Web-based Honeypot Decoys: Results I

With the help of the web-based honeypot developed by Michael Müter for his thesis, we collect information about attacks against web applications. The current setup consists of four web applications that were turned into honeypots (PHP-Nuke, phpMyAdmin, PHP Shell and phpBB). As the data below shows, attackers commonly locate web applications with the help of search engines: this kind of Google hacking seems to be quite popular amongst them. The numbers are based on a period of about four months (January - April 2007):

Traffic:
Total Hits: 11606 [100%]
Number of Distinct Source IPs: 1305

Total Web Spiders: 7279 [62.72%]

Referrer was set: 3414 [29.42%]
Referrer was obstructed: 8192 [70.58%]
Proxy detected: 714 [6.15%]

Search engines detected in HTTP referrer:
Google: 645 Hits [98.02%]
Yahoo: 5 Hits [0.76%]
Altavista: 4 Hits [0.61%]
msn.com: 4 Hits [0.61%]

Most popular http-referrer:
http://www.google.com/search?q="create the Super User" "now by clicking here" : 62 [9.42%]
http://www.google.com/search?q=inurl:phpmyadmin&hl=en&safe=off&start=10&sa=N : 6 [0.91%]
http://www.google.it/search?hl=it&q=allinurl:phpnuke/modules.php?name=Search&btnG=Cerca con Google&meta= : 5 [0.76%]
http://www.google.co.id/search?q=allinurl:.org/phpmyadmin/&hl=id&client=firefox-a&rls=org.mozilla:en-US:official&start=10&sa=N : 4 [0.61%]
http://it.altavista.com/web/results?itag=ody&kgs=0&kls=0&q=powered php nuke&stq=10 : 4 [0.61%]
http://www.google.com.tr/search?q=powered by phpnuke&hl=tr&start=10&sa=N : 4 [0.61%]
http://www.google.com/search?sourceid=navclient&ie=UTF-8&rls=GFRC,GFRC:2007-05,GFRC:en&q=php nuke remove news : 4 [0.61%]
http://www.google.com/search?hl=en&q="create the Super User" "now by clicking here"&btnG=Search : 4 [0.61%]
http://www.google.it/search?hl=it&q=allinurl:phpnuke/modules.php?name=Search&btnG=Cerca&meta= : 3 [0.46%]
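To show how referrer statistics like the ones above can be derived from ordinary web server logs, here is an added example (not code from the honeypot toolkit or from the thesis). It parses Apache combined-format log lines, classifies the Referer host as one of the search engines named above, decodes the search terms (the "dork") from the query string, and flags crawler user agents. The log lines, the short crawler signature list and the engine host labels are constructed for this example.

```python
import re
from collections import Counter
from urllib.parse import urlparse, parse_qs

# Apache "combined" log format:
#   host ident user [time] "request" status bytes "referrer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Search-engine host labels mapped to the names used in the post.  Matching a label in
# the referrer host is a heuristic: the Referer header is client-supplied and can be forged.
ENGINES = {"google": "Google", "yahoo": "Yahoo", "altavista": "Altavista", "msn": "msn.com"}

# Query-string parameter carrying the search terms (Google/Altavista/MSN: q, Yahoo: p).
SEARCH_PARAMS = ("q", "p")

# Crawler user-agent fragments; assumption: a stand-in for a real bot signature list.
SPIDER_UA = ("Googlebot", "Slurp", "msnbot")


def parse_line(line):
    """Split one combined-format log line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def search_engine_query(referrer):
    """Return (engine, search terms) when the referrer is a search result page, else (None, None)."""
    if referrer in ("", "-", None):
        return None, None
    u = urlparse(referrer)
    labels = (u.hostname or "").lower().split(".")
    engine = next((name for label, name in ENGINES.items() if label in labels), None)
    if engine is None:
        return None, None
    qs = parse_qs(u.query)            # percent-decodes and turns '+' back into spaces
    for key in SEARCH_PARAMS:
        if key in qs:
            return engine, qs[key][0]
    return engine, ""


def is_spider(user_agent):
    return any(sig in user_agent for sig in SPIDER_UA)


def analyse(log_text):
    """Aggregate the counters shown in the post over a block of log text."""
    stats = {"hits": 0, "spiders": 0, "referrer_set": 0, "referrer_missing": 0,
             "ips": set(), "engines": Counter(), "referrers": Counter(), "dorks": Counter()}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:               # skip lines that are not in combined format
            continue
        stats["hits"] += 1
        stats["ips"].add(rec["ip"])
        if is_spider(rec["ua"]):
            stats["spiders"] += 1
        if rec["ref"] in ("", "-"):
            stats["referrer_missing"] += 1
        else:
            stats["referrer_set"] += 1
            stats["referrers"][rec["ref"]] += 1
        engine, terms = search_engine_query(rec["ref"])
        if engine:
            stats["engines"][engine] += 1
            if terms:
                stats["dorks"][terms] += 1
    return stats


def summary(stats):
    """Render the counters in the layout used in the post (count and percentage of total hits)."""
    total = stats["hits"] or 1
    pct = lambda n: f"{100.0 * n / total:.2f}%"
    lines = [f"Total Hits: {stats['hits']} [100%]",
             f"Number of Distinct Source IPs: {len(stats['ips'])}",
             f"Total Web Spiders: {stats['spiders']} [{pct(stats['spiders'])}]",
             f"Referrer was set: {stats['referrer_set']} [{pct(stats['referrer_set'])}]",
             f"Referrer was obstructed: {stats['referrer_missing']} [{pct(stats['referrer_missing'])}]"]
    for engine, n in stats["engines"].most_common():
        lines.append(f"{engine}: {n} Hits [{pct(n)}]")
    for terms, n in stats["dorks"].most_common():
        lines.append(f"dork {terms!r}: {n}")
    return lines


# Constructed sample lines (not data from the honeypot); RFC 5737 documentation addresses.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Mar/2007:10:01:12 +0100] "GET /phpmyadmin/ HTTP/1.1" 200 4321 "http://www.google.com/search?q=inurl:phpmyadmin&hl=en&safe=off&start=10&sa=N" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) Gecko/20070219 Firefox/2.0.0.2"
203.0.113.9 - - [12/Mar/2007:10:03:40 +0100] "GET /modules.php?name=Your_Account HTTP/1.1" 200 8800 "http://www.google.com/search?hl=en&q=%22create+the+Super+User%22+%22now+by+clicking+here%22&btnG=Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
66.249.66.1 - - [12/Mar/2007:10:05:02 +0100] "GET /robots.txt HTTP/1.1" 200 26 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
192.0.2.44 - - [12/Mar/2007:10:07:19 +0100] "GET /phpnuke/ HTTP/1.1" 200 5120 "http://search.yahoo.com/search?p=powered+by+phpnuke&ei=UTF-8" "Mozilla/5.0 (X11; U; Linux i686; en-US) Firefox/2.0.0.3"
198.51.100.7 - - [12/Mar/2007:10:08:55 +0100] "POST /phpmyadmin/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) Gecko/20070219 Firefox/2.0.0.2"
192.0.2.45 - - [12/Mar/2007:10:10:01 +0100] "GET /phpBB/ HTTP/1.1" 200 7300 "http://forum.example.org/viewtopic.php?t=12" "Opera/9.10 (Windows NT 5.1; U; en)"
this line is not in combined log format and is skipped
"""

if __name__ == "__main__":
    for row in summary(analyse(SAMPLE_LOG)):
        print(row)
```

The Referer header is entirely under the client's control, so the extracted search terms are untrusted input: a referrer can be forged to make a hand-crafted request look like a search hit, and decoded terms must be escaped before they are written into any HTML report. The honeypot's proxy detection relies on request headers (such as Via or X-Forwarded-For) that the combined log format does not record, which is why it is not reproduced here.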


Comments


  1. John Moore says:

    It was quite a nice thesis. I read most of it last night. I noticed that the Google search engine can be used as well to find systems that are currently compromised with the r57shell 1.31. It evidently has overtaken the c99shell.php as the preferred remote administration tool for a compromised LAMP server. Will this honeypot be available as a service or a product in the future? He didn't really compare it with Oudot's PHP honeypot, which probably isn't as versatile in its functionality as Müter's is.

  2. Thorsten Holz says:

    The complete toolkit will presumably be released in the near future, so stay tuned.
    Laurent is not actively developing his PHP.Hop anymore and some of the ideas have merged into GHH. Our toolkit takes an orthogonal approach: instead of emulating a web app, we turn a web app into a honeypot in a generic way.

  3. Jamie Riden says:

    You are correct in that Michael's project is more flexible than Laurent's - the former is high-interaction and the latter is low-interaction. I've just grabbed the thesis now and looking forward to reading it.

    cheers,
    Jamie
