On 18 sept. 2004, at 15:05, Craig Edwards wrote: > as ive read this is an attack from some kiddie trying to build a > floodnet. > > records show that most of the compromised boxes are linux machines > which end up having suckit rootkit and an energymech installed on > them, i dont know if the attacker has ever gotten into a freebsd > machine and what they'd do if they did. > > On my machines i have a dummy shell which APPEARS to be a successful > login but just returns weird errors (such a "Segmentation Fault") or > bad data for all commands that are issued, while also logging their > commands. im tempted to put this on the 'test' account and let them in > on this shell to see what is attempted. just to clarify, if i did such > a thing theres no way for them to break out of the shell, right? its a > simple perl script, so if the perl script ends, theyre logged off? > This is what i expect to happen however i don't want to risk it unless > its 100% safe... And just to clarify again all commands that are > issued from this fake shell never reach the REAL os, even "uname" > returns a redhat 7.2 string when the real machine is actually freebsd > 5... > I wouldn't do that if I were you, I think it's more interesting and safe to create a full jailed system, with a honeypot running in this jail (but well, honeypot has to be legal in your country, and that is not the case everywhere) patpro -- je cherche un poste d'admin-sys Mac/UNIX http://patpro.net/cv.php _______________________________________________ freebsd-security@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"