From: Lee Brotherston (lee.brotherston uk.easynet.net)
Date: Wed Jan 30 2002 - 13:07:39 CST

| I'd like to dig a little deeper into these SubSeven scans I'm getting all
| the time. Does anyone know of some code that will listen on the port, and
| pretend to be a SubSeven server? Logging the commands sent? Back Office
| Friendly does something like this for Back Orifice. I'm flexible on the
| platform it can run on.

I think if you want to test the SubSeven traffic in the strictest honeypot
fashion, then putting something that simulates a SubSeven server is not
really the way to go. If you want to see what someone really does, I would
suggest actually running SubSeven for real!

Get some el-random Windows box and install a SubSeven server on there
with default passwords so that they can get in easily. Make sure that the
box is on a totally untrusted network and cannot do any damage even if
completely owned. Then find some way of monitoring the traffic going to it,
and log that traffic. Most trojans like SubSeven have their commands sent in
clear text, so this is a perfectly valid way to check.

There are a few ways you could check the traffic. Place another machine
in front of your victim box, running as a transparent bridge with logging
facilities enabled. Or put a machine on the mirror port of the switch that
you are plugged into and sniff the traffic. Or install the victim Windows box
in something like VMware on a Unix box, which can then sniff the inbound
traffic :)

Hope it helps

Lee
--
Lee Brotherston - IP Security Manager, Easynet Ltd
http://www.easynet.net/ Phone: +44 20 7900 4444
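
The passive logging described in the message above, as an added example that is not part of the original post: a Python reader for a capture taken on the bridge, mirror port or VM host that extracts the clear-text data sent to the honeypot's trojan port. The address 192.0.2.10, port 27374, the function names and the sample packets are constructed assumptions.

```python
import socket
import struct

HONEYPOT, PORT = "192.0.2.10", 27374  # assumed: doc-range IP, commonly cited SubSeven default port

def build_frame(src, dst, sport, dport, payload):
    """Constructed test data: minimal Ethernet/IPv4/TCP frame, checksums left zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def build_pcap(frames):
    """Wrap (timestamp, frame) pairs in a classic little-endian pcap, linktype Ethernet."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in frames:
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

def inbound_payloads(pcap, honeypot_ip, port):
    """Return (timestamp, source IP, escaped text) for TCP data sent to honeypot_ip:port."""
    if len(pcap) < 24 or struct.unpack_from("<I", pcap, 0)[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap file")
    events, off = [], 24
    while off + 16 <= len(pcap):
        ts, _, incl, _ = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16: off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4 carrying TCP
        ihl, total = (frame[14] & 0x0F) * 4, struct.unpack_from("!H", frame, 16)[0]
        tcp = frame[14 + ihl: 14 + total]
        if len(tcp) < 20 or socket.inet_ntoa(frame[30:34]) != honeypot_ip:
            continue  # truncated, or not addressed to the honeypot
        data = tcp[(tcp[12] >> 4) * 4:]
        if struct.unpack_from("!H", tcp, 2)[0] != port or not data:
            continue  # other service, or a bare ACK with no payload
        # Escape non-printable bytes so hostile input cannot corrupt the log or terminal.
        text = "".join(chr(b) if 32 <= b < 127 else "\\x%02x" % b for b in data)
        events.append((ts, socket.inet_ntoa(frame[26:30]), text))
    return events

# Constructed capture: one inbound command, the honeypot's reply, unrelated web traffic.
SAMPLE = build_pcap([
    (1000, build_frame("198.51.100.7", HONEYPOT, 40000, PORT, b"EXAMPLE-COMMAND arg\r\n")),
    (1001, build_frame(HONEYPOT, "198.51.100.7", PORT, 40000, b"EXAMPLE-REPLY\r\n")),
    (1002, build_frame("198.51.100.7", HONEYPOT, 40001, 80, b"GET / HTTP/1.0\r\n\r\n")),
])
```

Payloads are logged per packet with no TCP stream reassembly, so a command split across segments appears as several entries.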