From: William Stearns (wstearns@pobox.com)
Date: Thu May 09 2002 - 14:30:59 CDT

    Good day, all,
            My ideal honeypot would include the ability to monitor what the
    attacker was doing; what are they typing and what do they see on their
    screen. Up until now, to the best of my knowledge, the best solutions
    have been to patch bash to log keystrokes, and to monitor the data streams
    with snort and view them after the fact. The first approach only shows
    keystrokes, but not screen output, and is also dependent on replacing
    bash. The second approach fails if the attacker encrypts their traffic
    over the wire.
            A third (not necessarily better, but different) approach is to get
    the kernel to log all data traveling over the pty to a file. In this
    patch to a User-Mode Linux [1] kernel, the kernel logs all keystrokes and
    screen output, even if the user is encrypting their traffic! No
    modifications to userspace applications are needed. The log files are
    stored on the host's hard drive, so the attacker can't delete them, and no
    applications inside UML can tell they're being logged. You can monitor
    the attacker in real time with tail -f on the log file. Although all
    normal keystrokes show up twice in the log file to do so, this even
    captures passwords which are not echoed to the screen. Separate ptys
    (pty1, pty2, etc.) are logged to different files, but the files are reused
    when someone logs out and then logs back in on the same pty.

            *smile*

            There are a number of different ways the logging could be
    accomplished; separate I and O log files, timestamps added or not,
    sessions broken out to different files, etc. We propose this as a
    starting point for further customization and don't suggest that it's
    perfect for everyone. We chose this format to start for the reasons
    listed above and for simplicity.
            Like the Linux kernel and UML code it patches, this code is
    released under the GPL. It's Copyright 2002, Jeff Dike
    <jdike@karaya.com>. The work was funded by ISTS.
            The only method we're aware of to circumvent the logging would be
    for the attacker to install a replacement shell that accepts encrypted
    commands and executes them. Note that simply coming into the system with
    a standard or trojaned version of ssh is not enough to hide one's actions;
    the patch pulls its keystrokes and screen output from the pty terminal
    driver.
            The patch does not, in its current form, capture all traffic over
    network sockets, FIFOs, etc. It could be modified to do so, but this
    runs a much larger risk of the attacker overflowing the logging space on
    the host drive.
            The permanent location for this patch is
    http://www.stearns.org/patches/ . The current version of this patch is
    called 2.4.19-uml-logging-patch .
            Cheers,
            - Bill

    [1] http://user-mode-linux.sourceforge.net

    ---------------------------------------------------------------------------
            "When I despair, I remember that all through history the way of truth and
    love has always won. There have been tyrants and murderers, and for a time,
    they seem invincible, but in the end, they always fall. Think of it - ALWAYS."
            -- Mahatma Gandhi
    (Courtesy of Carole C. Pratt <Carole.C.Pratt@Dartmouth.EDU>)
    --------------------------------------------------------------------------
    William Stearns (wstearns@pobox.com). Mason, Buildkernel, named2hosts,
    and ipfwadm2ipchains are at: http://www.stearns.org
    --------------------------------------------------------------------------
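The message above describes why a pty-layer logger sees every keystroke twice (once as input, once as the driver's echo) while a password typed at a no-echo prompt appears only once. The following added example, which is not part of Bill's post or the UML patch, reproduces that behaviour in user space with an ordinary pty pair: the master side stands in for the attacker's terminal, the slave side for the program being driven, and the `driver_view` helper (a name chosen here) records the same two streams the kernel driver would log. `PROGRAM_REPLY` is a constructed stand-in for program output.

```python
import os
import pty
import select
import termios

# Constructed demonstration: a pty pair stands in for the UML pty driver, and the
# "logger" records the two streams the driver sees: bytes arriving from the master
# side (keystrokes) and bytes flowing back to it (echo and program output).
PROGRAM_REPLY = b"ok\n"   # constructed: what the program prints after reading a line


def driver_view(keystrokes: bytes, echo: bool) -> tuple[bytes, bytes]:
    """Push one typed line through a pty and return (logged, delivered).

    logged    -- what a pty-layer logger records: input, then everything sent back
    delivered -- what the program on the slave side actually read
    """
    master, slave = pty.openpty()
    try:
        attrs = termios.tcgetattr(slave)
        if echo:
            attrs[3] |= termios.ECHO         # normal shell line: driver echoes input
        else:
            attrs[3] &= ~termios.ECHO        # password prompt: program turned echo off
        termios.tcsetattr(slave, termios.TCSANOW, attrs)

        logged = bytearray(keystrokes)       # input direction, logged once
        os.write(master, keystrokes)
        delivered = os.read(slave, 1024)     # canonical mode: returns at the newline
        os.write(slave, PROGRAM_REPLY)       # program output heading back to the user

        # Drain the output direction; ONLCR turns each "\n" into "\r\n" on the way out.
        while True:
            ready, _, _ = select.select([master], [], [], 0.5)
            if not ready:
                break
            logged += os.read(master, 1024)
        return bytes(logged), delivered
    finally:
        os.close(master)
        os.close(slave)


def keystrokes_logged_twice(keystrokes: bytes, echo: bool) -> bool:
    """True when the typed text shows up twice in the log (input plus echo)."""
    logged, _ = driver_view(keystrokes, echo)
    return logged.count(keystrokes.rstrip(b"\n")) == 2


if __name__ == "__main__":
    for echo in (True, False):
        logged, delivered = driver_view(b"secret\n", echo)
        print(f"echo={echo}: delivered={delivered!r} logged={logged!r}")
```

Run on Linux; the echoed copy of the line is generated by the line discipline, so a logger at this layer records it whether or not the bytes were encrypted on the network between the attacker and sshd.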

    ---------------------------------------------------------------------
    To unsubscribe, e-mail: honeypots-unsubscribe@securityfocus.com
    For additional commands, e-mail: honeypots-help@securityfocus.com
    ---------------------------------------------------------------------
    This list is provided by the SecurityFocus Security Intelligence Alert
    (SIA) Service. For more information on SecurityFocus' SIA service,
    which automatically alerts you to the latest security vulnerabilities,
    please see: https://alerts.securityfocus.com/