major update

Added medium interaction functionality, Improved IP address detection,
Included RegEx for SIEM log parsing

README.md

@@ -0,0 +1,158 @@
+#phpMyAdmin Honeypot
+
+version 1.2 -- 3/3/2014
+greg . foss [at] logrhythm . com
+
+Probably one of the smallest and simplest honeypots out there...
+
+--------------------------------------------------
+
+#[Requirements]
+
+          You will need...
+
+          1. A web server (preferably running the current version of Apache)
+
+          2. The ability to change file permissions on the web server
+
+          3. To know at least a little HTML and PHP
+
+          4. About 30 minutes of free time
+
+          5. For automated alert generation, access to a Log Manager / SIEM is recommended
+
+--------------------------------------------------
+
+#[Installation]
+
+Medium-Interaction Version:
+          1. Upload the /phpmyadmin-interactive/ folder to the root of your web directory and change the folder name to /phpmyadmin/
+
+          2. Change the permissions on /phpmyadmin/log.txt to 700 so that the file can be written to by the web user:
+               $ chmod 700 log.txt
+
+          3. Assure that all contents of the directory are owned by the 'web user' (www-data / apache / etc.)
+               $ chown -R www-data:www-data /var/www/phpmyadmin/
+
+          4. Add the following lines to your robots.txt file (or create one in the root of your web server) so that web crawlers *won't index the /phpmyadmin/ directory but users will find it:
+               # Directories
+               Disallow: /phpmyadmin/
+               # Files
+               Disallow: /phpmyadmin/index.php
+
+          5. Change the name of the default log file (log.txt) and move it to a separate directory.
+               Update the file location within the index.php, login.php, phpinfo.php, and master-config/index.php files.
+
+          6. Modify the permitted credentials to 'acccess' the phpmyadmin landing page within login.php on the following line:
+               if (preg_match("[USERNAME, PASSWORD]", $comma_delimited_list)) {
+
+          7. Test to assure that access to each page is being logged to the 'log.txt' file.
+
+          8. Parse the logs using the included Regular Expression (below) if you would like to integrate with your SIEM / Log Management solution.
+
+          9. That's it, now just sit back and see how many flies you can catch!
+
+
+Email Version:
+          1. Upload the /phpmyadmin-email/ folder to the root of your web directory and change the name to /phpmyadmin/
+
+          2. chmod the permissions on /phpmyadmin/log.txt to 700 so that the file can be written to by the web user:
+               $ chmod 700 log.txt
+
+          3. Assure that all contents of the directory are owned by the web user (www-data / apache / etc.)
+               $ chown -R www-data:www-data /var/www/phpmyadmin/
+          
+          4. Edit index.php and replace "YOUR@EMAIL.COM" with your e-mail address. You may also want to change "YOURSITEHERE"...
+
+          5. Add the following lines to your robots.txt file (or create one in the root of your web server) so that web crawlers *won't index the /phpmyadmin/ directory but users will find it:
+               # Directories
+               Disallow: /phpmyadmin/
+               # Files
+               Disallow: /phpmyadmin/index.php
+
+          6. Download the most recent version of tectite form processor: http://www.tectite.com/. Follow the configuration instructions and modify the responses / redirects to something interesting.
+               Any form processor will work.
+
+          7. Change the file "formmail.php" to "login.php". Place this in the /phpmyadmin/ directory and test to make sure that it works…
+
+          8. That's it, now just sit back and see how many flies you can catch!
+
+
+Note - you can combine both versions of this honeypot...
+
+
+--------------------------------------------------
+
+#[LogRhythm SIEM Regular Expressions]
+
+          Flat File Path:
+               /var/www/phpmyadmin/log.txt
+
+          Catch-All RegEx:
+               .*?,\s+<sip>,(?<login>.*?),\s+(?<object>.*?),\s+(?<vmid>.*?)$|.*?_\s+<sip>\s+_\s+(?<vmid>.*?)$
+
+          Date Parsing:
+               <d>/<M>/<yy>:<h>:<m>:<s>
+
+          MPE Sub Rules:
+
+               /-----[key]-----\
+               |Name           |
+               |Rule           |
+               |Classification |
+               \---------------/
+
+               Landing Page Visit
+               vmid=phpmyadmin/index.php
+               Suspicious
+
+               Failed Login
+               login!=USERNAME && object!=PASSWORD && vmid=phpmyadmin-form
+               Attack
+
+               Successful Login
+               login=USERNAME && object=PASSWORD && vmid=phpmyadmin-form
+               Attack
+
+               System Compromise
+               vmid(regex(COMPROMISED))
+               Compromise
+
+--------------------------------------------------
+
+#[Changelog]
+
+          3/3/2014
+               Added medium interaction functionality
+               Improved IP address detection
+               Included RegEx for SIEM log parsing
+
+          10/25/2012 - Now tracking in GitHub
+
+          3/2/2011 - First release...
+
+--------------------------------------------------
+
+#[License]
+
+Copyright (c) 2014, Greg Foss
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
+* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
+* Neither the name of Greg Foss nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL <COPYRIGHT HOLDER> BE LIABLE FOR ANY
+DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+--------------------------------------------------

phpmyadmin/index.php → phpmyadmin-email/index.php

@@ -117,15 +117,31 @@
     </div>
 
 <?php
-	$page = $_SERVER['SCRIPT_FILENAME'];
-	$ipaddress = $_SERVER['REMOTE_ADDR']; 
-	$date = date ("M dS H:i:s"); 
-	$message = "$page _ $ipaddress _ $date\n"; 
-	$File = "phpmyadmin_log.txt"; 
-	$Open = fopen($File, "a+"); 
-	if ($Open){ 
-	fwrite($Open, "$message"); 
-	fclose ($Open); 
-	}
+function getRealIpAddr()
+{
+    if (!empty($_SERVER['HTTP_CLIENT_IP']))   //check ip from share internet
+    {
+      $ip=$_SERVER['HTTP_CLIENT_IP'];
+    }
+    elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR']))   //to check ip is pass from proxy
+    {
+      $ip=$_SERVER['HTTP_X_FORWARDED_FOR'];
+    }
+    else
+    {
+      $ip=$_SERVER['REMOTE_ADDR'];
+    }
+    return $ip;
+}
+$ip = getRealIpAddr();
+$date = date ("d/m/Y:H:i:s");
+$page = $_SERVER['SCRIPT_FILENAME'];
+$message = "$date _ $page _ $ip\n";
+$File = "phpmyadmin_log.txt";
+$Open = fopen($File, "a+"); 
+if ($Open){ 
+    fwrite($Open, "$message"); 
+    fclose ($Open); 
+}
 ?>
     </body></html>