From: Franck Magron (magronoffratel.nc)
Date: Fri Feb 08 2002 - 03:50:32 CST

    In order to cope with encrypted ssh sessions, we installed on our honeynet
    the modified bash version provided by the honeynet project. But it relies on
    syslog to send its info to a remote server. We recently encountered a
    t0rnkit version that replaces syslogd with a trojaned version, so we decided to
    patch the syslogd code to make it more difficult for a script kiddie to
    interrupt the remote logs.

    A hidden syslog daemon processes the log records before forwarding them to
    the regular syslog daemon or a trojaned version.
    For this purpose we patched the glibc library so that openlog uses an
    alternate unix socket, and we patched syslogd so that it forwards the records
    to /dev/log.

    See http://nccsec.edge.nc/syslog_forwarder.htm for more info

    Franck
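The forwarding arrangement the post describes (records arrive on an alternate Unix datagram socket, the hidden daemon keeps a copy for the remote log server and relays each record on to /dev/log) as an added Python prototype; this is not Franck's code nor the syslog_forwarder patch, and the socket name /dev/hidden_log is assumed. The demo() stands in temporary socket paths for /dev/hidden_log and /dev/log so it runs without root.

```python
import os
import socket
import tempfile

# Assumed path the patched openlog() would connect to instead of /dev/log (hypothetical name).
HIDDEN_LOG_PATH = "/dev/hidden_log"
# Path the stock (or trojaned) syslogd keeps listening on; the hidden daemon relays to it.
REGULAR_LOG_PATH = "/dev/log"


def open_receiver(path):
    """Bind a Unix datagram socket at `path`, replacing any stale socket file."""
    if os.path.exists(path):
        os.unlink(path)
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    sock.bind(path)
    return sock


def forward_one(receiver, dst_path, out_of_band):
    """Read one record from the hidden socket, keep a copy, relay it to dst_path."""
    record = receiver.recv(65535)
    out_of_band.append(record)  # copy kept for the remote log server (the protected channel)
    relay = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        relay.sendto(record, dst_path)  # regular syslogd still sees the record, so nothing looks missing
    finally:
        relay.close()
    return record


def demo(record=b"<13>bash[123]: uname -a"):  # constructed sample record from the logging bash
    """Stand-alone round trip: client -> hidden socket -> forwarder -> regular syslog socket."""
    with tempfile.TemporaryDirectory() as tmp:
        hidden, regular = os.path.join(tmp, "hidden_log"), os.path.join(tmp, "log")
        hidden_sock = open_receiver(hidden)
        regular_sock = open_receiver(regular)  # plays the role of syslogd bound to /dev/log
        hidden_sock.settimeout(2)
        regular_sock.settimeout(2)
        try:
            client = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
            client.sendto(record, hidden)  # what a patched openlog()/syslog() call would do
            client.close()
            kept = []
            forward_one(hidden_sock, regular, kept)
            seen_by_syslogd = regular_sock.recv(65535)
            return kept, seen_by_syslogd
        finally:
            hidden_sock.close()
            regular_sock.close()
```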
