Linux - Security (LinuxQuestions.org forum)
A few months ago, my Red Hat Linux 7.0 got hacked and appeared to become a hacker's bot, due to security holes in an early version of named. But I never figured out completely what had been installed, and what kind of files had been altered. Later I upgraded to RH 7.1 and hope now it's ok. But I still see quite a few hacking attempts, as indicated in /var/log/http/access_log; a couple of examples:
They are probably young kiddies trying to find some fun over the net. I wonder if there are some tools available, so that when such hacking attempts are received by the server, it will either respond with a false WinNT command prompt, or have a game program opened for the hacker to play. Whatever they attempt to do, there is an option to log to a file. And perhaps use their hacking connection to find services or security holes on the hacker's source computer. Any suggestions?
My question was where I can find tools, so I can turn such attempts to some decoy directory, where it may appear to be NT to hackers; they'll think they got into an NT system, and I can use monitoring tools or logs to find the intruder's intention or hacking techniques. Obviously in the last two instances of hacking attempts, hackers were trying to test my system to see if they could get an NT command prompt. I'd like to give them the screen, so they might think they got the administrator's cmd prompt. Then I can see what they'll do next. Are there any places to find such decoys?
thanks.
In general there is no way you will want to set up a live system and let intruders muck 'n trash it for their fun.
Better set up a decoy system for looking at/learning from, and call it a "honeypot".
See Spitz's work, including "Know Your Enemies", at http://project.honeynet.org/.
A honeypot is basically a "normal" server put up outside the DMZ perimeter, which you would take down after you get notified it's been hacked, or get nightly images from to study what's been done.
Then, IMHO, there's no way you can fake cmd.exe on a *nix box (had some W2K shell scripting to do tonight), and they aren't looking for a shell prompt anyway; the cmd.exe is just there to execute the rest of their exploit with.
Read more on IIS vulnerabilities at http://www.sans.org, http://www.cert.org, http://www.neohapsis.com and http://www.securityfocus.com. Secfocus has some good newsletters/mailing lists as well, and neohapsis has some MLs archived. (strange... now why didn't I point to microsoft as well...)
I'm sorry to say, but if you haven't got a clue what they are up to, don't burn your hands. Better invest your time in reading and setting up Snort (http://www.snort.org), which can notify you of incoming hostilities based on scanning traffic for certain signatures.
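As an added illustration of what signature-based notification does in miniature (this is example code, not from the thread, Snort or the honeynet project), the script below parses constructed Apache access_log lines and flags the IIS-style cmd.exe/root.exe and encoded-traversal probes discussed above, counting them per source address. The log lines and addresses are made up for the example.

```python
import re
from collections import Counter

# Constructed sample lines in Apache common log format (not the thread's real log).
SAMPLE_LOG = """\
192.0.2.10 - - [12/Sep/2001:10:11:12 +0000] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 287
192.0.2.10 - - [12/Sep/2001:10:11:13 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 280
198.51.100.7 - - [12/Sep/2001:10:12:00 +0000] "GET /index.html HTTP/1.1" 200 1043
198.51.100.7 - - [12/Sep/2001:10:12:05 +0000] "GET /default.ida?XXXX HTTP/1.0" 404 300
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Signatures of IIS-targeted probes that are harmless to Apache on Linux
# but show the source is scanning: cmd.exe/root.exe execution attempts,
# Unicode or double-decode traversal, and the Code Red .ida request.
PROBE_SIGNATURES = [
    ("cmd.exe request", re.compile(r"cmd\.exe", re.I)),
    ("root.exe backdoor probe", re.compile(r"root\.exe", re.I)),
    ("encoded traversal", re.compile(r"(\.\./|%2e%2e|%c0%af|%c1%1c|%255c)", re.I)),
    ("Code Red .ida probe", re.compile(r"\.ida\?", re.I)),
]


def classify(path):
    """Return the list of signature names matched by a request path."""
    return [name for name, rx in PROBE_SIGNATURES if rx.search(path)]


def scan_log(text):
    """Parse log lines; return (hits, per_ip) where each hit is
    (ip, status, path, reasons) and per_ip counts hits per source."""
    hits, per_ip = [], Counter()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than crash
        reasons = classify(m["path"])
        if reasons:
            hits.append((m["ip"], int(m["status"]), m["path"], reasons))
            per_ip[m["ip"]] += 1
    return hits, per_ip


if __name__ == "__main__":
    hits, per_ip = scan_log(SAMPLE_LOG)
    for ip, status, path, reasons in hits:
        print(f"{ip} {status} {path} -> {', '.join(reasons)}")
    print("probes per source:", dict(per_ip))
```

Point it at a real access_log by reading the file into `scan_log`; the 404 status on the flagged lines is exactly what you expect on a Linux/Apache box, which is why the probe is informational rather than a sign of compromise.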
Thank you very much unSpawn for the great links.
I think I have found something which seems attractive: http://www.all.net/dtk/dtk.html
Btw, you mentioned honeynet.org, but I didn't see that they have released any programs. Have you seen any?
thanks again.
Heh, no, honeypot.org doesn't do apps; they just observe, and once in a while you are allowed to break into a honeypot.
They also have a feature called "Scan Of The Month" where you can guess what tools ppl are using against a host from the signatures, dumps etc.