Thursday, May 2, 2013

Luring the Bots for Fun!

Project Introduction

These days I am hosting a custom honeypot which is based on the Metasploitable VM. Unfortunately I didn't have the time to build a new one, so I based it on the Metasploitable VM. Initially, I wanted to capture all the wordlists hosted on the machines that would target me. Secondly, I wanted to make a statistical analysis of the regions which attack the most. Obviously, a honeypot situated in Greece wouldn't be a good statistical sample; however, after a month of the honeypot's "production" state, I have gathered very interesting data which I would like to share (apart from the wordlists!).

Honeypot Services

The first service built to lure the bots is SSH. This has given me a very interesting amount of data and wordlists from the brute force attacks. The SSH service by default does not log any failed login attempts. That's why I had to download the SSH source code and recompile it so that the SSH daemon would log any failed logon attempt. The altered source code (auth_passwd.c) can be found here.
The second service is HTTP. I wanted to lure any bots or blackhats (script kiddies, to be more accurate, because no serious blackhat would want to hack a useless site!) who would try to hack a web application. I uploaded to the Apache server a PHP project I had written during my first degree, which is full of vulnerabilities (in the 3rd semester no one had given me an introduction to web application security, I admit it!). In order to log the attacks I installed and configured ModSecurity as I have described in a previous article (later I found that ModSecurity can be linked with online honeypot projects! Just google it!). Unfortunately, the HTTP service has not faced any attack attempt yet, so this project did not go well!

Attacking Hosts by Region

Below is a graph of the number of attacks and the regions from which these attacks came!





I am sure that you had imagined that China would win the race easily!
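The two analyses described in this post (collecting the attempted passwords and counting attacks per region), as an added example that is not the author's code. It assumes a hypothetical log line format for the patched daemon, a constructed prefix-to-region table standing in for a GeoIP lookup, and constructed sample lines.

```python
import ipaddress
import re
from collections import Counter

# Assumed log format (hypothetical; the post does not show the patched daemon's output):
#   ... sshd[PID]: HONEYPOT failed login from <ip> user=<user> pass=<password>
# The password runs to end of line so that attempts containing spaces are kept whole.
LINE_RE = re.compile(r"sshd\[\d+\]: HONEYPOT failed login from (?P<ip>\S+) "
                     r"user=(?P<user>\S+) pass=(?P<password>.*)$")

# Constructed prefix-to-region table over RFC 5737 documentation ranges;
# a real deployment would query a GeoIP database instead.
REGIONS = {
    ipaddress.ip_network("192.0.2.0/24"): "Region-A",
    ipaddress.ip_network("198.51.100.0/24"): "Region-B",
    ipaddress.ip_network("203.0.113.0/24"): "Region-C",
}

def region_of(ip_text):
    """Map an address to a region label; 'unknown' if malformed or unmapped."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return "unknown"
    return next((r for net, r in REGIONS.items() if addr in net), "unknown")

def analyse(lines):
    """Return (attempts per region, attempted passwords with counts)."""
    per_region, wordlist = Counter(), Counter()
    for line in lines:
        m = LINE_RE.search(line.rstrip("\n"))
        if m is None:
            continue  # unrelated sshd or syslog entry
        per_region[region_of(m["ip"])] += 1
        wordlist[m["password"]] += 1
    return per_region, wordlist

# Constructed sample lines in the assumed format, plus one unrelated entry.
SAMPLE = [
    "May  2 10:00:01 hp sshd[811]: HONEYPOT failed login from 203.0.113.7 user=root pass=123456",
    "May  2 10:00:03 hp sshd[812]: HONEYPOT failed login from 203.0.113.7 user=admin pass=admin",
    "May  2 10:00:05 hp sshd[813]: HONEYPOT failed login from 198.51.100.20 user=root pass=123456",
    "May  2 10:00:07 hp sshd[814]: HONEYPOT failed login from 192.0.2.9 user=test pass=let me in",
    "May  2 10:00:09 hp sshd[815]: Accepted publickey for ops from 192.0.2.50 port 50022 ssh2",
    "May  2 10:00:11 hp sshd[816]: HONEYPOT failed login from not-an-ip user=root pass=toor",
]

if __name__ == "__main__":
    regions, words = analyse(SAMPLE)
    print(regions.most_common(), words.most_common())
```

Captured passwords are attacker-controlled strings, so escape them before rendering them in a terminal or a web page.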


Conclusion

In the near future I am looking to add more services to my honeypot, so stay tuned for future posts!
And remember: The bots are out there! (like X-Files motto? :p)