Honeypot Compromises

Just a quick update on the status of our honeypots. Among other honeypots, we currently run one virtual honeynet with three hosts:

  • Windows XP SP 2 with open share

  • SuSE 9.1 with MySQL, Apache 2.0.49 and several web applications

  • Red Hat 8.0 with good ol' Wu-FTPd 2.6.0 and a world-writable directory


Jan Göbel maintains this honeynet as part of his diploma thesis. In April 2006 we had two compromises on these systems:

  1. SSH brute-force attack due to a weak password: the adversary obtained shell access, escalated privileges locally, then downloaded an additional SSH brute-forcer and tried to compromise further hosts. Several other tools were retrieved in a subsequent analysis.

  2. Compromise through the Horde web application: a vulnerable Horde installation was compromised and an IRC bouncer installed. The honeypot is still online; let's see what happens next...
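The first compromise is the classic pattern a honeypot operator wants to spot in the logs: a burst of failed SSH logins from one source, followed by an accepted login for one of the guessed accounts. The following detector is an added example and not part of the original post or of the honeynet's own tooling. It assumes the usual OpenSSH syslog lines ("Failed password for ..." / "Accepted password for ..."); the sample log is constructed for illustration (RFC 5737 documentation addresses, year 2006 assumed because syslog timestamps carry no year), and the threshold and window are arbitrary defaults.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in classic syslog/sshd format (not a real capture):
# one source guesses five accounts within seconds and then gets in as "guest";
# a second source fails once (typo) and then logs in normally.
SAMPLE_LOG = """\
Apr 15 02:13:01 honeypot sshd[2310]: Failed password for root from 203.0.113.7 port 4021 ssh2
Apr 15 02:13:03 honeypot sshd[2312]: Failed password for invalid user admin from 203.0.113.7 port 4022 ssh2
Apr 15 02:13:05 honeypot sshd[2314]: Failed password for invalid user test from 203.0.113.7 port 4023 ssh2
Apr 15 02:13:07 honeypot sshd[2316]: Failed password for invalid user oracle from 203.0.113.7 port 4024 ssh2
Apr 15 02:13:09 honeypot sshd[2318]: Failed password for guest from 203.0.113.7 port 4025 ssh2
Apr 15 02:13:11 honeypot sshd[2320]: Accepted password for guest from 203.0.113.7 port 4026 ssh2
Apr 15 02:40:00 honeypot sshd[2400]: Failed password for jan from 198.51.100.3 port 51000 ssh2
Apr 15 02:40:20 honeypot sshd[2402]: Accepted password for jan from 198.51.100.3 port 51001 ssh2
"""

# Matches both "Failed password for invalid user X" and "Failed/Accepted password for X".
LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line, year=2006):
    """Return a dict for an sshd auth event, or None for lines we do not care about.
    The year is an assumption: syslog timestamps do not include one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "ok": m["result"] == "Accepted", "user": m["user"], "ip": m["ip"]}


def analyze(log_text, threshold=5, window=timedelta(minutes=10)):
    """Single pass over the log.

    Returns (brute_force, likely_compromises):
      brute_force        -> {source_ip: time the failure count first reached `threshold`}
      likely_compromises -> [(source_ip, user, failures in window before the success)]
    A successful login only counts as a likely compromise when the same source
    already produced `threshold` failures inside the sliding `window`; a single
    mistyped password followed by a login is deliberately not flagged.
    """
    recent_failures = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    brute_force = {}
    likely_compromises = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent_failures[ev["ip"]]
        while q and ev["ts"] - q[0] > window:   # expire failures older than the window
            q.popleft()
        if ev["ok"]:
            if len(q) >= threshold:
                likely_compromises.append((ev["ip"], ev["user"], len(q)))
        else:
            q.append(ev["ts"])
            if len(q) >= threshold and ev["ip"] not in brute_force:
                brute_force[ev["ip"]] = ev["ts"]
    return brute_force, likely_compromises


if __name__ == "__main__":
    bf, hits = analyze(SAMPLE_LOG)
    for ip, when in bf.items():
        print(f"brute force from {ip}, threshold reached at {when}")
    for ip, user, n in hits:
        print(f"likely compromise: {ip} logged in as {user} after {n} failures")
```

The interesting signal for a honeypot is the second list, not the first: brute-force noise is constant on any Internet-facing sshd, but a success from a source that was just guessing is the moment to start the forensic clock, because the next events (privilege escalation, tool download) follow within minutes.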


Since several other web applications are running on the Linux-based honeypots, I expect further compromises in the near future. It seems that web apps are currently one of the easiest ways to compromise a network infrastructure...

Together with Simon Marechal and Frederic Raynal I wrote an article entitled "New Threats and Attacks on the World Wide Web" that discusses attack trends against these systems.

Abstract:
Ten years ago, very few networks had a firewall; today, they're ubiquitous. The newest target is the workstation: client-side attacks have increased because direct attacks on servers aren't so easy anymore. Moreover, as new defenses are raised, information flows are increasingly embedded into Web applications, making them extremely valuable as well, and, thus, the next target. This article describes some of these new threats.

@article{Holz:2006:NTA,
author = {Thorsten Holz and Simon Marechal and Frederic Raynal},
title = {New Threats and Attacks on the World Wide Web},
year = {2006},
journal = {IEEE Security \& Privacy},
volume = {4},
number = {2},
pages = {72--75},
}
