Honeypots
mailing list archives
Re: Does it really take so long to get a bite?
From: Chris Reining <creining () packetfu org>
Date: Sat, 7 Dec 2002 12:02:28 -0600
On Fri, Dec 06, 2002 at 11:52:54AM -0600, marc wrote:
> We set up a honeynet two weeks ago. So that it's not too simple (didn't
> want to just capture the first script kiddy), the only vulnerability on it
> is an old openssh.

I had an OpenBSD 3.1 honeypot running a vulnerable version of SSH that was compromised in 2 days...

> Watching the logs, the chkrootkit, the IDS, the network traffic, etc, show
> us nothing! Lots and LOTS of scans, mostly for nbname.
> How long does it take to get a hit? Previous reading and anecdotes said
> that some boxes are compromised within 15 mins of being hooked up to the
> network.

I had a vanilla Redhat 6.2 box that took over 3 weeks to get compromised by an autorooter. I think that the TTL of a
honeypot depends entirely on different variables like the ISP (from what I've seen, different ISPs/netblocks get
scanned at different frequencies) and the latest and greatest exploit that the kiddies have. For instance, after a
major software vulnerability is discovered and an exploit released, there will be a sharp increase in scanning for
vulnerable systems, which will slowly decline over time.
Chris