CSAM: Web Honeypot Logs

Published: 2013-10-03
Last Updated: 2013-10-03 19:10:02 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

Today's logs come from a honeypot. The fun part about honeypots is that you don't have to worry about filtering out "normal" logs. Usually I check the honeypot for anything new and interesting first, then look on my real web server to figure out if I see similar attacks. In the real web server, these attack would otherwise drown in the noise.

SSL Conection to a web server not supporting SSL

Invalid method in request \x80w\x01\x03\x01

The first few bytes of the request are interpreted as the method of the request. If SSL is used by the client, but the server "doesn't get it", then the server will just log the first few bytes of the SSL message. In this case, this was \x80w\x01\x03\x01

Odd URLs

File does not exist: /var/www/HNAP1

Frequently you will find attack scripts that try to "hunt" for a particular vulnerability, wether or not you even have the application installed. This is in part behind our 404 project. Above, the attacker looked for "HNAP1", which appears to be vulnerable in some routers (see http://www.cathaycenturies.com/blog/?p=643 for more details about this particular vulnerability.

Odd User Agents

Mozilla/3.0 (compatible; Indy Library)
Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) Havij

The first one "Indy Libary" is a standard library used in many web attack tools. The second one is old favorite nmap and the last one is Havij, a script kiddie SQL injection tool (not seeing it as much as I used to). In pretty much all cases it is easy to change the user agent, but most attackers don't bother to.

Sometimes the user agent string itself is the attack. like in this log:

"GET /rssfeed.xml HTTP/1.1" 200 5162 "-" "><script>alert('XSSUserAgent')</script>" "-"

The attacker may hope that the user agent is echoed back to the administrator as part of an admin interface.

Standard SQL Injection Strings

GET /diary.php?storyid=999999.9+union+all+select+0x31303235343830303536--
GET /diary.php?storyid=1480%27
GET /diary.php?storyid=1480+and+1%3D1

Many SQL injection attack tools use similar techniques. The examples above are from Havij. Typically the attacker will try to insted single quotes (%27) or try to issue UNION requests with random parameters to be able to identify any data that may come back. For the union requests, you will see the attack starting with one column and work its way up as the attacker attempts to figure out how many columns your query returns.

Cross Site Scripting

here is a typical XSS attempt:

GET /diary.html?storyid=\"><script>alert(13377331)</script> HTTP/1.0"

Not much obfuscation here. Just a pretty plain XSS attempt. 


Johannes B. Ullrich, Ph.D.
SANS Technology Institute

0 comment(s)


Diary Archives