Summarized Honeypot Compromises

The last few blog posts described several honeypot compromises in detail. In total, seven honeypots were compromised in the first half of 2006 (the compromises analysed in Jan Göbel's diploma thesis). The following table summarizes these incidents, together with a brief description of what the attacker did on each system:

 #   Operating system   Vulnerability used   Actions after compromise
 1   Red Hat 8.0        weak password        SSH scans
 2   Suse 9.1           web application      IRC proxy installation
 3   Red Hat 8.0        web application      phishing / scanning
 4   Suse 9.1           web application      phishing
 5   Red Hat .0         weak password        user-space IRC bot
 6   Red Hat 8.0        weak password        phishing
 7   Suse 9.1           web application      none


The attack vectors used to compromise these honeypots were either weak passwords (found by SSH brute-force scans) or vulnerable web applications. None of the operating-system vulnerabilities present in these rather old Linux distributions were used. In the future, we will examine the threat posed by web applications in more detail, focusing mainly on phpMyAdmin and XMLRPC. So stay tuned for further reports :-)
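Three of the seven compromises above started with an SSH brute-force scan that guessed a weak password. The following script is an added example, not code from the original post or from the thesis, showing how such a compromise looks in sshd's syslog output and how to pick it out: it parses the "Failed password" / "Accepted password" lines, flags a source that produces a burst of failures inside a short window, and reports an accepted login from a flagged source within a grace period as a probable compromise. The log lines are constructed for the example (the hostname honey1, the addresses and the usernames are made up), and the thresholds are assumptions to be tuned per site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of sshd syslog lines (not a real capture). Older OpenSSH
# wrote "illegal user", newer versions write "invalid user"; both are handled.
SAMPLE_LOG = """\
Mar 14 02:11:03 honey1 sshd[2311]: Failed password for root from 10.0.0.77 port 51231 ssh2
Mar 14 02:11:05 honey1 sshd[2313]: Failed password for root from 10.0.0.77 port 51240 ssh2
Mar 14 02:11:06 honey1 sshd[2315]: Failed password for illegal user admin from 10.0.0.77 port 51244 ssh2
Mar 14 02:11:08 honey1 sshd[2317]: Failed password for illegal user test from 10.0.0.77 port 51250 ssh2
Mar 14 02:11:10 honey1 sshd[2319]: Failed password for illegal user guest from 10.0.0.77 port 51255 ssh2
Mar 14 02:11:12 honey1 sshd[2321]: Accepted password for test from 10.0.0.77 port 51261 ssh2
Mar 14 02:30:00 honey1 sshd[2400]: Failed password for jan from 192.168.1.5 port 40000 ssh2
Mar 14 02:35:00 honey1 sshd[2402]: Accepted password for jan from 192.168.1.5 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:illegal user |invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse(log_text):
    """Yield (timestamp, result, user, ip) for every sshd password event."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a password event, or a format this example does not know
        # syslog timestamps carry no year; only differences between them are used,
        # so a year rollover inside one file would be a (known) edge case here.
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        yield ts, m["result"], m["user"], m["ip"]


def detect(log_text, threshold=5, window=timedelta(seconds=60), grace=timedelta(minutes=10)):
    """Return brute-forcing sources and the logins that probably succeeded by guessing.

    threshold: failures from one source inside `window` that mark it as brute-forcing
    grace:     how long after being flagged an accepted login still counts as a guess
    """
    recent = defaultdict(deque)     # ip -> failure timestamps still inside the window
    tried = defaultdict(set)        # ip -> usernames that source tried
    flagged_at = {}                 # ip -> time the source crossed the threshold
    compromised = []                # (ip, user, timestamp) of accepted logins after a burst

    for ts, result, user, ip in parse(log_text):
        if result == "Failed":
            q = recent[ip]
            q.append(ts)
            tried[ip].add(user)
            while q and ts - q[0] > window:   # slide the window forward
                q.popleft()
            if len(q) >= threshold and ip not in flagged_at:
                flagged_at[ip] = ts
        elif ip in flagged_at and ts - flagged_at[ip] <= grace:
            compromised.append((ip, user, ts.strftime("%b %d %H:%M:%S")))

    return {
        "brute_force": {ip: sorted(tried[ip]) for ip in flagged_at},
        "compromised": compromised,
    }


if __name__ == "__main__":
    for ip, users in detect(SAMPLE_LOG)["brute_force"].items():
        print(f"brute force from {ip}, usernames tried: {', '.join(users)}")
    for ip, user, when in detect(SAMPLE_LOG)["compromised"]:
        print(f"probable compromise: {user}@{ip} accepted at {when}")
```

The single failed login from 192.168.1.5 followed by a success is what a legitimate user mistyping a password looks like and is not reported; the burst from 10.0.0.77 cycling through root, admin, test and guest followed by an accepted login for test is the pattern that preceded compromises 1, 5 and 6. Raising the threshold or shortening the window trades missed slow scans for fewer false alarms, which is why both are parameters.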


Comments


  1. Jim Voorhees says:

    Fascinating. You would think that the OS vulnerabilities would be the low-hanging fruit. But no, it seems to be at the application layer and "Layer 8." Why? Are OSs in general becoming secure enough that the bad guys have to look elsewhere? Or has the switch in the bad guys' motives from glory to gold led them to focus their attacks on web sites? Is there more money to be had there?

  2. Thorsten Holz says:

    I think we still see the OS vulnerabilities (I should blog more about MS06-040...), but these vulnerabilities are more used in the area of bots & botnets. This is also a lucrative area - with bots an attacker can easily make a couple of hundred dollars.

    For semi-automated or manual attacks I think we see the shift towards the application layer and "Layer 8". This is where attackers can also make some money; at least phishing and other kinds of social engineering seem to be attractive.

