[plug] Building a "minefield/tarpit" for worms

Matt Kemner zombie at penguincare.com.au
Wed May 31 13:13:24 WST 2006


On Wed, 31 May 2006, quoth Shannon Carver:

> Yea, that'd be great to watch live.
>
> Give them access to a chroot'd dummy drive and just watch what they do,
> delete logs, install nasty scripts etc etc :P

I'm in the process of rebuilding a linux server now, which was compromised
this way (weak root password) - new customer rings me up, says their linux
server isn't working properly, can I help?  It's hosted in a datacentre
and they can no longer log into it as root, or any other user.

I booted up from a USB memory key and mounted the drive, and the
/root/.bash_history is very informative.  They changed the root password,
and then removed all user accounts (obviously didn't care if they got
caught) and then downloaded some tools and then used this server to scan
for other servers with weak passwords.

I have a copy of the password list they use as well as the scanning tools,
and the yahoo email address they email the results to (which is probably
long gone by now).

I agree with what others have said, it's pretty much a waste of time
setting up a tarpit, because their MO is to compromise many servers around
the world (preferably on fast links like this one) and then use those to
do the scanning.  You might be able to slow one of them down (and I doubt
that) but it won't affect their operation by much at all.

btw if you ever suspect a server has been compromised (rootkitted)
try this command:

"echo /var/tmp/* /var/tmp/.*"

Almost every server I have seen that has been rootkitted (and I have seen
more than I can count over the past few years) has had stuff "hidden" in
"/var/tmp/.. " (note the space) or "/var/tmp/.~" or whatever. It seems to
be a favourite hiding spot for most script kiddies.

Using the echo avoids using /bin/ls which is often replaced as part of the
"rootkit" with a binary that does not show their hidey hole of choice
(eg it does not list directories called ".~")

This particular server had "/var/tmp/.~" and "/var/tmp/ "

 - Matt Kemner
  Penguin Care		Tel: Perth 08 9322 3444	Brisbane 07 3337 9988
  Mob: 04 1175 6910	Fax: Perth 08 9221 3444	Brisbane 07 3337 9977
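
The echo-instead-of-ls check above, carried one step further as an added example that is not part of Matt's post: a POSIX sh function that lets the shell itself expand the directory (so a trojaned /bin/ls is never invoked) and flags entries whose names consist only of dots, spaces, tabs or tildes, the ".. ", ".~" and " " style names described above. The function name, the default directory and the flagging rule are assumptions.

```shell
#!/bin/sh
# scan_hidden_dirs DIR  (DIR defaults to /var/tmp)
# Prints one line per suspicious entry; returns 1 if any were found, else 0.
# Hypothetical helper written for this example.
scan_hidden_dirs() {
    dir="${1:-/var/tmp}"
    found=0
    # Bracket expression: any character that is NOT dot, tilde, space or tab.
    ws=$(printf ' \t')
    ordinary="*[!.~$ws]*"
    # The shell expands the globs itself, so a replaced ls cannot hide entries.
    for entry in "$dir"/* "$dir"/.*; do
        name="${entry##*/}"
        [ "$name" = "." ] && continue     # the real . and .. only
        [ "$name" = ".." ] && continue    # ".. " (with a space) is NOT skipped
        [ -e "$entry" ] || continue       # unexpanded glob on an empty dir
        case "$name" in
            $ordinary) ;;                 # contains a normal character: leave it
            *)  # printf with quotes makes a trailing space visible, echo would not
                printf 'SUSPICIOUS: "%s"\n' "$entry"
                found=$((found + 1)) ;;
        esac
    done
    [ "$found" -eq 0 ]
}
```

Run it as `scan_hidden_dirs` on the mounted drive's /var/tmp (e.g. `scan_hidden_dirs /mnt/var/tmp`); an exit status of 1 means something was flagged.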
