From: Michael Clark (mikehoneynet.org)
Date: Sat May 18 2002 - 10:05:02 CDT

    Jeremy,

    These might actually be encrypted binaries. The password is used to
    unlock them (of course :). The password (nor anything else) would not show up
    in strings. A tool called burneye can be used to do this. There is also a
    Phrack article (the latest I believe) that discusses encrypting binaries.

    Keystroke logging is very useful here to catch the password.

    Mike

    On Fri, 17 May 2002, Jeremy wrote:

    > Hello all,
    >
    > I've been running a RedHat7.2 vmware honeypot for about a month now and have gotten 5 break-ins. After they run the exploit they tend to ftp to get their tools, so I go to the ftp site and grab what's there. One thing I have been running across is several different tools have been password protected. Is this something new they are doing? I've never heard of this before.
    > I've tried to run strings against the tools to see if I can pick up the password, but I haven't had any luck. Are there any other ways to find the password to these tools? Also, what about the trojaned sshd's they always install, is there a way to find the "secret" password they use to get back into the compromised system?
    >
    > Thanks,
    > Jeremy
    >
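
A way to triage captured tools for the situation described in this thread, where `strings` finds nothing because most of the file is ciphertext. This is an added example, not part of the original post: the function names, thresholds and sample bytes are constructed for illustration, and the SHA-256 keystream only stands in for an encrypted payload.

```python
import hashlib
import math
import re
import sys
from collections import Counter

# Printable ASCII runs of 6+ bytes, the same idea strings(1) uses.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{6,}")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, much lower for code and text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage(data: bytes, window: int = 4096, threshold: float = 7.5) -> dict:
    """Report how much of a file looks like ciphertext and how much strings would find."""
    chunks = [data[i:i + window] for i in range(0, len(data), window)]
    # Chunks under 512 bytes are too short for a meaningful entropy estimate.
    high = sum(1 for c in chunks if len(c) >= 512 and shannon_entropy(c) > threshold)
    printable = sum(len(m) for m in PRINTABLE_RUN.findall(data))
    return {
        "entropy": round(shannon_entropy(data), 2),
        "high_entropy_fraction": high / len(chunks) if chunks else 0.0,
        "printable_fraction": printable / len(data) if data else 0.0,
    }

def likely_encrypted(report: dict) -> bool:
    """Flag files where at least half of the windows look like ciphertext."""
    return report["high_entropy_fraction"] >= 0.5

# Constructed sample data (not real malware): a plaintext "tool" with readable
# strings, and the same stub followed by a SHA-256 keystream standing in for
# an encrypted payload.
PLAIN = (b"\x7fELF" + b"\x00" * 60 + b"usage: %s <host> <port>\x00connect failed\x00"
         + b"\x55\x89\xe5\x83\xec\x18" * 40) * 16
KEYSTREAM = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(512))
WRAPPED = PLAIN[:4096] + KEYSTREAM

if __name__ == "__main__":
    samples = {p: open(p, "rb").read() for p in sys.argv[1:]} or {
        "constructed-plain": PLAIN, "constructed-wrapped": WRAPPED}
    for name, blob in samples.items():
        report = triage(blob)
        print(name, report, "ENCRYPTED?" if likely_encrypted(report) else "plain")
```

Compressed or packed files also score near 8 bits per byte, so a flag here means "packed or encrypted" and the file still needs closer analysis in the honeypot lab.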
