Incident Analysis of Compromised OpenBSD 3.0 Honeypot

A Background Check

After performing a background check on the hacker's domain at google.com, it was a pleasant surprise to see that there was an old cached page of the hacker's domain that contained even more information than the one currently up.

On the cached page there was a publicly displayed FTP login for music on the hacker's server, so I decided since it was apparently intended to be public it wouldn't be too unethical to check it out.

Now... the part that would probably put the nail in the coffin in court if this hacker was prosecuted is coming up... While logged in to the public 'music' account, I found that the 'music' user was not chrooted in its home directory, so I took a small peek around the hacker's system and stumbled upon the exploit used to hack the honeypot right in the hacker's ~/dl/exploits/ directory. Also in the ~/dl/ directory was the newnick.tar.gz file he was trying so hard to retrieve. I decided to download it for investigation and found out it was nothing more than a simple IRC bot intended for EF-Net. A few log/output files from various other scans the hacker was performing via nmap/other scanning tools were also in the hacker's home directory.

I wouldn't have been surprised if the music account had also allowed for a shell into the computer to execute a local root exploit, to turn the tables and 'hack the hacker'; however, this was not tried (obviously), as it's out of the scope of running a honeypot (oh, and against the law!).

After reviewing the websites of the two hackers it's clear they are friends with each other. One must have notified the other, who then joined in to help with the difficult process of backdooring a honeypot that's waiting to get backdoored and downloading an IRC bot script when FTP access was specifically made available. Apparently even for two script kiddies the task was just too much to handle.

Note: Because this honeypot is reachable only through the two ports forwarded to it, it is almost impossible for a hacker to install a back door on it anyway: any new listening port would be unreachable from the internet. Unfortunately, in the case of these two boys they could not even get so far as to learn that.
