Hacked OpenBSD 3.0 Honeypot

Contributed by jose on 2002-09-08 from the drawing-the-flies dept.

Recently seen on the SecurityFocus hosted honeypot list, an OpenBSD 3.0 honeypot was compromised. The data was captured and analyzed, and they have put together a report summarizing their findings. I had been putting this off a while, hoping for some more analysis (such as the affected files, traces others can use to determine if the same methods were used against them, etc), but I am sharing it anyhow. Another OpenBSD user recently posted their brief analysis of a compromised OpenBSD system. Hopefully others can make use of this information and detect intrusions more readily.

(Comments are closed)

Comments

By francisco () on 2002-09-08 19:05 http://www.blackant.net/

what is channel #exo and is it related to /usr/lib/exo00 that was mentioned recently on misc@? some dude bought what appears to be a trojaned unofficial openbsd cd which was running /usr/lib/exo00 and since the name is similar i was wondering just what exo is supposed to be.
By Anonymous Coward () on 2002-09-08 22:08

From the IRC log it seems that at least two of the script kiddies were Norwegian.
By skull () on 2002-09-08 23:06

This report doesn't seem very useful, unless getting to read irc logs is the point.

Nothing here seems to be particularly unknown.

This honeypot is more like a fly trap. Where are the bears?
By fansipans () on 2002-09-09 00:26

posting entire irc logs as a part of a honeypot 'research project' is nothing more than giving shout outs to the script kiddies. they're that dumb. if i worked to secure department stores from midnight break-ins, and i went to a conference for department store security dudes to describe the experiences i've had repelling and dealing with intrusions... the last thing i would bring to the conference is an audio tape of everything they said to each other , if i did i *might* put it on a tape and say 'if you want a copy of what these people said then see me' but play the whole thing during a presentation? no way.
By Baetis () on 2002-09-09 12:35

Ronn|e!~Stargazer@stargazer.counterstrike.at :getting a new one, with the buffer explit thingie or whtever is called, hopefully
script kiddies are the worst...if my openbsd boxes ever get hacked, i hope the guy at least knows what he's doing...
By Concerned Potential User () on 2002-09-11 05:13

I was looking to try out the 3.1 version of OpenBSD but then I followed the thread mentioned in the "their brief analysis" link.

OMG, I think Theo de Raadt has to grow up. A user gets hacked and posts an informative FYI, next thing you know, the user is being called ingnorant, stupid, etc. In the end, Theo turns to racist sarcasm. Unbelievable.

Needless to say, I'll have to defer evaluating OpenBSD until certain developers attain the same level of maturity as the code.

O%

Latest Articles

Tue, Apr 23
- 05:25 pfctl(8) and systat(8) to display fragment reassembly statistics (0)
Thu, Apr 18
- 05:05 Coming soon to a -current system near you: parallel raw IP input (0)
Wed, Apr 17
- 05:33 In -current, default write format for tar(1) changed to "pax" (11)
Wed, Apr 10
- 18:50 OpenSMTPD 7.5.0p0 Released (2)
Tue, Apr 09
- 04:49 20 years since "and we're just starting": undeadly.org turns 20 (2024-04-09) (13)
Fri, Apr 05
- 06:16 OpenBSD 7.5 released (3)
Thu, Mar 28
- 18:18 LibreSSL 3.8.4 and 3.9.1 released (0)
Tue, Mar 12
- 06:53 OpenSSH 9.7/9.7p1 released! (0)
Mon, Mar 11
- 11:28 Game of Trees 0.97 released (0)

Credits

Copyright © 2004-2008 Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to April 2nd 2004 as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]