Public Honeypots?

Hey,

I was wondering whether there are any public honeypot logs that are updated in real time?

I was thinking it would be cool to distribute a freeware proxy for Win32. It would forward connections back out to a public honeypot server, which would display all its statistics in real time via a website.

Sort of a volunteer network for shining a light on nets that hackers originate from.

Anybody doing this?

-Matt

shrike

With the crackers creating malware that is trying to hide from scanners, it would kinda defeat the purpose of a honeypot if the ip addresses were public would it not?

Bit Twister

Howdy,

The address of the server would be public, but the fact the cracker is/was connected to it wouldn't be immediately discernible. Say a Win32 dialup box (IP assigned by LCP) sported a proxy on TCP port 6000. It receives a connection, forwards that connection to the public honeypot server. Cracker thinks he's connected to a dialup box running an X Windows server, but instead is connected to the honeypot.

Of course, this doesn't stop infection via Java applets and ActiveX and the like, but in those cases there are often subsequent connections used to upload trojans, and those would be potentially forwardable to the honeypot. (I caught one of these on a search engine advertisement today, one of the bigger engines too.)

I guess you would have to introduce some sort of delay between hit and publish, otherwise the cracker would just monitor the server as he's scanning to filter out the watching hosts. So figure a 24 hour delay to allow dialups to disconnect and reconnect with a different IP address.

Does that answer your question? I wasn't quite sure what you were getting at.

-Thanks!

-Matt

shrike

Trying to catch someone like that risks the operator of the honeypot being sued for entrapment.

Charles Newman

Someone obviously doesn't know what entrapment is.

doubter

BS, and it's done all the time.

I have my web servers logging to a MS SQL server for commands that don't validate, then provide those as summary and detail lists for customers to use in their firewall block lists or other uses.

Leythos
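An added example, written for this page and not code from any poster in the thread, that combines the two ideas above: Leythos's practice of logging web requests that don't validate and turning them into summary and detail lists for block lists, and Matt's delay between hit and publish so the list can't be used to watch detection as it happens. The log lines, the validation rule (allowed methods, safe path syntax, non-error status) and the 24-hour embargo window are all constructed assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample web-server log lines (combined-log style); not taken from the thread.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2004:01:02:03 +0000] "GET /index.html HTTP/1.0" 200 512
203.0.113.7 - - [10/Mar/2004:01:02:09 +0000] "GET /../../etc/passwd HTTP/1.0" 404 0
198.51.100.23 - - [10/Mar/2004:02:15:00 +0000] "GET /cgi-bin/does-not-exist.cgi HTTP/1.0" 404 0
192.0.2.44 - - [11/Mar/2004:03:00:00 +0000] "POST /cgi-bin/formmail.pl HTTP/1.0" 404 0
192.0.2.44 - - [11/Mar/2004:03:00:05 +0000] "GET /about.html HTTP/1.0" 200 1024
"""

# Assumed "now" for the demonstration, chosen so some hits are older than the embargo and one is not.
DEMO_NOW = datetime(2004, 3, 12, tzinfo=timezone.utc)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
ALLOWED_METHODS = {"GET", "POST", "HEAD"}          # assumed policy
SAFE_PATH_RE = re.compile(r"^/[A-Za-z0-9_./-]*$")  # assumed: plain paths only


def parse_line(line):
    """Parse one combined-log line into a dict, or None if it doesn't match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def request_validates(rec):
    """A request 'validates' when method, path syntax and outcome all look like normal use."""
    if rec["method"] not in ALLOWED_METHODS:
        return False
    if not SAFE_PATH_RE.match(rec["path"]) or ".." in rec["path"]:
        return False
    return rec["status"] < 400


def collect_hits(log_text):
    """Map source IP -> timestamps of the requests from it that did not validate."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and not request_validates(rec):
            hits[rec["ip"]].append(rec["ts"])
    return hits


def build_lists(hits, now, delay=timedelta(hours=24)):
    """Split hits into a publishable summary and a still-embargoed set.

    An address is released only once its most recent hit is older than `delay`,
    so a scanner watching the published list cannot tell in real time which
    hosts are reporting it (the hit-to-publish delay from the thread)."""
    summary, pending = {}, set()
    for ip, stamps in hits.items():
        last_seen = max(stamps)
        if now - last_seen >= delay:
            summary[ip] = {"hits": len(stamps), "last_seen": last_seen}
        else:
            pending.add(ip)
    return summary, pending


def blocklist_lines(summary):
    """Detail list in a form a firewall admin could paste: one /32 per published address."""
    return [f"{ip}/32" for ip in sorted(summary)]


if __name__ == "__main__":
    summary, pending = build_lists(collect_hits(SAMPLE_LOG), DEMO_NOW)
    for ip, info in sorted(summary.items()):
        print(f"{ip}: {info['hits']} bad request(s), last seen {info['last_seen'].isoformat()}")
    print("embargoed (too recent to publish):", sorted(pending))
    print("\n".join(blocklist_lines(summary)))
```

Run as-is, the script publishes the two addresses whose last bad request is more than 24 hours before `DEMO_NOW` and holds back `192.0.2.44`, whose hit is only 21 hours old; the valid `200` requests from the same addresses are ignored entirely. The embargo is the same control Matt describes for the proxy idea, just applied to a web log instead of a forwarded connection.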

I would also have to disagree w/ the entrapment angle. Similar things have happened IRL. It is really just a community watch set up in virtual space.

You might even configure it similar to an RBL, where subscriber clients would have the option of null-routing infected nets in real time. End result is that ISPs supporting hackers would start losing visibility unless they stay on top of their own users. That probably _would_ get you sued, but I expect existing RBL lawsuits would provide good supporting precedent.

-Thanks

-Matt

shrike
