Message Board

Newbie/Basic Questions

PHPot against "GET /*/*.php attacks?

Author: T.Wennekers (18 Jun 07 8:38am)

Hi

I installed a honeypot a couple of days ago. For a second or so I thought it might be a good idea to put links in those files frequently targeted by attackers like
mysql/main.php
phpmyadmin/main.php
... see your server logs for more ...

However, attacks to those sites would hardly be to harvest email addresses and therefore would not be exploitable by PHPot within the standard approach.

Nonetheless: Everybody attacking these locations from outside is almost certainly a possible intruder with a very low false alarm rate; most of these files and services I (as others) haven't even installed ...

Wouldn't it make sense for Projekt Honeypot to also collect information from (specialised) scripts waiting for the bad boyz in these locations? After all, every cracked server is a potential spam mailer.

Best wishes
Thomas

Re: PHPot against "GET /*/*.php attacks?

Author: M.Prince (20 Jun 07 12:45pm)

Assuming you're unlikely to have any human visitors mistyping your URLs, it probably can't hurt to point *.php pages at your honey pot. Just visiting the honey pot will get an IP in our database. If the IP hits enough distinct honey pots in a short enough period of time, we will mark it suspicious.

Along similar lines, one of the alpha features of the http:BL Apache module that we're playing with is a way to allow web admins to automatically report the 404s they receive back to Project Honey Pot. Our thought was, similar to yours, that we could find the IPs that were looking for exploits. Gathering that data and sharing it can keep malicious computers off sites.

Thanks for your help!