Web Hosting Talk

Honeypot Server?


Amish_Geek
09-11-2003, 12:22 PM
How many people make use of one of these? How useful are they? How many log files have you turned over to the FBI?

I know of a guy who runs one; it's behind several firewalls, so if anyone other than he accesses it, it can only be with malicious intent. He has a mean little assembler code payload that it sends to the intruder, which, if they have a flashable CMOS on their motherboard, will tell the system to flash it blank. He just recently turned in a stack of packet traffic logs to the FBI, and some guy in Florida with a computer that no longer works will be getting a knock on the door from the FBI.

neonlexx
09-11-2003, 12:37 PM
I have done it in the past; it's really only good if you have a large network and the systems are co-located... otherwise it's virtually pointless.

Honeypots are a lot of upkeep; I wouldn't use one unless I had slightly under 100 servers.

derek1622
09-11-2003, 01:38 PM
Can you explain what a honeypot server is? I can't find much info about this anywhere.

RogelioH
09-11-2003, 02:16 PM
To make it short, a honeypot server is a vulnerable server that you place in a network, but you install monitoring software on it, anything from keyloggers to packet sniffers etc., just to see if anyone has malicious intent.

dthigpen
09-11-2003, 02:21 PM
Assembler Code Payload, right. You do realize that the person breaking into said honeypot would have to actually RUN that little program which he obtained from said honeypot server on his computer for that to work, right? Furthermore, the intruder would have to be running whatever operating system said binary was compiled for. That's a whole lot of assumption going on there; either your 'friend' was just bull****ting to impress you, or he isn't too bright.

A little knowledge is more dangerous than none at all when it comes to the propagation of misinformation.

Amish_Geek
09-11-2003, 03:53 PM
The guy who did this is the Unix System Administration professor at a local college, who also works for a small ISP. The assembler code is not OS specific, but hardware specific, as it is machine language (assembler, not assembly)

I haven't personally seen evidence that it does what he says it does, but his background gives him credibility, and other friends of mine at SD School of Mines and Technology (big engineering school) can verify that such things are possible when written in low-level languages. It is possible to write viruses that destroy hardware with these ultra-low-level languages, but not many people want to take the time to learn, and those that do know better than to use such a virus. Most viruses are written by people who downloaded easy-to-use tools that make use of Windows exploits.


-- On another note, to answer the question of what a honeypot server is: a honeypot server, as said above, is a server that is set up with loose security, made to look important, to lure would-be hackers into that system rather than your actual systems. All actions are logged, including all packet traffic, so that in the case of a breach it is easier to find the perpetrator. Honeypots are also usually set up in a way that the only way they can be accessed is with malicious intent (i.e., behind a firewall).

dthigpen
09-11-2003, 04:03 PM
Originally posted by amish_geek
The guy who did this is the Unix System Administration professor at a local college, who also works for a small ISP. The assembler code is not OS specific, but hardware specific, as it is machine language (assembler, not assembly)

I haven't personally seen evidence that it does what he says it does, but his background gives him credibility, and other friends of mine at SD School of Mines and Technology (big engineering school) can verify that such things are possible when written in low-level languages. It is possible to write viruses that destroy hardware with these ultra-low-level languages, but not many people want to take the time to learn, and those that do know better than to use such a virus. Most viruses are written by people who downloaded easy-to-use tools that make use of Windows exploits.


I guess you didn't understand what I was saying, no biggie, I'll clarify. There has to be a delivery method. File transfers don't magically happen unless the client either A) Has a trojan'd application on his client computer, or B) The client initiates the transfer. Assembler code, believe it or not, STILL has to execute, and that execution has to be triggered. Hope that clears up your misconceptions.

I won't bother listing my qualifications, as I've had other PhDs tell me that the world was flat; it's all sort of non-relevant in an argument based on hard fact.

webworkz
09-11-2003, 04:04 PM
Originally posted by amish_geek
The guy who did this is the Unix System Administration professor at a local college, who also works for a small ISP. The assembler code is not OS specific, but hardware specific, as it is machine language (assembler, not assembly)
Sorry; but I don't care what kind of background/experience he has under his belt.

He's full of it.

advantagecom
09-11-2003, 04:08 PM
We do something similar, but we don't take it as far as setting up a server.

We have some firewall rules that are set to trigger only when specific IPs are accessed. When that rule is triggered, it creates a temporary firewall rule that denies access to any of our network from that IP until the temporary rule times out from not having any activity.

The IPs that trigger the rule are not used for anything except catching network scanners and blocking them from our network. We use one in each subnet we use on our network.
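The tripwire advantagecom describes (an otherwise-unused address in each subnet; any connection to it marks the source as a scanner and installs a temporary deny rule that is refreshed by further activity and expires after an idle timeout) can be sketched as plain decision logic. The following is an added illustration of that logic written for this thread, not ET, Inc.'s software and not anything from the poster; the subnets, addresses, timeout and connection events are constructed sample data, and `Tripwire`, `pick_honeypot_ips` and `run_demo` are names chosen here.

```python
"""Simulated honeypot-IP tripwire (added example, constructed data).

One unused address per subnet acts as bait: no legitimate client has a
reason to connect to it, so the first connection attempt to it marks the
source as a scanner. The source is then denied access to the whole
network until it has been idle for `idle_timeout` seconds; each new
attempt from a denied source refreshes the timer, as in the post above.
"""
from dataclasses import dataclass, field
from ipaddress import ip_network


def pick_honeypot_ips(subnets):
    """Return one bait address per subnet (here: the last usable host)."""
    return {str(list(ip_network(s).hosts())[-1]) for s in subnets}


@dataclass
class Tripwire:
    honeypot_ips: set            # bait addresses, one per subnet
    idle_timeout: float          # seconds of silence before a deny expires
    denied: dict = field(default_factory=dict)  # src_ip -> last_seen time

    def _expire(self, now):
        """Drop deny entries whose source has been quiet for idle_timeout."""
        for src, last_seen in list(self.denied.items()):
            if now - last_seen > self.idle_timeout:
                del self.denied[src]

    def handle(self, src, dst, now):
        """Decide 'allow' or 'deny' for one connection attempt src -> dst."""
        self._expire(now)
        if src in self.denied:
            self.denied[src] = now       # activity keeps the block alive
            return "deny"
        if dst in self.honeypot_ips:
            self.denied[src] = now       # touching the bait trips the rule
            return "deny"
        return "allow"


def run_demo():
    """Replay constructed connection events; return the verdict per event."""
    tw = Tripwire(pick_honeypot_ips(["192.0.2.0/24", "198.51.100.0/24"]),
                  idle_timeout=300)
    # (time_seconds, source_ip, destination_ip) -- constructed sample events
    events = [
        (0,   "203.0.113.7",  "192.0.2.10"),    # normal host: allowed
        (1,   "203.0.113.7",  "192.0.2.254"),   # bait address: tripped
        (2,   "203.0.113.7",  "192.0.2.11"),    # still blocked, timer refreshed
        (10,  "198.51.100.5", "192.0.2.11"),    # unrelated source: allowed
        (400, "203.0.113.7",  "192.0.2.12"),    # idle > 300 s: block expired
    ]
    return [tw.handle(src, dst, t) for t, src, dst in events]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

Two things a practitioner should keep in mind before wiring this to a real firewall: the deny is keyed on the source address, so a scan with a forged source could get an innocent address blocked for the timeout period, and the bait addresses should never appear in DNS or any configuration that a legitimate client might follow, or the tripwire will fire on real users.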

Amish_Geek
09-11-2003, 04:11 PM
And that's your opinion, and you are entitled to it.

If I can get hold of his code, would you be willing to disprove it by allowing me to send it to your computer?

Anyways, this is getting off topic, the original question was about honeypots, and who has/uses them.

Amish_Geek
09-11-2003, 04:12 PM
Originally posted by advantagecom
We do something similar, but we don't take it as far as setting up a server.

We have some firewall rules that are set to trigger only when specific IPs are accessed. When that rule is triggered, it creates a temporary firewall rule that denies access to any of our network from that IP until the temporary rule times out from not having any activity.

The IPs that trigger the rule are not used for anything except catching network scanners and blocking them from our network. We use one in each subnet we use on our network.

What firewall programs did you use to set that up? That sounds like a valuable thing to have if you can't afford a whole separate server for it. Does that just run on one of your shared servers then?

mpalamar
09-11-2003, 04:38 PM
Originally posted by amish_geek
If I can get hold of his code, would you be willing to disprove it by allowing me to send it to your computer?


This code would hold every computer connected to the internet up for ransom. Impossible unless there is a serious bug in every operating system.

advantagecom
09-11-2003, 04:51 PM
Originally posted by amish_geek
What firewall programs did you use to set that up? That sounds like a valuable thing to have if you can't afford a whole separate server for it. Does that just run on one of your shared servers then?

We just put those 'honeypot' IPs on any server we feel like.

The firewall software sits at the edge of our network as part of our bandwidth management solution. You can get the software from ET, Inc. (http://www.etinc.com) as software only or as part of an appliance solution.

Just be forewarned, while the software is relatively good, don't expect any support from ET, Inc. It's a one man show and the guy appears to hate all customers. We get flamed every time we ask him for help with the software. We've got a nice little thread about that on our forum (http://forum.schmolie.com/index.php?showtopic=1031) .

NewtSys
09-11-2003, 06:15 PM
Originally posted by mpalamar
This code would hold every computer connected to the internet up for ransom. Impossible unless there is a serious bug in every operating system.


you mean like windows? :D:D

dthigpen
09-11-2003, 06:43 PM
Originally posted by amish_geek
And that's your opinion, and you are entitled to it.

If I can get hold of his code, would you be willing to disprove it by allowing me to send it to your computer?


I will be more than happy to connect to a computer with this code on it, using any standard protocol, and allow you to use whatever method you suppose he uses to magically push this code to the client computer and execute it on any operating system the client is running.

In a perfect world, you'd be laughing when you read your original post, too. Now, I'm really not trying to be mean or anything, I'm just stating fact. Your friend is full of **** if that's actually what he told you, or just told you half the story.

Cheers,

dthigpen
09-11-2003, 07:17 PM
Also amish_geek, I just noticed, while visiting the sites in your sig, that your gaming site is hacked. Might want to focus on increasing your security before you worry about honeypots in general.

mwalters
09-11-2003, 08:28 PM
Originally posted by amish_geek
He has a mean little assembler code payload that it sends to the intruder, which, if they have a flashable cmos on their motherboard, it will tell the system to flash it blank.

This is just a LITTLE bit on the illegal side I'm pretty sure. Goes along the lines of 2 wrongs don't make a right.

amusive.com
09-12-2003, 03:52 AM
Originally posted by webworkz
Sorry; but I don't care what kind of background/experience he has under his belt.

He's full of it.

Sums it up nicely.

If it's super-hip-hop protected, no way is the hacker going to download a binary on his own volition (shell is not going to automatically send a file) and then execute it.

OH wait, did he name it "run this to get all the super-secret awesome info stuffs.exe"? That might work.

One step further, he would be liable for any damage caused by this application. Yes, we live in a country where if someone breaks into your house and breaks their leg doing it, you are legally responsible.

LinuxRigs
09-12-2003, 12:18 PM
It shouldn't be illegal, even if it is. I'd simply state that the file was there for my own personal use, I had a need to turn some old motherboards into doorstops or what-not. I did not give this guy access to my server to download this file; instead he hacked his way in, and stole my file.

And of course sue the guy for all he's worth, since he stole your intellectual property.

mwalters
09-12-2003, 12:30 PM
You might be able to get away with that, but in general, yes, it is illegal to cause harm to their system, for instance if they tried to hack into your system and it started DoS'ing them back or something. And I still say do some research on the honeypot thing; the government (US state governments) doesn't seem too keen on them.

LinuxRigs
09-12-2003, 12:36 PM
That's why you don't actively attack them. Make them break into the server, STEAL your file, then run it.