Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Security

Building a Honeypot To Observe Shellshock Attacks In the Real World 41

Nerval's Lobster writes A look at some of the Shellshock-related reports from the past week makes it seem as if attackers are flooding networks with cyberattacks targeting the vulnerability in Bash that was disclosed last week. While the attackers haven't wholesale adopted the flaw, there have been quite a few attacks—but the reality is that attackers are treating the flaw as just one of many methods available in their tool kits. One way to get a front-row seat of what the attacks look like is to set up a honeypot. Luckily, threat intelligence firm ThreatStream released ShockPot, a version of its honeypot software with a specific flag, "is_shellshock," that captures attempts to trigger the Bash vulnerability. Setting up ShockPot on a Linux server from cloud host Linode.com is a snap. Since attackers are systematically scanning all available addresses in the IPv4 space, it's just a matter of time before someone finds a particular ShockPot machine. And that was definitely the case, as a honeypot set up by a Dice (yes, yes, we know) tech writer captured a total of seven Shellshock attack attempts out of 123 total attacks. On one hand, that's a lot for a machine no one knows anything about; on the other, it indicates that attackers haven't wholesale dumped other methods in favor of going after this particular bug. PHP was the most common attack method observed on this honeypot, with various attempts to trigger vulnerabilities in popular PHP applications and to execute malicious PHP scripts.
This discussion has been archived. No new comments can be posted.

Building a Honeypot To Observe Shellshock Attacks In the Real World

Comments Filter:
  • by Anonymous Coward on Thursday October 02, 2014 @10:47AM (#48047347)

    Well that was a waste of time to read (yeah yeah, I know...). Essence is: a vulnerable server is created, and watching logfiles of people connecting, it can be seen that people first recon the honeypot, to see if it's exploitable, and then try to exploit the shellshock vulnerability.

    Well d'oh. Was the author surprised by this? How is this different to /any/ other vulnerability? First recon, then exploit. The article sounds like it was written by somebody who's never heard of "computer security" and is trying to wrap his head around basic concepts.

    • by Anonymous Coward

      Or just trying to dumb it down for a "general" audience.

    • The article sounds like it was written by somebody who's never heard of "computer security" and is trying to wrap his head around basic concepts.

      And also someone who is presumably not running any web-servers - otherwise they'd only need to check their own web logs. I've got hosting with Bytemark [bytemark.co.uk] and DigitalOcean [digitalocean.com] and both have had a hand full shellshock attempts amongst all the usual PHP/WordPress/MySQLAdmin/whatever attempts.

      The only very moderately interesting thing I've noticed is that Shellshock attempts seem to only by IP address and not by host (I'm hosting multiple websites per VM), so presumably most shellshock-bots are just sweeping IP ran

  • my domains that have been around for 15 years get hundreds of attacks a day, over a dozen bash vulnerability probe attackers per day in the last week.

  • by Anonymous Coward

    What "popular" php apps are passing variables unsanitized to the shell?

    They are the vectors that need to be described. What software is vulnerable.

    To date I've not read a single thing that clarifies this.

    FUD

    • They seem to have problems with every other vulnerability, why would they want to leave this one out?

      Yes, that is *snark* directed against Wordpress and their history of poor security. No, I do not know if there are any actual Wordpress exploits.

    • by Anonymous Coward

      Yeah, don't bash php

      lulz

  • My home box has seen a dramatic up-tick in frequency of ssh attempts - particularly as root (even though I don't allow remote logins as root regardless of whether the password is right or not) - but the frequency of attacks via PHP and other potential shellshock vectors hasn't changed much.

    I recently had one IP address in China make over 10,000 attempts to log in as root via ssh in one morning. By comparison on the same day I saw only 109 failed attempts to load various php configuration pages.
    • by Anonymous Coward
      A simple iptable rule would throttle the rate at which you accept ssh connection would solve this problem. Why are you allowing them to hammer your server and fill your logs with crap?
      • A simple iptable rule would throttle the rate at which you accept ssh connection would solve this problem.

        That is one of many options.

        Why are you allowing them to hammer your server and fill your logs with crap?

