Web-based Honeypot Decoys: Results I

Tuesday, May 1. 2007
With the help of the web-based honeypot developed by Michael Müter for his thesis, we collect information about attacks against web applications. The current setup consists of four web applications that were turned into honeypots (PHP-Nuke, phpMyAdmin, PHP Shell and phpBB). As the data below shows, attackers commonly find web applications with the help of search engines; this type of Google Hacking seems to be quite popular among attackers. These numbers are based on a period of about four months (January to April 2007):

Traffic:
Total Hits: 11606 [100%]
Number of Distinct Source IPs: 1305

Total Web Spiders: 7279 [62.72%]

Referrer was set: 3414 [29.42%]
Referrer was obstructed: 8192 [70.58%]
Proxy detected: 714 [6.15%]

Search engines detected in HTTP referrer:
Google: 645 Hits [98.02%]
Yahoo: 5 Hits [0.76%]
Altavista: 4 Hits [0.61%]
msn.com: 4 Hits [0.61%]

Most popular HTTP referrers:
http://www.google.com/search?q="create the Super User" "now by clicking here" : 62 [9.42%]
http://www.google.com/search?q=inurl:phpmyadmin&hl=en&safe=off&start=10&sa=N : 6 [0.91%]
http://www.google.it/search?hl=it&q=allinurl:phpnuke/modules.php?name=Search&btnG=Cerca con Google&meta= : 5 [0.76%]
http://www.google.co.id/search?q=allinurl:.org/phpmyadmin/&hl=id&client=firefox-a&rls=org.mozilla:en-US:official&start=10&sa=N : 4 [0.61%]
http://it.altavista.com/web/results?itag=ody&kgs=0&kls=0&q=powered php nuke&stq=10 : 4 [0.61%]
http://www.google.com.tr/search?q=powered by phpnuke&hl=tr&start=10&sa=N : 4 [0.61%]
http://www.google.com/search?sourceid=navclient&ie=UTF-8&rls=GFRC,GFRC:2007-05,GFRC:en&q=php nuke remove news : 4 [0.61%]
http://www.google.com/search?hl=en&q="create the Super User" "now by clicking here"&btnG=Search : 4 [0.61%]
http://www.google.it/search?hl=it&q=allinurl:phpnuke/modules.php?name=Search&btnG=Cerca&meta= : 3 [0.46%]
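
A breakdown like the one above can be produced from a web server's own logs. The following is an added example, not code from the honeypot or the thesis: it tallies search engines in Referer values and flags queries that use a URL operator. The function names, the engine-to-query-parameter mapping and the sample lines are assumptions made for illustration.

```python
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Engines named in the post; value = query parameter assumed to hold the search terms.
ENGINES = {"google": "q", "yahoo": "p", "altavista": "q", "msn": "q"}
OPERATORS = ("inurl:", "allinurl:")  # operators seen in the referrers listed in the post


def classify_referrer(referrer):
    """Return (engine, query) for a search-engine referrer, else (None, None)."""
    if not referrer or referrer == "-":
        return None, None
    try:
        parts = urlsplit(referrer)
        labels = (parts.hostname or "").split(".")
    except ValueError:  # malformed value; the header is client-supplied
        return None, None
    for engine, param in ENGINES.items():
        if engine in labels:
            values = parse_qs(parts.query).get(param, [""])
            return engine, values[0].strip()
    return None, None


def summarize(referrers):
    """Count hits per engine and collect queries that use a URL operator."""
    engines, flagged = Counter(), Counter()
    for ref in referrers:
        engine, query = classify_referrer(ref)
        if engine is None:
            continue
        engines[engine] += 1
        if any(op in query.lower() for op in OPERATORS):
            flagged[query] += 1
    return engines, flagged


# Constructed sample input: Referer values modelled on the list in the post.
SAMPLE = [
    "http://www.google.com/search?q=inurl:phpmyadmin&hl=en&safe=off&start=10&sa=N",
    "http://www.google.it/search?hl=it&q=allinurl:phpnuke/modules.php?name=Search&btnG=Cerca&meta=",
    "http://it.altavista.com/web/results?itag=ody&kgs=0&kls=0&q=powered php nuke&stq=10",
    "http://www.google.com.tr/search?q=powered by phpnuke&hl=tr&start=10&sa=N",
    "-",
    "http://example.org/forum/index.php",
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Because the Referer header is set by the client, these counts describe what visitors claim about where they came from; an absent or stripped header simply falls out of the tally.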