Webhoneypot


3319204751_0528531c5c_oIn the last couple of months I’ve been helping out with the webhoneypot project.  From the Google code website:

DShield.org is offering this honeypot for users to capture automated web application exploits. It is a very simple "semi interactive" honeypot implemented in PHP.

The core idea is the following:

  • you install it on a webserver and configure it such that all requests are routed to a single file (index.php). This can be done with something like mod_rewrite or mod_alias for Apache and similar methods for other webservers (nginx for example has a built-in rewrite statement)
  • URL’s of “vulnerable looking” web applications are served up to spiders.
  • When a URL is accessed, it is matched against a set of regular expressions and, depending on which regex matches the longest part from the string, a static file is served up. The request is captured and sent to SANS in the background

If you want to play with it, here are a couple of resources:

An automatic update mechanism for the templates is in the works, however it is not working yet. The documentation is also a little out of date, but we are working hard on refreshing it. In the future we will probably include some more emulation (the idea was taken from the Glastopf project) to elicit responses from automated RFI/LFI scanning bots. Also look forward to a tutorial on how to run it on routers running OpenWrt.

Picture taken from Tavallai’s photostream with permission.

, ,

Leave a Reply

Your email address will not be published. Required fields are marked *