> I have two honeypots one IP address apart (the systems are Win2000
> Server SP3 and Debian 3.0r0), and this makes me think about the fake
> contents of the honeypots (i.e. webserver contents) that can attract
> intruders to one or the other system. Which contents are more susceptible to
> being hacked? In a campus network, maybe a fake qualification DB server?
I've found the vanilla "You've installed Red Hat! Congratulations!"
page always attracts script kiddies. Makes it look like you don't
even know what software you installed. Or perhaps it is just neutral,
and the kiddies would have found it regardless.
What I've done in other cases is take an existing website of mine
and mirror it to the honeypot. Then you modify each page in the
same way to contain something indicating this is the staging or
beta site. This is a quick way to get lots of content without
doing much work, and makes it seem like the machine does have an
authentic purpose. It also tends to indicate that somehow this
machine will interact with the real server (be it a push or pull
to 'publish' the data) and that is also appealing.
Although I can't say these have had better success in attracting
folks, the intruders do have more interesting activities when they
get there.
--
Brian Hatch
Systems and Security Engineer
http://www.ifokr.org/bri/
Every message PGP signed

"Enthusiasm, sincerity, genuine compassion, and humor can carry you through any lack of prior experience with high numerical value."
Received on Dec 13 2002
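The mirroring approach described in the reply (copy an existing site, then modify every page in the same way so it reads as a staging or beta copy) can be scripted so the marking is consistent across the whole mirror. The following is an added example, not code from the post or from Brian Hatch; the sample pages, the `STAGING_NOTICE` text and the `[staging]` title prefix are constructed here for illustration, and the mirrored site is assumed to already be on disk or in memory as plain HTML strings.

```python
import re

# Constructed sample pages standing in for a mirrored site (not from the post).
# The mix covers lower-case tags, upper-case tags, and a fragment with no <body>.
SAMPLE_PAGES = {
    "index.html": "<html><head><title>Campus Library</title></head>"
                  "<body><h1>Welcome</h1></body></html>",
    "about.htm": "<HTML><HEAD><TITLE>About</TITLE></HEAD><BODY>Info</BODY></HTML>",
    "fragment.html": "<p>No body tag here</p>",
}

# Constructed marker text; what it says is a policy choice for the honeypot owner.
STAGING_NOTICE = '<div class="staging-banner">STAGING SITE - not the production server</div>'
TITLE_PREFIX = "[staging] "


def mark_as_staging(html: str, notice: str = STAGING_NOTICE, prefix: str = TITLE_PREFIX) -> str:
    """Return a copy of one page marked as a staging copy.

    - The <title> gets a visible prefix (first title tag only, case-insensitive).
    - The notice is inserted just before </body>; if the page has no body tag
      (a fragment or template), it is appended so the page is still marked.
    - Already-marked pages are returned unchanged so re-running is safe.
    """
    if notice in html:
        return html
    # Lambdas are used instead of backreference strings so that characters in
    # `prefix`/`notice` are never interpreted as regex replacement syntax.
    html = re.sub(r"(<title[^>]*>)", lambda m: m.group(1) + prefix,
                  html, count=1, flags=re.IGNORECASE)
    html, replaced = re.subn(r"(</body\s*>)", lambda m: notice + m.group(1),
                             html, count=1, flags=re.IGNORECASE)
    if replaced == 0:
        html += notice
    return html


def mark_site(pages: dict) -> dict:
    """Apply the same marking to every page of the mirror, keyed by filename."""
    return {name: mark_as_staging(content) for name, content in pages.items()}


if __name__ == "__main__":
    for name, content in mark_site(SAMPLE_PAGES).items():
        print(f"--- {name}\n{content}")
```

Running it over a real mirror would mean reading each file into `pages` and writing the results back; the in-memory form above keeps the example self-contained. The idempotency check at the top of `mark_as_staging` matters in practice because a mirror is typically refreshed repeatedly, and a banner stacked several times would itself look odd to a visitor.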