 PHP include exploit
Author: J.Stevens4   (20 Apr 08 6:20pm)
After seeing quite a few attacks for PHP based include vulnerabilities showing up in my logs I decided to install the PHP Honeypot from http://www.digitaldawgpound.org/nick84/post=113

I've done some tweaks to the code to store the hack attempts in a mysql database. You can view my hacker log at http://www.fluoromoly.com/honey/code/hackers_view.php

I'm planning to do a bit more coding on this to make it better and more user friendly. However, i'm wondering if Project Honey Pot has any plans to add this type of monitoring to its code??
 
 Re: PHP include exploit
Author: W.Waisse   (30 Mar 09 10:23pm)
I'd love it if projecthoneypot added this kind of feature . . .

I'm currently detecting them with some kind of awful regexp like:

/mylogwatch.sh | grep -e '=http' -e'=ftp' -e'babycaleb' | grep -v 'images.google' | grep -v 'piwik.php' | grep -v 'dewplayer' | grep -v 'translate' | grep -v 'piwik'

The regexp is awful but detects thousands of hits of this kind each day . . . without dropping hundreds of IP addresses each day my servers would be overloaded.

I call this log spamming or bandwidth spamming ;(

It would be great if projecthoneypot gave us something (better than my awful regexp ;) to detect them and added this data to the projecthoneypot http:bl
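As an added example (not code from this post or from Project Honey Pot), the same detection idea as a small Python script: it parses Apache combined-log lines, decodes each query-string parameter and flags requests whose parameter value points at a remote http/ftp URL, skipping an allowlist of scripts that legitimately carry URLs (piwik.php, as in the grep above). The log lines, IP addresses and hostnames are constructed; the threshold in offenders() is an assumption.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample Apache combined-log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [30/Mar/2009:22:01:14 +0000] "GET /index.php?page=http://example.invalid/evil.txt? HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [30/Mar/2009:22:01:15 +0000] "GET /index.php?page=ftp://example.invalid/shell.txt HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.4 - - [30/Mar/2009:22:02:00 +0000] "GET /piwik.php?url=http%3A%2F%2Fexample.org%2F HTTP/1.1" 200 43 "-" "Mozilla/5.0"
198.51.100.4 - - [30/Mar/2009:22:02:30 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.9 - - [30/Mar/2009:22:03:10 +0000] "GET /index.php?page=%68%74%74%70://example.invalid/x.txt HTTP/1.1" 200 512 "-" "libwww-perl/5.8"
"""

# Minimal combined-log parser: client IP, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# Scripts known to carry URLs in their query string for legitimate reasons.
ALLOWLIST_PATHS = {"/piwik.php"}
REMOTE_URL = re.compile(r'^(https?|ftp)://')

def rfi_params(target):
    """Return (name, value) pairs whose decoded value is a remote URL."""
    parts = urlsplit(target)
    if parts.path in ALLOWLIST_PATHS:
        return []
    hits = []
    # parse_qsl already percent-decodes once; unquote again to catch
    # double-encoded values such as %2568%2574...
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        decoded = unquote(value).strip().lower()
        if REMOTE_URL.match(decoded):
            hits.append((name, decoded))
    return hits

def scan(log_text):
    """Count, per client IP, the requests carrying a remote-URL parameter."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and rfi_params(m.group("target")):
            hits[m.group("ip")] += 1
    return hits

def offenders(hits, threshold=2):
    """IPs at or above the threshold, most active first (candidates to block)."""
    return [ip for ip, n in hits.most_common() if n >= threshold]

if __name__ == "__main__":
    counts = scan(SAMPLE_LOG)
    for ip, n in counts.most_common():
        print(f"{ip}\t{n}")
    print("block candidates:", offenders(counts))
```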
 
 Re: PHP include exploit
Author: G.Pine   (3 Apr 09 5:27pm)
Mmm nice! I just joined Honeypot. I'd love to see this functionality available. Currently I just pore through my visitor logs trying to manually figure out where they're from and what they're doing (I suck at coding -- so inclusion of such a feature would be a nice benefit).
 
 Re: PHP include exploit
Author: H.Chestwig   (6 Apr 09 10:27am)
<laughs> Well, it's more properly the job of isc.sans.org, but if ProjectHoneypot has the resources to track the skiddies & botnets as well as spammers, more power to them!

Don't forget though, roughly 50% of these attacks are coming from people's subverted home PCs that are part of one of the botnets, and they have NO clue that they're infected. The other half are coming from toxic servers in various countries. A lot of the botnets are running old data (the domains that the 'babycaleb' attacks try to include from are all dead) so they're already effectively neutered.

I was tracking them for a while, but my logs were getting so large that I finally gave up and simply blocked them all on our shared Apache host with some simple & elegant .htaccess code that I'd found and cobbled together. All of their attacks now drop into the bit bucket.
