Help with debug mode needed
Eric Wedaa
Eric.Wedaa at marist.edu
Thu May 21 10:24:05 AEST 2015
All;
I'm working on an ssh honeypot to analyze botnets, and I'm trying to find the chunk of code that specifies the following (like in Kippo)
TIMESTAMP [HoneyPotTransport,2522,XX.XX.XX.XX] kex alg, key alg: diffie-hellman-group1-sha1 ssh-rsa
TIMESTAMP [HoneyPotTransport,2522,XX.XX.XX.XX] outgoing: aes128-ctr hmac-sha1 none
TIMESTAMP [HoneyPotTransport,2522,XX.XX.XX.XX] incoming: aes128-ctr hmac-sha1 none
I was able to find the section in sshd.c where I can log the client name and port,
and the section in auth.c where the password is cleartext, but I have no idea what I'm really looking for to find the protocols.
I honestly have no idea where I should really be looking. If somebody can point me in the right direction (or send a code fragment) I'd really appreciate it. I'll post a link back to the mailing list to where everyone else can find the completed code if I get some help.
(BTW: It's live already at http://longtail.it.marist.edu and I've already found and/or analyzed 9 botnets. Having better information on who's attacking will, I hope, make it easier to bunch them all together.)
(And no, I'm not rising to the bait about tcpwrappers :-) It's decided and done.)
>>>Ericw
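As an added example (not part of the original post, and not OpenSSH or Kippo code): once the honeypot emits the three Kippo-style lines quoted above, the useful next step is to turn them into a per-session negotiation fingerprint and group source IPs by it, which is what "bunching botnets together" amounts to. In the OpenSSH tree itself the negotiation that produces these names happens in kex.c, in kex_choose_conf(), which already prints the chosen kex, cipher, MAC and compression names through debug(); the script below only consumes log output. The log lines, IPs and timestamps are constructed sample data.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample log in the Kippo line format quoted in the post.
# Sessions 2522 and 2523 negotiate identical algorithms from different IPs;
# 2524 differs; 2525 is cut off before its "incoming:" line was logged.
SAMPLE_LOG = """\
2015-05-20 23:12:01+0000 [HoneyPotTransport,2522,192.0.2.10] kex alg, key alg: diffie-hellman-group1-sha1 ssh-rsa
2015-05-20 23:12:01+0000 [HoneyPotTransport,2522,192.0.2.10] outgoing: aes128-ctr hmac-sha1 none
2015-05-20 23:12:01+0000 [HoneyPotTransport,2522,192.0.2.10] incoming: aes128-ctr hmac-sha1 none
2015-05-20 23:14:37+0000 [HoneyPotTransport,2523,198.51.100.7] kex alg, key alg: diffie-hellman-group1-sha1 ssh-rsa
2015-05-20 23:14:37+0000 [HoneyPotTransport,2523,198.51.100.7] outgoing: aes128-ctr hmac-sha1 none
2015-05-20 23:14:37+0000 [HoneyPotTransport,2523,198.51.100.7] incoming: aes128-ctr hmac-sha1 none
2015-05-20 23:20:05+0000 [HoneyPotTransport,2524,203.0.113.99] kex alg, key alg: diffie-hellman-group14-sha1 ssh-rsa
2015-05-20 23:20:05+0000 [HoneyPotTransport,2524,203.0.113.99] outgoing: aes256-ctr hmac-sha2-256 none
2015-05-20 23:20:05+0000 [HoneyPotTransport,2524,203.0.113.99] incoming: aes256-ctr hmac-sha2-256 none
2015-05-20 23:21:40+0000 [HoneyPotTransport,2525,192.0.2.10] kex alg, key alg: diffie-hellman-group1-sha1 ssh-rsa
2015-05-20 23:21:40+0000 [HoneyPotTransport,2525,192.0.2.10] outgoing: aes128-ctr hmac-sha1 none
"""

# "<timestamp> [HoneyPotTransport,<session id>,<ip>] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>.*?) \[HoneyPotTransport,(?P<sid>\d+),(?P<ip>[^\]]+)\] (?P<msg>.*)$"
)
KEX_PREFIX = "kex alg, key alg: "


def parse_sessions(log_text):
    """Collect the negotiated algorithms per (session id, ip) from Kippo-style lines."""
    sessions = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # logins, commands and other lines are not our concern here
        key = (m.group("sid"), m.group("ip"))
        msg = m.group("msg")
        if msg.startswith(KEX_PREFIX):
            parts = msg[len(KEX_PREFIX):].split()
            if len(parts) == 2:
                sessions[key]["kex"], sessions[key]["hostkey"] = parts
        elif msg.startswith(("incoming: ", "outgoing: ")):
            direction, algs = msg.split(": ", 1)
            parts = algs.split()  # cipher, MAC, compression
            if len(parts) == 3:
                sessions[key][direction] = tuple(parts)
    return dict(sessions)


def is_complete(session):
    """True when kex, host key and both traffic directions were all logged."""
    return all(k in session for k in ("kex", "hostkey", "incoming", "outgoing"))


def fingerprint(session):
    """Readable negotiation fingerprint; order is fixed so equal sessions compare equal."""
    return "%s;%s;in=%s;out=%s" % (
        session["kex"],
        session["hostkey"],
        ",".join(session["incoming"]),
        ",".join(session["outgoing"]),
    )


def fingerprint_id(session):
    """Short stable identifier for a fingerprint, handy as a column in reports."""
    return hashlib.sha256(fingerprint(session).encode()).hexdigest()[:12]


def group_by_fingerprint(sessions):
    """Map each complete session's fingerprint to the sorted list of source IPs using it."""
    groups = defaultdict(set)
    for (_sid, ip), session in sessions.items():
        if not is_complete(session):
            continue  # partial handshake: do not guess the missing direction
        groups[fingerprint(session)].add(ip)
    return {fp: sorted(ips) for fp, ips in groups.items()}


if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_LOG)
    for fp, ips in group_by_fingerprint(sessions).items():
        print("%s  %s  %s" % (hashlib.sha256(fp.encode()).hexdigest()[:12], fp, " ".join(ips)))
```

One caveat when reading the result: the negotiated names are the intersection of what the client offered and what the honeypot accepts, so two different bots can collapse onto the same fingerprint if your server's list is short, and changing the server's Ciphers/MACs configuration changes every fingerprint. The client's full offered lists from its KEXINIT are a more discriminating signal if the honeypot can log them as well.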