Archive for May, 2010

I’m back again after being sick for a few days (more than I expected), so I’m sorry but I have had no chance to write a single post.

Today I would like to share with you my first impressions of Glastopf. Glastopf is a truly interesting honeypot project, but I wasn't sure that it would report any attack because I thought that my honeypot server wasn't interesting enough for hackers (even though Glastopf uses a Google dork list to provide more attack vectors).

According to the logs PHPMyAdmin is an interesting target. The attacker tried to get access to the following:

  • /phpMyAdmin/scripts/setup.php
  • /phpmyadmin/scripts/setup.php
  • /phpmyadmin/config/config.inc.php?p=phpinfo();
  • /pma/config/config.inc.php?p=phpinfo();
  • /phpmyadmin/config/config.inc.php?p=phpinfo();
  • /php-my-admin/config/config.inc.php?p=phpinfo();
  • /phpMyAdmin/config/config.inc.php?p=phpinfo();
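The request list above can be turned into a small log classifier. This is an added example, not part of the original post or of Glastopf; it assumes Apache-style access log lines, and the sample lines, addresses and label names are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, unquote, parse_qsl

# Directory aliases and script paths taken from the request list in the post.
PMA_DIRS = {"phpmyadmin", "pma", "php-my-admin"}
# Assumed log layout: client address, two fields, [timestamp], "METHOD target ...".
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*"')
CODE_RE = re.compile(r"\b[a-z_][a-z0-9_]*\s*\(", re.I)  # value looks like a PHP call


def classify(target):
    """Return a probe label for a request target, or None if it is unrelated."""
    parts = urlsplit(target)
    segments = [s for s in unquote(parts.path).lower().split("/") if s]
    if len(segments) < 2 or segments[0] not in PMA_DIRS:
        return None
    tail = "/".join(segments[1:])
    if tail == "scripts/setup.php":
        return "setup-script-probe"
    if tail == "config/config.inc.php":
        # parse_qsl percent-decodes values, so encoded variants are caught too.
        values = [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
        if any(CODE_RE.search(v) for v in values):
            return "config-code-eval-probe"
        return "config-file-probe"
    return None


def summarize(lines):
    """Map each source address to the sorted probe labels it triggered."""
    hits = defaultdict(set)
    for line in lines:
        m = REQUEST_RE.match(line)
        if m and (label := classify(m.group(3))):
            hits[m.group(1)].add(label)
    return {ip: sorted(labels) for ip, labels in hits.items()}


# Constructed sample lines using documentation addresses, not real honeypot output.
SAMPLE_LOG = [
    '192.0.2.10 - - [20/May/2010:10:01:02 +0200] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 208',
    '192.0.2.10 - - [20/May/2010:10:01:03 +0200] "GET /pma/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 208',
    '198.51.100.7 - - [20/May/2010:10:05:00 +0200] "GET /php-my-admin/config/config.inc.php?p=phpinfo%28%29%3B HTTP/1.1" 404 208',
    '198.51.100.9 - - [20/May/2010:10:06:00 +0200] "GET /index.php HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for ip, labels in summarize(SAMPLE_LOG).items():
        print(ip, ", ".join(labels))
```

Matching on the lower-cased first path segment is what lets one rule cover the `phpMyAdmin`, `phpmyadmin`, `pma` and `php-my-admin` variants seen in the log.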

I will keep watching the logs and I will inform you of any interesting attack. I recommend reading Andrew Waite’s post about Glastopf.

P.S: Spanish is my mother tongue so forgive me for my mistakes!




According to my Amun logs, the most exploited vulnerabilities are DCOM and MS08-067, so I’ve decided to change my honeypot’s configuration file (amun.conf).

I’ve forced my honeypot to look like a Windows machine and so I’ve disabled all but the following vuln_modules:

  • vuln-ms08067
  • vuln-dcom
  • vuln-lsass

Now only ports 80 (Glastopf), 135 and 445 (Amun) are open to the public.

Amun has successfully downloaded 39 malware files in 6 days, and this is my first analysis:

  • 70% of the malware has its origin in a DCOM vulnerability.
  • 66% of the malware is detected as a virus by Clam Antivirus.
  • Trojan SDBot is the most frequent malware found, followed by W32-Virut.
  • According to my logs, the three leading countries (malware source) are: France, United States and Ukraine.

I am really having fun with Amun!


Now that Amun is running and collecting malware, it’s time for Glastopf to emulate web application vulnerabilities. Developed by Lukas Rist, Glastopf collects information about web application-based attacks such as remote file inclusion, SQL injection, and local file inclusion attacks.

It is very easy to install and configure following the instructions available in Glastopf’s wiki. I am trying to write an init.d script but right now my Debian machine is running Glastopf and I will see how it behaves.

Happy week-end!


Amun Statistics

Andrew Waite from Infosanity.co.uk has developed several useful scripts to generate statistics for Honeyd and Nepenthes. I have developed amun_submissions_stats.py to generate similar statistics for Amun Honeypot; you can download it from here.

I am not a good Python developer, so I’ve done my best to modify Andrew’s script for Nepenthes (submissions2stats.py). Here is a sample output from my honeypot:


In order to use it correctly you will need the Python GeoIP library (apt-get install python-geoip). I will improve it in the coming weeks. If you find any errors or you find it useful, your post will be welcome! 🙂

Updated: Follow these instructions if you want to keep GeoIP database updated

Updated: PDF was not a good storage option for this script, so now Andrew Waite is hosting the file (Thanks!)


Installing Amun Honeypot is quite straightforward. In my case I am using a Debian Lenny 5.0 box as a honeypot. I followed these simple steps:

  1. Download Amun Honeypot from Sourceforge.net
  2. Move amun-v0.1.9.tar.gz to a directory (in my case I have used /opt)
  3. Unzip the file using tar xvfz amun-v0.1.9.tar.gz
  4. Get into /opt/amun
  5. Be sure to install Python and Python Psyco before starting the service (apt-get install python python-psyco)
  6. Start the service with ./amun_server.py and you’re done!

If you want to create a service to start or stop Amun I have written an init script for Debian that you can download. Don’t forget to change its permissions with chmod 755 /etc/init.d/amun and install it with update-rc.d amun defaults


After reading Jan Göbel’s technical report about Amun Honeypot I was so impressed that I decided to test it immediately in my lab at home.

I am very interested in honeypots and in my opinion Amun is a great tool for those who want to develop new vulnerabilities thanks to its modular design. Amun allows you to emulate new vulnerable services using XML files which are converted to Python code.

I recommend reading the technical report, and I will share with you my own experiences as a newbie. Happy honeypotting!
