OpenBSD Journal

Hacked OpenBSD 3.0 Honeypot

Contributed by jose on from the drawing-the-flies dept.

Recently seen on the SecurityFocus-hosted honeypot list, an OpenBSD 3.0 honeypot was compromised. The data was captured and analyzed, and they have put together a report summarizing their findings. I had been putting this off for a while, hoping for some more analysis (such as the affected files, traces others can use to determine whether the same methods were used against them, etc.), but I am sharing it anyhow. Another OpenBSD user recently posted their brief analysis of a compromised OpenBSD system. Hopefully others can make use of this information and detect intrusions more readily.



Comments
  1. By francisco () on http://www.blackant.net/

    What is channel #exo, and is it related to /usr/lib/exo00 that was mentioned recently on misc@? Some dude bought what appears to be a trojaned unofficial OpenBSD CD which was running /usr/lib/exo00, and since the name is similar I was wondering just what exo is supposed to be.

  2. By Anonymous Coward () on

    From the IRC log it seems that at least two of the script kiddies were Norwegian.

  3. By skull () on

    This report doesn't seem very useful, unless getting to read irc logs is the point.

    Nothing here seems to be particularly unknown.

    This honeypot is more like a fly trap. Where are the bears?

  4. By fansipans () on

    Posting entire IRC logs as a part of a honeypot 'research project' is nothing more than giving shout-outs to the script kiddies. They're that dumb. If I worked to secure department stores from midnight break-ins, and I went to a conference for department store security dudes to describe the experiences I've had repelling and dealing with intrusions... the last thing I would bring to the conference is an audio tape of everything they said to each other. If I did, I *might* put it on a tape and say 'if you want a copy of what these people said then see me', but play the whole thing during a presentation? No way.

  5. By Baetis () on

    Ronn|e!~Stargazer@stargazer.counterstrike.at :getting a new one, with the buffer explit thingie or whtever is called, hopefully
    Script kiddies are the worst... if my OpenBSD boxes ever get hacked, I hope the guy at least knows what he's doing...

  6. By Concerned Potential User () on

    I was looking to try out the 3.1 version of OpenBSD but then I followed the thread mentioned in the "their brief analysis" link.

    OMG, I think Theo de Raadt has to grow up. A user gets hacked and posts an informative FYI, and the next thing you know, the user is being called ignorant, stupid, etc. In the end, Theo turns to racist sarcasm. Unbelievable.

    Needless to say, I'll have to defer evaluating OpenBSD until certain developers attain the same level of maturity as the code.

