
SANS ISC: Webhoneypot fun - SANS Internet Storm Center


Webhoneypot fun

37 days ago the DShield webhoneypot project released the first alpha of the code. I hadn't had much time to play with it yet, but one of our readers had a problem with his submissions, so I figured I'd better get my hands dirty. Another reason is that there seems to be a lot of malicious web traffic around at the moment and I wanted to capture some of it.

So here is a quick rundown of my webhoneypot experience.

First, I logged into DShield and under "My Information" entered the honeypot URL and ticked the "Honeypot is Active" option.

Next, grab the code. It is hosted on Google and can be obtained here. The site has install information, and several releases are available: the raw code, a Debian package and a Mac OS X package. Looking at the install instructions I decided to go with the Debian package. (Now before you chuckle, it was because I only had about 15 minutes to get it done and, like many time-poor people, I like shortcuts. It was not because the install instructions are poor. In fact, quite the opposite.)

So I built a new Debian 5 VM in VirtualBox, which was straightforward. I installed only a very minimal system with Apache and PHP5. About 10 minutes gone.

After grabbing the deb file I installed it using the "Installation with a Debian Package" instructions, which took about 3 seconds. It asks which port number you would like to use, sets up the relevant start jobs and so on. In short, it does pretty much everything for you. Once this step is complete you have a honeypot running on the machine; all that is left is to edit /opt/webhoneypot/etc/config.local and enter your DShield userid (which is your email address) and password, as userid=yourdshieldemailaddress and password=thepasswordfortheuserid (do not put " around the values).

The final step is to open a browser and go to the web page. When you hit the page you will get a message along the lines of "Check logfile for hashpassword". This verifies that you have successfully connected to DShield. Replace the password=thepasswordfortheuserid line with the hashpassword=738abc..... parameter from the log file and you are good to go. Do this promptly, since until then config.local holds your DShield password in clear text; either way, the file should be readable only by the account the honeypot runs as.

Revisit the web page with, for example, a robots.txt request and you will get a response. Look in the log file /opt/webhoneypot/logs/honey.... and you will see an entry along the lines of timestamp IP-Address Delivered Template 123. If you see that, the log line was delivered (123 is just an example; you will see different numbers).
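As an added example that is not part of the original diary or of the webhoneypot project's own code, here is a small POSIX shell script that does the two chores above: it swaps the clear-text password= line in config.local for the hashpassword= value found in the log, locks the file down to the owner, and counts the "Delivered Template" lines so you can tell whether anything has been delivered yet. It assumes the config is plain key=value lines as described above and that the log contains a line with hashpassword=<value>; the sample config and log lines at the bottom are constructed for the demo, not captured from a real honeypot, and the real log line format may differ.

```shell
#!/bin/sh
# Added example; not the DShield webhoneypot project's own code.
# Assumptions (not stated in the diary): config.local uses key=value lines,
# and the honeypot log contains a line of the form "hashpassword=<value>".
set -e

# Replace the plaintext "password=" line in a config file with the
# "hashpassword=" value taken from a log file. Prints the hash on success,
# returns 1 (and changes nothing) if the log has no hash yet.
set_hashpassword() {
    cfg="$1"
    log="$2"
    hash=$(sed -n 's/.*hashpassword=\([0-9A-Za-z][0-9A-Za-z]*\).*/\1/p' "$log" | head -n 1)
    [ -n "$hash" ] || { echo "no hashpassword in $log yet" >&2; return 1; }
    # Write to a temporary file and rename, so an interrupted run never
    # leaves a half-written config behind.
    tmp="$cfg.tmp"
    grep -v '^password=' "$cfg" > "$tmp" || true
    echo "hashpassword=$hash" >> "$tmp"
    mv "$tmp" "$cfg"
    # The file still carries a credential, so keep it owner-readable only.
    chmod 600 "$cfg"
    echo "$hash"
}

# Count log lines recording a delivered template. A zero here means nothing
# has gone through yet, so there is no point checking "My Weblogs".
count_delivered() {
    grep -c 'Delivered Template' "$1" || true
}

# Constructed sample files standing in for /opt/webhoneypot/etc/config.local
# and the honey... log (hypothetical contents, written here for the demo).
demo_dir=$(mktemp -d)
demo_cfg="$demo_dir/config.local"
demo_log="$demo_dir/honey.log"
printf 'userid=handler@example.org\npassword=secret\nport=80\n' > "$demo_cfg"
printf '%s\n' \
    '2010-04-20 11:10:02 192.168.22.10 hashpassword=738abc9f0e1d2c3b4a5968778695a4b3' \
    '2010-04-20 11:11:33 192.168.22.10 Delivered Template 123' \
    '2010-04-20 11:14:29 192.168.22.10 Delivered Template 87' > "$demo_log"

set_hashpassword "$demo_cfg" "$demo_log"
cat "$demo_cfg"
echo "delivered: $(count_delivered "$demo_log")"
rm -r "$demo_dir"
```

Point the two functions at the real config.local and honey... log once you have confirmed the log line formats on your install; if set_hashpassword reports no hash, hit the web page again first, since the hash only appears after a successful connection to DShield.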

Log into DShield again and under the "My Weblogs" tab you should see your test log entries. For example:

Time      URL                                                                 Source         Target
11:11:33  GET /robots.txt HTTP/1.1                                            192.168.22.10  202.999.999.24
11:14:29  GET /robots.txt HTTP/1.1                                            192.168.22.10  202.999.999.24
11:12:36  GET /i.php?page=http://204.2.183.2/babycaleb/picture.htm? HTTP/1.1  192.168.22.10  202.999.999.24

Total time taken: twenty minutes. Ten minutes to install an OS onto the VM, five minutes or so because I borked my VM's network connection, and a final five minutes to install and configure the honeypot.

The guys on the team have done a great job. If you have a spare IP, this is a great way to contribute. Give it a go.

Mark H - Shearwater 

For those of you who are students and think honeypots might be something you are interested in, check out the Honeynet Project Google Summer of Code page http://www.honeynet.org/gsoc.

Thanks for the quick start guide. I've been meaning to set up a webhoneypot for a couple of weeks, but this encouraged me to get off my bum and do it. 20 mins is no joke... very easy!
Anonymous
