Honeypots mailing list archives

Re: Google Hack Honeypot v1.0 is released!


From: Ryan McGeehan <rmcgeeha () students depaul edu>
Date: Tue, 15 Feb 2005 13:52:29 -0600

"Are you putting up handcrafted webpages that match the criteria identified in a GHDB signature, and render them using PHP for logging purposes?"

Yes, GHH outputs the HTML to match a GHDB signature. GHH then logs the headers sent by the browser such as the referrer, and runs some logic to determine what search engine and what query were used to find the honeypot. The logs reflect what obvious tactics were used, such as an exact match from the GHDB database.

"Who do you want to capture, and to what depth do you emulate the vulnerable app?"

The 7 GHH honeypots released are considered low interaction honeypots. For higher interaction honeypots (for example a dummy PHP shell that logs the commands used), we are currently throwing ideas around and are hoping others will become involved to develop and make suggestions.

"I mean, what I'd do if I wanted to exploit a vulnerability for which I can find exploitable sites via a search engine is script up some Perl to harvest the hits and then go off and nail them one by one. "

When your script hit GHH, it wouldn't compromise anything and your attack would be logged, with the search engine you used and the query you used too.

"If you want to find out whether someone found you using a search engine, then any hidden-ish page that resides in an untypical location and matches the signature criteria will do and it doesn't really matter whether the webpage actually looks like the vulnerable app."

So what happens when the attacker uses Google's cached feature to see if it's the real thing? They will be able to check the HTML and fingerprint the honeypot if it's poorly made. Our tool isn't foolproof but we've covered that step.

"What do those pages look like in GHH? It would be helpful if you could give examples on your site."

You're right, it would be helpful and we'll get it done soon.

"How about you automatically create the pages from the GHDB signatures? That would be much more interesting imho."

If you can figure out a way to do that without being instantly fingerprinted, then that would simply rock.

Thanks a lot for the comments :)
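The logging step described in this reply (read the Referer header, work out which search engine and which query led a visitor to the decoy page, and flag an exact match against a GHDB signature) is shown below as an added example. It is illustrative Python written for this archive page, not GHH's own PHP code; the engine list, the signature strings and the Apache combined-format log lines are constructed for the example.

```python
"""Classify honeypot hits by the search engine and query in the Referer.

Added example for the GHH discussion, not GHH's own code. The Referer
header is client-supplied and trivially forged, so the engine/query it
yields is an indicator of how the page was found, not proof of it.
"""

import re
from urllib.parse import urlsplit, parse_qs

# Hostname fragment -> (engine label, name of the query parameter).
# Assumption for the example: the engines of the period used "q" or "p".
SEARCH_ENGINES = {
    "google.": ("google", "q"),
    "yahoo.": ("yahoo", "p"),
    "search.msn.": ("msn", "q"),
}

# Constructed GHDB-style signature strings (the decoy page is written to
# match them). Keys are normalised: lower case, single spaces.
SIGNATURES = {
    'intitle:"index of" inurl:admin': "ghdb-example-1",
    "inurl:phpshell.php": "ghdb-example-2",
}

# Apache combined log format: ip ident user [ts] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample hits: one from Google, one with no Referer, one from Yahoo.
SAMPLE_LOG = """\
203.0.113.5 - - [15/Feb/2005:13:52:29 -0600] "GET /admin/index.html HTTP/1.1" 200 512 "http://www.google.com/search?q=intitle%3A%22index+of%22+inurl%3Aadmin" "Mozilla/5.0"
198.51.100.7 - - [15/Feb/2005:13:55:01 -0600] "GET /admin/index.html HTTP/1.1" 200 512 "-" "curl/7.10"
192.0.2.9 - - [15/Feb/2005:14:01:12 -0600] "GET /tools/phpshell.php HTTP/1.1" 200 900 "http://search.yahoo.com/search?p=inurl%3Aphpshell.php" "Mozilla/4.0"
"""


def normalise(query):
    """Lower-case and collapse whitespace so exact-match lookup is stable."""
    return " ".join(query.lower().split())


def classify_referer(referer):
    """Return {'engine', 'query', 'signature'}; fields are None when unknown."""
    result = {"engine": None, "query": None, "signature": None}
    if not referer or referer == "-":
        return result
    parts = urlsplit(referer)
    host = parts.hostname or ""
    for fragment, (engine, param) in SEARCH_ENGINES.items():
        if fragment in host:
            result["engine"] = engine
            values = parse_qs(parts.query).get(param)
            if values:
                query = normalise(values[0])
                result["query"] = query
                # Only an exact, normalised match counts as "obvious GHDB use".
                result["signature"] = SIGNATURES.get(query)
            break
    return result


def analyse_log(text):
    """Parse combined-format log lines and attach the Referer classification."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the honeypot log
        req = m.group("req").split()
        path = req[1] if len(req) >= 2 else m.group("req")
        record = {"ip": m.group("ip"), "path": path, "ts": m.group("ts")}
        record.update(classify_referer(m.group("ref")))
        hits.append(record)
    return hits


if __name__ == "__main__":
    for hit in analyse_log(SAMPLE_LOG):
        print(hit)
```

Run on the constructed log, the first and third hits are attributed to Google and Yahoo with their GHDB queries recovered and matched, while the Referer-less curl request is recorded as a hit with no engine, which is exactly the distinction the reply describes between a visitor who arrived through a search and one who did not.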

