important note: the name of the web honeynet project has been changed to the web honeynet task force to avoid confusion with the honeynet project.
[ warning: this post includes links to live web server malware propagated this wednesday via file inclusions exploits. these links are not safe! ]
the newly formed web honeynet project from securiteam and the isotf will in the next few months announce research on real-world web server attacks which infect web servers with:
tools, connect-back shells, bots, downloaders, malware, etc. which are all cross-platform (for web servers) and currently exploited in the wild.
the web honeynet project will, for now, not deal with the regular sql injection and xss attacks every web security expert loves so much, but just with malware and code execution attacks on web servers and hosting farms.
these attacks form botnets constructed from web servers (mainly iis and apache on linux and windows servers) and transform hosting farms/colos to attackplatforms.
most of these “tools” are being injected by (mainly) file inclusion attacks against (mainly) php web applications, as is well known and established.
php (or scripting) shells, etc. have been known for a while, as well as file inclusion (or rfi) attacks, however, mostly as something secondary and not much (if any – save for some blogs and a few mailing list posts a year ago) attention was given to the subject other than to the vulnerabilities themselves.
the bad guys currently exploit, create botnets and deface in a massive fashion and force isps and colos to combat an impossible situation where any (mainly) php application from any user can exploit entire server farms, and where the web vulnerability serves as a remote exploit to be followed by a local code execution one, or as a direct one.
what is new here is the scale, and the fact we now start engaging the bad guys on this front (which so far, they have been unchallenged on) – meaning aside for research, the web honeynet project will also release actionable data on offensive ip addresses, urls and on the tools themselves to be made availableto operational folks, so that they can mitigate the threat.
it’s long overdue that we start the escalation war with web server attackers, much like we did with spam and botnets, etc. years ago. several folks (andquite loudly – me) have been warning about this for a while, now it’s time to take action instead of talk.
note: below you can find sample statistics on some of the web honeynet project information for this last wednesday, on file inclusion attacks seeding malware.
you will likely notice most of these have been taken care of by now.
the first research on the subject (after looking into several hundred such tools) will be made public on the february edition of the virus bulletin magazine, from:
kfir damari, noam rathaus and gadi evron (yours truly).
the securiteam and isotf web honeynet project is supported by beyond security ( http://www.beyondsecurity.com )..
special thanks (so far) to: ryan carter, randy vaughn and the rest of the new members of the project.
for more information on the web honeynet project feel free to contact me.
also, thanks for yet others who helped me form this research and operations hybrid project (you know who you are).
sample report and statistics (for wednesday the 10th of january, 2007):
ip | hit count | malware (count), … |
126.96.36.199 | 12 | http://m embers.lycos.co.uk/onuhack/cmd1.do? (4),
http://m embers.lycos.co.uk/onuhack/injek.txt? (6),
http://m embers.lycos.co.uk/onuhack/cmd.do? (2),
188.8.131.52 | 11 | http://w ww.clubmusic.caucasus.net/administrator/cmd.gif? (more…)