        I find it amusing to see how hard some people will work to try to compromise my inconsequential system. I set my messages log to turn over at a very high file size now so I can see the activities more readily through only one file. Even with people attacking at this frequency they pose no real danger to my system, either by way of filling my "logs with crap" or by actually trying to get it (as a prohibited user name).

        • I find it amusing to see how hard some people will work to try to compromise my inconsequential system.

          Lol, same here. The only thing of value on my file server is the stuff I'm sharing publically anyways. When I look through my logs at all the fancy attack vectors I think to myself they'd be better off pointing a web browser at index.html, it would sure save them a lot of trouble.

          • Hell, what's yer IP?
          • by knarf ( 34928 )

            Well, no, not really. They're mostly after the server resources in the first place, to be (ab)used as spambots or DDoS drones. That is something 'pointing a web browser at index.html' will not help them with, so they try other tactics.

        • I replied directly as sarcasm, and perhaps should have added this as an addendum to the same post. I used to do the same at home where I had no concerns if a hacker was actually successful. I never gave free access like you, I was still running both tcpwrappers and an application called Netwatch (similar to fail2ban). I did log everything, and spent a good deal of time probing the people attempting to hack my stuff, tracking their traffic, etc... Partially this was a bit of morbid curiosity, partially l

          • An office environment is quite different, different actions, different tolerances, and different expectations.

            Agreed. Systems at work I keep locked down and secured much differently. At home only one system is accessible to the outside world at all, and only on two ports.

      • Duh (Score:2, Redundant)

        by s.petry ( 762400 )

        You can't advertise massive numbers if you throttle or run something like fail2ban!

    • Why do you allow anybody to connect to a port they have to business using?!?!?!?!
      My servers limit connections on port 22 to the IP-range of my ISP and my static IP from work.

      Zero unauthorized login attempts over SSH for the past years.

      • Fuck Slashdot.

        Why would you allow anybody to connect on a port they have no business using?!?!?!?!
        My servers limit connections on port 22 to the IP-range of my ISP and my static IP from work.

        Zero unauthorized login attempts over SSH for the past years.

    • by Anonymous Coward

      Geeze, you must love sifting through millions of lines of crap in your logs.

      Here, let me help you:

      $ wget http://www.snafu.priv.at/mystuff/pam_recent.c
      $ gcc -shared -fPIC -Xlinker -x -o pam_recent.so pam_recent.c -lpam

      Read the instructions on the .c file, its pretty clear cut.

      Then download and install xtables_addons and enable the TARPIT module. Load it, tweak your init scripts to modprobe it automatically on boot.

      Then, add the following to your /etc/sysconfig/iptables or equivalent, where appropriate:

      -A INP

  • by QuietLagoon ( 813062 ) on Thursday October 02, 2014 @11:05AM (#48047481)

    ...Since attackers are systematically scanning all available addresses in the IPv4 space...

    If your site is on a server that does shared (or virtual) hosting, then IP address scans will usualy not trigger shellshock from your site because your site needs to be accessed via its URL. Accesses via IP address will usually go to a main site on that server, and that main site may not have any exploitable content.

    ... On one hand, that's a lot for a machine no one knows anything about; on the other, it indicates that attackers haven't wholesale dumped other methods in favor of going after this particular bug....

    This is a straw man. Of course the bad guys are not going to walk away from all the other exploits in their toolbox. No one said they would.

    Most of the shellshock accesses I see are just scans, i.e., the bad guys are building an inventory of what hosts are vulnerable. I haven't seen too many (i.e., only a very few) attempts to take over the host.... yet.

  • If you run a web server of any kind, just grep for () in your /var/log/apache2/referer.log, and you'll see plenty of hits:
    fgrep '()' /var/log/apache2/referer.log

    ... if not, maybe you're simply running a site that is too obscure?

  • It seems like viruses and exploits are getting names like rock bands.

    I went to VirusPalooza!!! The headliners were ShellSHOCK and Heartbleed. They were great. Also saw a bunch of others: Viruses from yesteryear like Wabbit and Creeper System, awesome viruses from the '80s CyberAIDS, Festering Hate Apple ProDOS, and Ghostball, modern stars like Stuxnet and CryptoLocker, and who could forget Y2K?!?

Their idea of an offer you can't refuse is an offer... and you'd better not refuse.

Working...