Summarized Honeypot Compromises
Wednesday, August 30. 2006
The last blog postings described several honeypot compromises in more detail. In total, there were seven honeypot compromises in the first half of 2006 (diploma thesis of Jan Göbel). The following table summarizes these incidents, together with a brief description of each compromise:
| # | Operating System | Vulnerability used | Actions |
|---|---|---|---|
| 1 | Red Hat 8.0 | weak password | SSH scans |
| 2 | Suse 9.1 | web application | IRC proxy installation |
| 3 | Red Hat 8.0 | web application | phishing / scanning |
| 4 | Suse 9.1 | web application | phishing |
| 5 | Red Hat .0 | weak password | user-space IRC bot |
| 6 | Red Hat 8.0 | weak password | phishing |
| 7 | Suse 9.1 | web application | none |
The attack vectors used to compromise these honeypots were either weak passwords (found by SSH brute-force scans) or vulnerable web applications. None of the vulnerabilities present in these rather old Linux distributions themselves were exploited. In the future, we will examine the threat posed by web applications in more detail, mainly focussing on phpMyAdmin and XMLRPC. So stay tuned for further reports :-)
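Since weak SSH passwords were the entry point for three of the seven compromises, the kind of signal a defender would want from the honeypot's own `auth.log` is a burst of failed logins from one source followed by an accepted login from that same source. The following is an added example, not code from the original post or from the thesis it summarizes: it parses OpenSSH `sshd` log lines, counts failures per source address inside a sliding window, and flags any accepted login that arrives right after such a burst. The log lines, the threshold of five failures and the 60-second window are constructed assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of OpenSSH auth.log lines (documentation addresses,
# not real honeypot data). The first host hammers root with five bad
# passwords and then gets in; the second is an ordinary typo followed by success.
SAMPLE_LOG = """\
Aug 30 10:00:01 honeypot sshd[2201]: Failed password for root from 192.0.2.10 port 40001 ssh2
Aug 30 10:00:02 honeypot sshd[2203]: Failed password for invalid user admin from 192.0.2.10 port 40002 ssh2
Aug 30 10:00:03 honeypot sshd[2205]: Failed password for root from 192.0.2.10 port 40003 ssh2
Aug 30 10:00:04 honeypot sshd[2207]: Failed password for invalid user test from 192.0.2.10 port 40004 ssh2
Aug 30 10:00:05 honeypot sshd[2209]: Failed password for root from 192.0.2.10 port 40005 ssh2
Aug 30 10:00:06 honeypot sshd[2211]: Accepted password for root from 192.0.2.10 port 40006 ssh2
Aug 30 10:05:00 honeypot sshd[2300]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Aug 30 10:05:30 honeypot sshd[2302]: Accepted password for alice from 198.51.100.7 port 51001 ssh2
"""

# Matches the "Failed password" / "Accepted password" lines sshd writes
# for password authentication, including the "invalid user" variant.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line, year=2006):
    """Parse one sshd auth line into a dict, or None if it is not a password event.
    syslog timestamps carry no year, so the caller supplies one (assumption: 2006)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def analyze(log_text, threshold=5, window_seconds=60):
    """Return (brute_forcers, suspicious_logins).

    brute_forcers: ip -> largest number of failures seen inside one window.
    suspicious_logins: (ip, user, failures_in_window) for every accepted login
    that was preceded by at least `threshold` failures from the same ip
    within `window_seconds`, i.e. a likely successful password guess."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    failures = defaultdict(list)  # ip -> timestamps of failed attempts
    brute_forcers = {}
    suspicious = []
    for e in events:
        recent = [t for t in failures[e["ip"]]
                  if (e["ts"] - t).total_seconds() <= window_seconds]
        if e["result"] == "Failed":
            failures[e["ip"]].append(e["ts"])
            recent.append(e["ts"])
            if len(recent) >= threshold:
                brute_forcers[e["ip"]] = max(brute_forcers.get(e["ip"], 0), len(recent))
        elif len(recent) >= threshold:
            suspicious.append((e["ip"], e["user"], len(recent)))
    return brute_forcers, suspicious


if __name__ == "__main__":
    scanners, logins = analyze(SAMPLE_LOG)
    for ip, n in scanners.items():
        print(f"brute force: {ip} ({n} failures within window)")
    for ip, user, n in logins:
        print(f"SUCCESS AFTER {n} FAILURES: {user} from {ip}")
```

The second source address is deliberately left unflagged: a single failure before a success is normal user behaviour, and raising the threshold or widening the window is how you trade false positives against slow, low-rate guessing. On a real host the same check is what tools such as fail2ban automate, but running it over the honeypot's log after the fact is also the quickest way to confirm which of the compromises in the table above began with a guessed password rather than a web-application hole.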


