In the last couple of months I’ve been helping out with the webhoneypot project. From the Google code website:
DShield.org is offering this honeypot for users to capture automated web application exploits. It is a very simple "semi interactive" honeypot implemented in PHP.
The core idea is the following:
- you install it on a webserver and configure it such that all requests are routed to a single file (index.php). This can be done with something like mod_rewrite or mod_alias for Apache and similar methods for other webservers (nginx, for example, has a built-in rewrite directive)
- URLs of "vulnerable-looking" web applications are served up to search-engine spiders.
- When a URL is accessed, it is matched against a set of regular expressions; whichever regex matches the longest part of the request string wins, and the static file associated with it is served up. The request is captured and sent to SANS in the background.
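To make the three steps concrete, here is a minimal single-file dispatcher that does the same thing. This is an added example written for this post, not the webhoneypot project's own index.php: the regex table, the template file names, the log file and the rewrite rules quoted in the comments are all assumptions for illustration, and the request is only appended to a local log rather than submitted to SANS.

```php
<?php
// Added example, not the webhoneypot project's index.php. Template regexes,
// file names and the log path are assumptions chosen for illustration.
//
// Route every request here first. Apache (.htaccess):
//   RewriteEngine On
//   RewriteCond %{REQUEST_FILENAME} !-f
//   RewriteRule ^ index.php [L]
// nginx:
//   location / { rewrite ^ /index.php last; }

declare(strict_types=1);

// Hypothetical template table: regex over the request path => static file.
const TEMPLATES = [
    '#/phpmyadmin/?#i'                   => 'templates/phpmyadmin_login.html',
    '#/phpmyadmin/scripts/setup\.php#i'  => 'templates/phpmyadmin_setup.html',
    '#/wp-login\.php#i'                  => 'templates/wp_login.html',
    '#/admin/?#i'                        => 'templates/admin_login.html',
];
const DEFAULT_TEMPLATE = 'templates/default.html';
const LOG_FILE = __DIR__ . '/requests.log';

/**
 * Pick the template whose regex matches the longest part of the path.
 * For "/phpmyadmin/scripts/setup.php" both phpMyAdmin regexes match, but the
 * setup.php one covers more of the string, so it wins.
 * Returns [regex, file, matched_text] or null when nothing matched.
 */
function select_template(string $path, array $templates): ?array
{
    $best = null;
    $bestLen = -1;
    foreach ($templates as $regex => $file) {
        if (preg_match($regex, $path, $m) === 1) {
            $len = strlen($m[0]);
            if ($len > $bestLen) {
                $bestLen = $len;
                $best = [$regex, $file, $m[0]];
            }
        }
    }
    return $best;
}

/** Append one JSON line describing the request to the local log (stand-in for the upload to SANS). */
function log_request(array $server, string $body, string $logFile): void
{
    $record = [
        'ts'     => gmdate('c'),
        'src'    => $server['REMOTE_ADDR'] ?? '',
        'method' => $server['REQUEST_METHOD'] ?? '',
        'uri'    => $server['REQUEST_URI'] ?? '',
        'ua'     => $server['HTTP_USER_AGENT'] ?? '',
        'body'   => $body,
    ];
    file_put_contents($logFile, json_encode($record) . "\n", FILE_APPEND | LOCK_EX);
}

// Entry point: take the URI from the web server, or from argv when run on the CLI
// (php index.php /phpmyadmin/scripts/setup.php?foo=bar).
$cli = PHP_SAPI === 'cli';
$uri = $cli ? ($argv[1] ?? '/') : ($_SERVER['REQUEST_URI'] ?? '/');
$path = parse_url($uri, PHP_URL_PATH);
if (!is_string($path)) {
    $path = '/';
}

$choice = select_template($path, TEMPLATES);
$file = $choice[1] ?? DEFAULT_TEMPLATE;

$server = $cli
    ? ['REQUEST_URI' => $uri, 'REMOTE_ADDR' => '127.0.0.1', 'REQUEST_METHOD' => 'GET']
    : $_SERVER;
log_request($server, (string) file_get_contents('php://input'), LOG_FILE);

// Serve the chosen file as static content. It is deliberately read with
// readfile() and never include()d: the honeypot must not turn its own
// template directory into a code-execution path.
if (is_file($file)) {
    readfile($file);
} else {
    echo '<html><body>Matched: ', htmlspecialchars($choice[0] ?? 'nothing'), "</body></html>\n";
}
```

The "longest match wins" rule is what lets a general login-page regex coexist with a more specific one for a particular script path: the specific template is served whenever the request string contains the longer pattern, and the general one acts as a fallback for everything else under that prefix.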
If you want to play with it, here are a couple of resources:
- The Google Code site, including the source repository (currently it is recommended to run the SVN trunk, until we get some stable releases out)
- The Webhoneypot Google site
- The #webhoneypot channel on irc.freenode.net
An automatic update mechanism for the templates is in the works, but it is not working yet. The documentation is also a little out of date, but we are working hard on refreshing it. In the future we will probably include some more emulation (the idea was taken from the Glastopf project) to elicit responses from automated RFI/LFI scanning bots. Also look forward to a tutorial on how to run it on routers running OpenWrt.
Picture taken from Tavallai’s photostream with permission.