The development of the webhoneypot is back in swing again. We are aiming for May 15th as the release date for a beta version. A cool new feature that was committed recently is the ability to “emulate” RFI vulnerabilities.
How does it work? (The idea is taken from the glastopf project.)
- When a possible RFI attempt has been found, the respective file is fetched.
- The file is parsed line by line and, if certain patterns are recognized, predefined text is output.
This method is based on the observation that most (automated) RFI attempts begin by including a basic script that outputs system information (OS version, PHP version, etc.). The emulation tries to detect these cases and produce output that looks realistic enough that the next stage of the RFI is triggered.
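To make the two steps concrete, here is an added example (not the webhoneypot's or glastopf's own code) of the same idea in Python: `find_rfi_attempt` spots a query parameter carrying an absolute URL, and `emulate` walks an already-fetched file line by line and answers recognised probe lines with canned text. The rule table, the canned values and the `SAMPLE_PROBE` file are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlparse

# Probe patterns -> canned output. The canned values are constructed placeholders,
# not the webhoneypot's own response table. A rule with None as its output
# reflects the quoted marker string that the probe echoes to confirm execution.
EMULATION_RULES = [
    (re.compile(r"phpinfo\s*\("), "PHP Version 5.2.6"),
    (re.compile(r"php_uname\s*\("), "Linux www 2.6.26-2-686 #1 SMP i686"),
    (re.compile(r"""echo\s+["']([^"']+)["']"""), None),
]


def find_rfi_attempt(request_uri):
    """Return (parameter, url) for the first query parameter whose value is an
    absolute http/https/ftp URL, i.e. a possible remote file inclusion attempt."""
    for name, values in parse_qs(urlparse(request_uri).query).items():
        for value in values:
            if re.match(r"(https?|ftp)://", value, re.IGNORECASE):
                return name, value
    return None


def emulate(script_text):
    """Walk the fetched file line by line; for every recognised probe line emit
    the predefined text (or the echoed marker) that the script expects to see."""
    output = []
    for line in script_text.splitlines():
        for pattern, canned in EMULATION_RULES:
            match = pattern.search(line)
            if match:
                output.append(canned if canned is not None else match.group(1))
    return output


# Constructed stand-in for the kind of probe file the post describes: it prints a
# marker and some system information so the attacker's tool can confirm execution.
SAMPLE_PROBE = """<?php
echo "--marker--";
echo php_uname();
phpinfo();
?>"""

if __name__ == "__main__":
    hit = find_rfi_attempt("/index.php?page=http://example.invalid/probe.txt")
    print("possible RFI attempt:", hit)
    for line in emulate(SAMPLE_PROBE):
        print(line)
```

Real probe files vary, so the rule table is the part you would grow from what your own logfile shows.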
What do you need?
Activating the emulation is rather straightforward: you only need to add the following two lines to your config.local file:
The prerequisites for it to function are: (a) the webserver must be able to make outbound connections, and (b) one of the following methods of fetching remote files with PHP must be enabled: the curl extension, allow_url_fopen, or sockets.
Warning! Allowing outbound connections from the webserver lessens its security considerably, so you should only do it on test machines.
PS. A bonus tip: if you set loglevel to at least 4, all requests are written to your logfile in addition to being sent to SANS. This can be useful if you yourself are interested in the attempts of the “bad guys” to compromise your security.
Picture taken from Cyron’s photostream with permission.