Lately, I have been writing new labs for an update version of my DEV 422 Defending web app course. One of the labs is about log analysis, so naturally, I would want to get some really cool and neat logs for my students. As some of you may know, I help run the Web honeypot project so I have access to tons of logs but it would be much more interesting to see logs from real systems and real compromise.

I decided to setup my high interaction honeypot using a real system and lots of monitoring and limiting outbound control. My platform of choice? Windows 2000 fully unpatched box running IIS and having only port 80 exposed. I put that on a typical DSL connection and waited...

The wait was very long. At some point, I wondered if the box is even accessible so I got a few other handlers to check out accessibility for me and they have all proven that the W2K box works (fully unpatched too, unicode traversal is great for testing).

I waited and waited; 2 weeks passed by, nothing happened. My box was not compromised at all. There were a total of 8 scanning attempts but they look random and no one ever did anything harmful.

I suppose my actions raised more questions than answers,

- Does attackers stay away from the DSL ranges while scanning for web flaws? My other servers get much more scanning attempts.

- Are any bad guys scanning thru the whole Internet looking for infrastructure type of flaws anymore? Application flaws are so much more common.

Your thoughts are welcomed..... Write in to us via Email or leave us comments.

P.S. If you have cool web app compromise logs for donation, please write in via the contact form. Many thanks.

------------------------
Jason Lam,  http://twitter.com/jasonlam_sec  
https://blogs.sans.org/appsecstreetfighter/