Help with debug mode needed

All;

  I'm working on an ssh honeypot to analyze botnets, and I'm trying to find the chunk of code that specifies the following (like in Kippo)

TIMESTAMP [HoneyPotTransport,2522,XX.XX.XX.XX] kex alg, key alg: diffie-hellman-group1-sha1 ssh-rsa
TIMESTAMP [HoneyPotTransport,2522,XX.XX.XX.XX] outgoing: aes128-ctr hmac-sha1 none
TIMESTAMP [HoneyPotTransport,2522,XX.XX.XX.XX] incoming: aes128-ctr hmac-sha1 none

I was able to find the section in sshd.c where I can log the client name and port,
and the section in auth.c where the password is cleartext, but I have no idea what I'm really looking for when it comes to finding the protocols.

I honestly have no idea where I should really be looking.  If somebody can point me in the right direction (or send a code fragment) I'd really appreciate it.  I'll post a link back to the mailing list to where everyone else can find the completed code if I get some help.

(BTW: It's live already at http://longtail.it.marist.edu and I've already found and/or analyzed 9 botnets.  Having better information on who's attacking will, I hope, make it easier to bunch them all together.)

(And no, I'm not rising to the bait about tcpwrappers :-) It's decided and done.)

>>>Ericw
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
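The three Kippo-style transport lines quoted in the post carry enough to group sessions by client behaviour, which is the "bunch them all together" goal. The following is an added example, not code from Kippo or OpenSSH: a parser for that log format that clusters sessions by the negotiated kex / host-key / cipher / MAC / compression tuple. The sample log lines, session ids and IP addresses are constructed.

```python
"""Cluster SSH honeypot sessions by negotiated algorithms (constructed example).
Assumes the Kippo-style transport log lines quoted in the post; not Kippo or OpenSSH code."""
import re
from collections import defaultdict

LINE_RE = re.compile(r"^(?P<ts>\S+) \[HoneyPotTransport,(?P<sid>\d+),(?P<ip>[^\]]+)\] (?P<msg>.*)$")

# Constructed sample log; IPs are from the 203.0.113.0/24 documentation range.
SAMPLE_LOG = """\
2011-01-01T00:00:01 [HoneyPotTransport,2522,203.0.113.10] kex alg, key alg: diffie-hellman-group1-sha1 ssh-rsa
2011-01-01T00:00:01 [HoneyPotTransport,2522,203.0.113.10] outgoing: aes128-ctr hmac-sha1 none
2011-01-01T00:00:01 [HoneyPotTransport,2522,203.0.113.10] incoming: aes128-ctr hmac-sha1 none
2011-01-01T00:05:00 [HoneyPotTransport,2523,203.0.113.20] kex alg, key alg: diffie-hellman-group1-sha1 ssh-rsa
2011-01-01T00:05:00 [HoneyPotTransport,2523,203.0.113.20] outgoing: aes128-ctr hmac-sha1 none
2011-01-01T00:05:00 [HoneyPotTransport,2523,203.0.113.20] incoming: aes128-ctr hmac-sha1 none
2011-01-01T00:09:00 [HoneyPotTransport,2524,203.0.113.30] kex alg, key alg: diffie-hellman-group-exchange-sha256 ssh-rsa
2011-01-01T00:09:00 [HoneyPotTransport,2524,203.0.113.30] outgoing: aes256-cbc hmac-md5 zlib
2011-01-01T00:09:00 [HoneyPotTransport,2524,203.0.113.30] incoming: aes256-cbc hmac-md5 zlib
"""


def parse_sessions(log_text):
    """Return {(sid, ip): {"kex", "hostkey", "outgoing", "incoming"}} from transport lines."""
    sessions = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a transport line
        sess, msg = sessions[(m["sid"], m["ip"])], m["msg"]
        if msg.startswith("kex alg, key alg: "):
            sess["kex"], sess["hostkey"] = msg.split(": ", 1)[1].split()
        elif msg.startswith(("outgoing: ", "incoming: ")):
            direction, algs = msg.split(": ", 1)
            sess[direction] = tuple(algs.split())  # (cipher, mac, compression)
    return dict(sessions)


def fingerprint(sess):
    """Negotiated-algorithm tuple; sessions sharing it likely come from the same client build."""
    return (sess.get("kex"), sess.get("hostkey"), sess.get("outgoing"), sess.get("incoming"))


def cluster_by_algorithms(log_text):
    """Map each complete fingerprint to the set of client IPs that produced it."""
    clusters = defaultdict(set)
    for (_sid, ip), sess in parse_sessions(log_text).items():
        fp = fingerprint(sess)
        if None not in fp:  # ignore sessions that never completed negotiation
            clusters[fp].add(ip)
    return dict(clusters)
```

Sessions whose three transport lines are incomplete are dropped rather than clustered, so a scanner that disconnects before finishing key exchange does not pollute a cluster.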