Catching Flies with Honey
June 23, 2006
Don't deny it. There's a certain enjoyment in watching crooks futilely attempt to get their claws into your network. A pity all that effort is for naught. Nonetheless, their loss -- to use an overworked cliché -- is your gain.
Honeypots are systems that are purposely inviting to hackers but are essentially secured sandboxes that are walled off from the network and monitored (hopefully). Though many organizations would be reluctant to leave any system open to attack, for others, deploying a honeypot can lead to a treasure trove of hacker know-how.
Security-minded techies might get a chuckle out of perusing their logs, but the fun stuff is in discovering what vulnerabilities attackers are targeting or finding out what tools botnet operators are attempting to drop on unsuspecting machines these days.
And as some AO members have discovered, these tools can range from something rather crude to sophisticated little nuggets of code that slurp, sift and relay data in ways that are in no way beneficial to their victims.
Why not take a gander at what some enterprising security pros have found while operating their honeypots? It might just inspire you to set up one of your own...
Note: Any opinions expressed below are solely those of the individual posters on the AntiOnline forums.
farmer6re9 has a question for the group...
I'm just curious if anyone out there actually runs a honeypot for pure amusement. I'm a bit of a freaky geek and do enjoy antagonizing botnets in my spare time just to see what's going on out there. And of course there are a few occasions when a real live goon pokes at my IP and the wire gets a little more heated up.
Soda_Popinsky never fails to add some life to a thread.
Here's the most activity from an attacker I've ever had. This is from a search engine honeynet. I love it when they revert to Windows commands (dir... etc) when things break down. The other things like "Target in URL" and "No Referrer" are signatures that appear from different types of requests.
"2006-02-11 22:28:29";"Target in URL;"
"2006-02-11 22:28:36";"cat /etc/passwd;"
"2006-02-16 17:18:26";"Target in URL;"
"2006-02-16 17:18:33";"ps x;"
"2006-02-16 17:18:36";"uname a;"
"2006-02-16 17:18:39";"ls a;"
"2006-02-16 17:18:43";"dir a;"
farmer6re9 chimes in again.
I am amazed at how many machines are still infected with old stuff and actively scanning subnets for new victims. I study their behavior in the hope of learning what responses quiet them down, and what excites them and attracts others from outside the subnet.
Keeping an eye on the honeypot has netted hogfly quite a collection.
I've been running a research honeynet for a few years now and have collected upwards of 50 tools at a time. I collect more logs than anyone should ever have to sift through... Oh the humanity.
Read the rest here.