Message Board

Installing Honey Pots

Older Posts ]   [ Newer Posts ]
 honeypot names
Author: D.Morgan4   (30 Mar 10 5:13pm)
is it ok to name my honeypot 'prx2.php' or would that cause problems
(currently getting lots of '404's from proxey sniffers lookingfor prx2.php?some long hash)
 
 Re: honeypot names
Author: A.Degives Mas   (20 Apr 10 5:22am)
Not sure why you think that's a problem, but when you register your script you can choose between a preselected name or one that you pick yourself, here:

http://projecthoneypot.org/manage_honey_pots.php

Perhaps what you're thinking is that by picking a name that gets a lot of traffic you'll get more exposure of your script to the baddies, but I suspect that's only marginally true in your case, as proxy sniffers usually don't care much about the content of a page (script generated or not) but rather look for a specific server response.

So, putting a page there generated by your honeypot will get a bunch of hits, but unless those sniffers after finding your page there go and "tip off" some unsavory email address scraping buddies, I don't think you'll necessarily boost your chances of making a good catch.

The trick is to embed links to your script surreptitiously throughout your site, and then let "regular" page scrapers trip straight into your honeypot. Like hard-core old-school fishing, it's a game of patience. Lots of it.
 
 Re: honeypot names
Author: L.King   (20 Apr 10 8:37am)
Good thought, but I would suggest that the probes you are getting on 'prx2.php' are transitory. The last 2 days spiders have been looking for 'Joomla' files. They seem to not be looking for SQL files anymore.

On the other hand, my honeypot still is getting one or two visits a day from the links hidden in my normal html pages. (or links in others pages).

Post Edited (20 Apr 10 8:38am)
 
 Re: honeypot names
Author: D.Morgan4   (20 Apr 10 5:32pm)
I was just looking at ways of reducing the amount of false 404 errors cluttering up my logs.

the fishing for other php files (webmin, etc.) is no problem, that is why I have fail2ban installed :-)

I ended up writing my own prx2.php that does a 301 re-direct to 127.0.0.1 ... unless someone has a better idea where to send them ...

Dave

Post Edited (20 Apr 10 5:35pm)



do not follow this link

Privacy Policy | Terms of Use | About Project Honey Pot | FAQ | Cloudflare Site Protection | Contact Us

Copyright © 2004–17, Unspam Technologies, Inc. All rights reserved.

contact | wiki | email