the results page:
The cost to contract out this analysis would most likely run at least $350 a hour. At that rate, the average cost for analyzing this binary would have been $28,000.
This must be good news for the participants, not to mention the winners!
-
Re:Explanation of "Protocol 11"
2: It was created specifically for voice transfers, along with "telephone emulation" (just the way you interface with the tele). I believe that many, if not all, webphones use this IP protocol. I also think that GSM and US telephones (that use IP networks) use this protocol to transfer voice data.
The winner of the challenge noted in his writeup that 'Protocol 11 is reserved for the Network Voice Protocol (NVP-II, rfc741 for the curious). NVP-II is an old protocol, generally not considered to be in use today.'
Some were asking how this could flood your system.... Well, what's the difference between TCP and UDP? Or how about ping floods??? Well, it's all data being sent to you. Doesn't matter what 8 bit field is switched... It's still garbage data (if you didn't request it). It fills up your receiving connection.
The binary doesn't use protocol 11 for its DoS attacks, it uses three known attacks - a SYN flood, a 'jolt' attack (Microsoft-specific) and a DNS request flood. Protocol 11 was only used for communication between the handler and the agent. Try reading the winner's excellent writeup for more information.
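The practical takeaway from the exchange above is that the handler/agent channel of that binary stood out only by its IP protocol number, not by a port. Below is an added example (not code from the Honeynet Project or from any of the challenge writeups) that parses raw IPv4 headers and flags packets whose protocol field is anything other than ICMP, TCP or UDP, so a protocol-11 (NVP-II) packet would be reported. The packets, the documentation-range addresses (192.0.2.x, 198.51.100.x) and the function names are all constructed for this demonstration.

```python
"""Flag IPv4 packets carrying an unexpected transport protocol number.

Added example, not from the Honeynet Project or the challenge writeups.
Parses minimal IPv4 headers from raw packet bytes and reports packets whose
protocol field is not one of the protocols an ordinary host is expected to
speak.  Protocol 11 (NVP-II, RFC 741) is the value the challenge binary used
for handler-to-agent traffic.  All sample packets below are constructed.
"""
import ipaddress
import struct

# IANA-assigned IP protocol numbers used in this example.
PROTO_ICMP = 1
PROTO_TCP = 6
PROTO_NVP = 11   # Network Voice Protocol (RFC 741); not expected on a modern network
PROTO_UDP = 17

# Protocols an ordinary host is expected to carry; anything else deserves a look.
EXPECTED_PROTOCOLS = {PROTO_ICMP, PROTO_TCP, PROTO_UDP}


def _checksum(data):
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload=b""):
    """Build a 20-byte IPv4 header (no options) with a valid checksum. Test data only."""
    ihl = 5
    total_len = ihl * 4 + len(payload)
    header = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | ihl, 0, total_len, 0, 0, 64, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    header = header[:10] + struct.pack("!H", _checksum(header)) + header[12:]
    return header + payload


def parse_ipv4(packet):
    """Return (src, dst, proto, payload), or None if the header is malformed.

    Truncated packets, non-IPv4 versions, short IHL values and bad header
    checksums are rejected rather than allowed to raise.
    """
    if len(packet) < 20:
        return None
    version, ihl = packet[0] >> 4, (packet[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl:
        return None
    if _checksum(packet[:ihl]) != 0:   # a valid header checksums to zero
        return None
    proto = packet[9]
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    return src, dst, proto, packet[ihl:]


def flag_unexpected(packets, expected=EXPECTED_PROTOCOLS):
    """Return (src, dst, proto) for each well-formed packet whose protocol is not expected."""
    hits = []
    for pkt in packets:
        parsed = parse_ipv4(pkt)
        if parsed is None:
            continue            # malformed input is skipped, not fatal
        src, dst, proto, _payload = parsed
        if proto not in expected:
            hits.append((src, dst, proto))
    return hits


# Constructed sample traffic: ordinary TCP and UDP, one protocol-11 packet
# standing in for the handler-to-agent channel, and one truncated fragment.
SAMPLE_PACKETS = [
    build_ipv4("192.0.2.10", "192.0.2.20", PROTO_TCP, b"\x00" * 20),
    build_ipv4("192.0.2.10", "192.0.2.53", PROTO_UDP, b"\x00" * 8),
    build_ipv4("198.51.100.7", "192.0.2.20", PROTO_NVP, b"handler command"),
    b"\x45\x00",   # truncated garbage; must be skipped, not crash the parser
]

if __name__ == "__main__":
    for src, dst, proto in flag_unexpected(SAMPLE_PACKETS):
        print("unexpected IP protocol %d from %s to %s" % (proto, src, dst))
```

The header checksum check matters in practice: a flood tool spraying malformed packets will happily produce junk protocol numbers, and verifying the checksum keeps the detector from alerting on every corrupt frame while still catching a correctly formed, unusual channel like the one the winner described.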
-
Interesting summary
From the bonus questions:
Summary
The program was written in 2000, being inspired by the media attention of the trinoo and TFN DDOS tools. The programmer is most likely young with limited personal resources. The programmer has a low skill level and resorts to the "cut and paste" style of programming. The programmer possibly resides in Europe and socialises with other blackhat style programmers. The programmer is male, overweight and has no social life other than his computer. He wears glasses and was bullied throughout school. He uses computers as a way of getting back at the world which has maligned him. You decide where reality steps aside and Hollywood takes over.
-
Re:Your BS for the day...
I initially laughed too, but then I remembered something.
Keyloggers are not new, and are mentioned here. Besides simply logging cleartext traffic (telnet), encrypted traffic can be logged on the host side before it is sent back over the wire (ssh) using a replacement shell (forwarding traffic to syslogd), ttywatchers or the *trace tools.
I believe this is the technique used to log outgoing ssh traffic from a compromised machine, particularly but not limited to the case of common rootkits which drop replacement sshd[s].
The zdnet text is sensationalist, but that doesn't mean it isn't technically possible.
Gmanske.
-
Not the first time they've done this..
Read the challenge and results from last year. Great stuff!
-
The Main Honeynet URL
While honeynet.org and www.honeynet.org are (still) down, the main project page can be reached here
-
Actual link
Not everybody serves their dot-org like slashdot. Here's the real link : WWW.honeynet.org.
Or maybe they were just trying to keep it from being slashdotted! :)
-
The announcement
In case the archive becomes slashdotted, here's the announcement:
Last year the Honeynet Project sponsored the Forensic Challenge, a competition amongst the security community to study, analyze, and report on a computer hacked in the wild. The result was a complete forensic analysis of the hacked system. Both the analysis from different individuals and the images of the hacked computer are shared and used to this day.
This year we are continuing that tradition and are announcing the Reverse Challenge. The goal of this challenge is to develop reverse engineering skills amongst the security community. Your mission, if you should choose to accept, is to analyze and report on a binary captured in the wild. Your analysis will then be judged by a panel of experts, rated, and shared with the security community.
This year we actually have prizes. Top prizes include licensed copies of IDA Pro, a $200 Amazon gift certificate from DataRescue, and a free pass to the Black Hat Briefings. As if that was not enough, the top 20 entries get a signed copy of the Honeynet book, Know Your Enemy (you know, the book the guy down the hall is using as a door stopper :).
Judges include:
- David Dittrich
- K2
- Halvar
- Job de Haas
- Niels Provos
- Gera
The challenge officially begins Monday, 06 May when we release the binary. You have between now and the 6th to get your tools ready, form teams if you wish, and stock up on the caffeinated beverage of choice. You will then have four weeks to complete your analysis and submit your report no later than 24:00 GMT, Friday, 31 May. Submissions will be judged and then released 01 July. You can learn more about the challenge now, and download the binary on 06 May, at
http://project.honeynet.org/reverse/
All questions, concerns, and submissions should be sent to
We hope that the community has fun with this, with the ultimate goal of learning and sharing. Let the games begin!
--- The Honeynet Project
PS, the person who hacked our Honeynet is not eligible to submit an entry, you know who you are. The question is, do we? .... :)
-
Sounds like a ..
honeypot
Can't wait to see the logs from these babies!
-
Unfortunately, many do get owned.
That was a default server installation. At the time everyone admitted that the default server install was quite insecure. But it is hardly fair to call it a "typical installation". It was something that almost everyone knew was insecure, whether or not they knew what to do about it.
Unfortunately I wish this was true. A large part of my job involves building (or helping people build) Red Hat boxes as firewalls or Samba servers. They can send their server to me, and I will set up their system in a secure and functional manner. Up until RH 7.2 came out (I will not use any RH distro until it ends in a .2) we were using 6.2, and it had, as many have noted, bad holes in the initial install.
Most of these things could be fixed by bastille, but I personally prefer to do everything manually, so I know it gets done.
However, many of our customers, and a networking company that we are affiliated with often perform their own installs. These are installed often with 6.2 in a "default" install (because the people installing don't know what to adjust, despite the documentation we have provided for free..).
I won't comment on how many of these things have been owned. (True, I have seen NT servers get owned in the same environment/manner, but I work far more with Linux.)
I can remember one distinctly that I was taking a look at because it was operating improperly. It was only connected to the net for about 10 min so that a bunch of RPMs could be downloaded. In that time it got hit by a scanner and a script, and was owned. I first discovered it by accident, troubleshooting this server for the guy who set it up, and I noticed that "ls -alh" did not work properly. The "-h" flag was not functioning. I could not figure out why... Then I ran an MD5 sum on ls and found it did not match with known good binaries. Most of the binaries on that system were fsked with. We formatted, and I reinstalled and configured the system for him.
Of course, it has happened to me too, I have made some mistakes (and learned a great deal from them too...) You should check out (as another poster mentioned) the Honeynet Project and try building your own honeypot and see how fast it gets owned. Of course, if you are monitoring your logs (logcheck!), or using tools such as portsentry you should see hits on a regular basis to your outside systems on your network. If you are *NOT* looking for these things, I pity you. Hell, I just went through a great deal of trouble with the latest SSH bug, not a fun time when you find the crc messages in your logs. (Sure, as an admin I could have fixed it faster, but I was on vacation, and I did not get the alert.)
So, unfortunately, I must disagree that the "default" installation (from what I have seen) is far far too often the typical installation. Heck, up until recently the "default" installation was used on a regular basis by most of the members of our LUG!
I wish this were not the case, I really do. It is not what I have witnessed however.
-
Re:Key to user security...
Redhat 6 typically lasts less than 72 hours.
-
Re:Bother
"Bother," said the Borg. "We've assimilated Pooh."
Ah, now there's a way to defeat the Borg that was never tried on Star Trek... offer up Pooh as bait and then after his consciousness has been assimilated, point the Borg at the HoneyNet project.
-
Psychology of Script Kiddies
This article, now moved here (mentioned in this story), gives quite some insight into the psychology of script kiddies.
It is basically about a sysadmin who tracks the people behind the DOS attack and observes them for a while.
Quite interesting read, too paule_
-
Re:sharethenet
If you get hacked, simply restart your machine, and you are back to factory settings.
And are hacked again in 15 minutes.
This is why computer forensics are important.
-
Re:Dammit, you CAN teach old distros new tricks!
Well, according to the HoneyNet Project
"....we estimate the life expectancy of a default installation of Red Hat 6.2 server to be less than 72 hours."
And that's the problem. The distros boot up just fine. Until recently, most distributors gave no thought to security and tended to install everything enabled by default, with no firewall or access lists. Sure, an experienced user can patch and tighten an old version of Linux but as it has been pointed out, those people won't be getting Linux from the library. And setting a newbie up with one of these old distros is just asking for trouble.