Honeypot Compromises I

Some time ago I blogged about several compromises at our honeypots deployed in Germany. Now it is time for an update and a closer look at what happened during these incidents. Today we will examine the compromise of a Suse 9.1 honeypot with a vulnerable Horde Framework. The attacker installed several scripts on the honeypot and also tried to set up a phishing web site.

Motivation:
On May 5th 2006 our Suse 9.1-based honeypot was attacked and successfully compromised through a vulnerable web application, the Horde Application Framework. The vulnerability could be exploited by a remote attacker to execute arbitrary commands with the privileges of the running Apache webserver process. The flaw is due to an input validation error in the help viewer of the application. The vulnerability was first discovered in March 2006 and affects all Horde Application Framework versions prior to 3.1.1.

The full analysis was written by Jan Göbel during his thesis work.
