Nigel Wade wrote:
Why? I would be very surprised if it was. It requires infected files to be manually transferred from system to system.
The attackers might have used shell access on the compromised machine as a platform to launch an attack on his local network. Or even the automated tools they uploaded/installed on the compromised machine might have done that. It is a classic approach. The attacker gets access to a single machine. Then he tries to see what else is reachable from it.
That is why, when setting up a honeypot machine, it must be on a physically separate network segment, completely cut off from any other network by a firewall.
Daniel's (Daniel was OP, right?) reasoning was "they can't do much harm if all they got is user-level shell access". My guess is Daniel already realized how wrong his reasoning was. You can do a lot of nasty things with user-level shell access.
An analogy would be letting a thief into your house, and locking him in the room. There's a locked cabinet with some valuables inside that room. However, your room doors, and the lock on the cabinet, are certainly no match for your front door. It is so much easier for the thief to get the stuff from the locked cabinet (root access) and move to other rooms (machines on the local network), once he is already inside the house. To continue with the analogy, honeypot machines are completely separate houses. They are not rooms inside your house.
Moral of the story (which would be this thread): kids, don't do this at home.
--
Aleksandar Milivojevic <amilivojevic@xxxxxx>
Pollard Banknote Limited
Systems Administrator
1499 Buffalo Place    Tel: (204) 474-2323 ext 276
Winnipeg, MB R3T 1L7
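The isolation the message above asks for (honeypot segment that attackers can reach but that can never initiate toward the rest of the network) expressed as an nftables forwarding policy on the firewall between the segments. This is an added example, not part of the thread; the interface names eth0/eth1/eth2, the bait port 22, and the admin host address 192.0.2.10 are assumed placeholders.

```nft
# Assumed interfaces (placeholders): eth0 = Internet uplink, eth1 = internal LAN,
# eth2 = honeypot segment. The firewall routes between them; nothing else does.
table inet honeypot_isolation {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections that were explicitly allowed below
        ct state established,related accept

        # Attackers may reach the bait service on the honeypot from the Internet only
        iifname "eth0" oifname "eth2" tcp dport 22 ct state new accept

        # A compromised honeypot must never open a connection into the LAN;
        # log it, because such an attempt is exactly the pivot you want to see
        iifname "eth2" oifname "eth1" log prefix "honeypot-to-lan: " drop

        # Nor anywhere else (Internet, other segments); logged for the same reason
        iifname "eth2" log prefix "honeypot-egress: " drop

        # Management of the honeypot only from one dedicated admin host (placeholder address)
        iifname "eth1" oifname "eth2" ip saddr 192.0.2.10 tcp dport 22 ct state new accept
    }
}
```

The default drop policy means any segment or direction not listed is cut off, so adding a new internal segment later does not silently open a path from the honeypot.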