project – 05.03.2002

Originally written 05.03.2002.

  • downloaded the bash patch from http://project.honeynet.org/papers/honeynet/bash.patch and the bash-2.03 source RPM from ftp://ftp.redhat.com/pub/redhat/linux/6.2/en/os/i386/SRPMS/bash2-2.03-8.src.rpm. Installed the source RPM, copied the patch to /usr/src/redhat/SOURCES/bash-2.03-syslog.patch and commented out the other patches in the RPM spec file. The changes I made are here:
    10,16c10,15
     Patch0: bash-2.03-paths.patch
    > Patch1: bash-2.02-security.patch
    > Patch2: bash-2.02.1-arm.patch
    > Patch3: bash-2.03-profile.patch
    > Patch4: bash-2.03-bash2.patch
    > Patch5: bash-2.03-requires.patch
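    Review bot: the left-hand side of this hunk is incomplete: the header `10,16c10,15` announces seven lines on the left, but only `Patch0: bash-2.03-paths.patch` appears, with no `<` marker and no `---` separator before the `>` lines, so the change cannot be reapplied from what is shown. Re-paste the hunk with the `<` lines intact (they were presumably lost when the page was extracted, since a bare `<` opens an HTML tag); the `>` side alone only shows the original Patch1..Patch5 declarations being replaced, not what they were replaced with.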
    44,52c43,50
     _distribution
     _patchlevel
    ---
    > %patch0 -p1 -b .paths
    > %patch1 -p1 -b .security
    > %patch2 -p1 -b .arm
    > %patch3 -p1 -b .profile
    > %patch4 -p1 -b .bash2
    > %patch5 -p1 -b .requires
    > echo %{version} > _distribution
    > echo %{release} > _patchlevel
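    Review bot: same problem here: the header `44,52c43,50` says nine left-hand lines, but only `_distribution` and `_patchlevel` survive before the `---`, again without `<` markers. Note also that the `>` side includes `%patch0 -p1 -b .paths`, so the edit was not limited to the Patch1..Patch5 lines described in the text; the `<` side is needed to see how the paths patch and the new bash-2.03-syslog.patch were wired into the spec.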

    I then tried to build a new RPM with the command “rpm -bb --clean --rmsource bash2.spec” and the bash executable compiled fine, but something messed up on the documentation. So much for building an RPM.

  • copied the modified bash files to the honeypots. overwrote the normal /bin/bash with the patched version. deleted /bin/tcsh and /bin/csh. /bin/bash2 and /bin/sh are already symlinked to /bin/bash.
  • here’s a look at some logged shell commands on hermione sent to the remote syslog server, ron:

    May  3 07:29:31 xxx.xxx.xxx.xxx bash: HISTORY: PID=572 UID=0 cd /bin/
    May  3 07:29:31 xxx.xxx.xxx.xxx bash: HISTORY: PID=572 UID=0 ls
    May  3 07:29:34 xxx.xxx.xxx.xxx bash: HISTORY: PID=572 UID=0 ls -l sh
  • note that this type of dcap isn’t particularly effective since any cracker worth her salt is going to replace the shell as soon as the box gets rooted.
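The syslog excerpt above and the caveat that the shell gets replaced suggest a simple check on the collector side. The following is an added example (not part of the journal, the honeynet project's bash patch, or its tooling) that parses `bash: HISTORY:` lines in the format shown, follows `cd` per host/PID so relative names are resolved, and flags any command whose arguments name one of the logging shell binaries. The sample log is constructed: it repeats the three lines quoted above and adds two invented ones; the regex, the `SHELL_PATHS` set (taken from the symlinks the journal lists) and the `MODIFYING_CMDS` set are assumptions of this example.

```python
import posixpath
import re
import shlex
from dataclasses import dataclass

# Line format as it appears in the journal's syslog excerpt, e.g.
#   May  3 07:29:31 xxx.xxx.xxx.xxx bash: HISTORY: PID=572 UID=0 cd /bin/
# (assumed here to be stable; adjust if the syslog template differs)
HISTORY_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"bash: HISTORY: PID=(?P<pid>\d+) UID=(?P<uid>\d+) (?P<cmd>.*)$"
)

# Binaries that carry the logging shell on the honeypot: the journal says
# /bin/bash2 and /bin/sh are symlinks to the patched /bin/bash.
SHELL_PATHS = frozenset({"/bin/bash", "/bin/bash2", "/bin/sh"})

# Commands that would replace or alter a file named as an argument
# (example set, not exhaustive).
MODIFYING_CMDS = frozenset({"cp", "mv", "rm", "ln", "install", "chmod", "chattr", "dd"})


@dataclass
class HistoryEvent:
    ts: str
    host: str
    pid: int
    uid: int
    cmd: str


def parse_history_line(line):
    """Return a HistoryEvent for a bash HISTORY syslog line, or None for anything else."""
    m = HISTORY_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    return HistoryEvent(m["ts"], m["host"], int(m["pid"]), int(m["uid"]), m["cmd"])


def scan_history(lines):
    """Flag logged commands that name the logging shell.

    The working directory is tracked per (host, PID) by following `cd`, so a
    relative name such as `ls -l sh` typed in /bin resolves to /bin/sh.
    Returns a list of (event, resolved_path, severity) tuples, where severity
    is "modify" for commands in MODIFYING_CMDS and "inspect" otherwise.
    """
    cwd = {}  # (host, pid) -> current directory; unknown sessions start at /
    alerts = []
    for line in lines:
        ev = parse_history_line(line)
        if ev is None:
            continue
        key = (ev.host, ev.pid)
        here = cwd.get(key, "/")
        try:
            argv = shlex.split(ev.cmd)
        except ValueError:  # unbalanced quotes: fall back to a plain split
            argv = ev.cmd.split()
        if not argv:
            continue
        if argv[0] == "cd":
            # bare `cd` goes to the home directory; approximated as /root for UID 0
            target = argv[1] if len(argv) > 1 else ("/root" if ev.uid == 0 else "/")
            cwd[key] = posixpath.normpath(posixpath.join(here, target))
            continue
        for arg in argv[1:]:
            if arg.startswith("-"):
                continue  # skip options such as -l
            resolved = posixpath.normpath(posixpath.join(here, arg))
            if resolved in SHELL_PATHS:
                severity = "modify" if argv[0] in MODIFYING_CMDS else "inspect"
                alerts.append((ev, resolved, severity))
    return alerts


# Constructed sample: the three lines from the journal, then two invented lines
# (the shell being overwritten, and a non-root session looking at /bin/bash)
# and one unrelated syslog line that the parser must ignore.
SAMPLE_LOG = """\
May  3 07:29:31 xxx.xxx.xxx.xxx bash: HISTORY: PID=572 UID=0 cd /bin/
May  3 07:29:31 xxx.xxx.xxx.xxx bash: HISTORY: PID=572 UID=0 ls
May  3 07:29:34 xxx.xxx.xxx.xxx bash: HISTORY: PID=572 UID=0 ls -l sh
May  3 07:30:02 xxx.xxx.xxx.xxx bash: HISTORY: PID=572 UID=0 cp /tmp/sh sh
May  3 07:30:10 xxx.xxx.xxx.xxx bash: HISTORY: PID=601 UID=500 ls -l /bin/bash
May  3 07:30:11 xxx.xxx.xxx.xxx syslogd 1.3-3: restart.
""".splitlines()


if __name__ == "__main__":
    for ev, path, severity in scan_history(SAMPLE_LOG):
        print(f"{ev.ts} {ev.host} pid={ev.pid} uid={ev.uid} {severity:7} {path}: {ev.cmd}")
```

Run against the sample, the `ls -l sh` line from the journal is reported as an inspection of /bin/sh and the invented `cp /tmp/sh sh` as a modification of it. Once a "modify" alert fires for a shell path, later HISTORY lines from that host can no longer be trusted, which is the point the note above makes.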
  • modified my honeynet setup scripts to copy common files to the mounted honeypot filesystems.
  • began looking at the firewall configuration. i’m going to use iptables to start to keep things simple. figured a good place to start would be the honeynet project’s sample iptables config at http://project.honeynet.org/papers/honeynet/rc.firewall. looks like i should read the NAT howto and the packet filtering howto at http://netfilter.samba.org/documentation/
  • changed the networking of the virtual honeynet so the honeypots have unroutable ips (192.168.0.*) because it seems like the honeynet project’s firewalling script wants to do nat. who am i to argue?