Added medium interaction functionality, Improved IP address detection, Included RegEx for SIEM log parsing
Showing 32 changed files with 32,266 additions and 71 deletions.
@@ -0,0 +1,158 @@ | ||
#phpMyAdmin Honeypot | ||
|
||
version 1.2 -- 3/3/2014 | ||
greg . foss [at] logrhythm . com | ||
|
||
Probably one of the smallest and simplest honeypots out there... | ||
|
||
-------------------------------------------------- | ||
|
||
#[Requirements] | ||
|
||
You will need... | ||
|
||
1. A web server (preferably running the current version of Apache) | ||
|
||
2. The ability to change file permissions on the web server | ||
|
||
3. To know at least a little HTML and PHP | ||
|
||
4. About 30 minutes of free time | ||
|
||
5. For automated alert generation, access to a Log Manager / SIEM is recommended | ||
|
||
-------------------------------------------------- | ||
|
||
#[Installation] | ||
|
||
Medium-Interaction Version: | ||
1. Upload the /phpmyadmin-interactive/ folder to the root of your web directory and change the folder name to /phpmyadmin/ | ||
|
||
2. Change the permissions on /phpmyadmin/log.txt to 700 so that the file can be written to by the web user: | ||
$ chmod 700 log.txt | ||
|
||
3. Assure that all contents of the directory are owned by the 'web user' (www-data / apache / etc.) | ||
$ chown -R www-data:www-data /var/www/phpmyadmin/ | ||
|
||
4. Add the following lines to your robots.txt file (or create one in the root of your web server) so that web crawlers *won't index the /phpmyadmin/ directory but users will find it: | ||
# Directories | ||
Disallow: /phpmyadmin/ | ||
# Files | ||
Disallow: /phpmyadmin/index.php | ||
|
||
5. Change the name of the default log file (log.txt) and move it to a separate directory. | ||
Update the file location within the index.php, login.php, phpinfo.php, and master-config/index.php files. | ||
|
||
6. Modify the permitted credentials to 'acccess' the phpmyadmin landing page within login.php on the following line: | ||
if (preg_match("[USERNAME, PASSWORD]", $comma_delimited_list)) { | ||
|
||
7. Test to assure that access to each page is being logged to the 'log.txt' file. | ||
|
||
8. Parse the logs using the included Regular Expression (below) if you would like to integrate with your SIEM / Log Management solution. | ||
|
||
9. That's it, now just sit back and see how many flies you can catch! | ||
|
||
|
||
Email Version: | ||
1. Upload the /phpmyadmin-email/ folder to the root of your web directory and change the name to /phpmyadmin/ | ||
|
||
2. chmod the permissions on /phpmyadmin/log.txt to 700 so that the file can be written to by the web user: | ||
$ chmod 700 log.txt | ||
|
||
3. Assure that all contents of the directory are owned by the web user (www-data / apache / etc.) | ||
$ chown -R www-data:www-data /var/www/phpmyadmin/ | ||
4. Edit index.php and replace "YOUR@EMAIL.COM" with your e-mail address. You may also want to change "YOURSITEHERE"... | ||
|
||
5. Add the following lines to your robots.txt file (or create one in the root of your web server) so that web crawlers *won't index the /phpmyadmin/ directory but users will find it: | ||
# Directories | ||
Disallow: /phpmyadmin/ | ||
# Files | ||
Disallow: /phpmyadmin/index.php | ||
|
||
6. Download the most recent version of tectite form processor: http://www.tectite.com/. Follow the configuration instructions and modify the responses / redirects to something interesting. | ||
Any form processor will work. | ||
|
||
7. Change the file "formmail.php" to "login.php". Place this in the /phpmyadmin/ directory and test to make sure that it works… | ||
|
||
8. That's it, now just sit back and see how many flies you can catch! | ||
|
||
|
||
Note - you can combine both versions of this honeypot... | ||
|
||
|
||
-------------------------------------------------- | ||
|
||
#[LogRhythm SIEM Regular Expressions] | ||
|
||
Flat File Path: | ||
/var/www/phpmyadmin/log.txt | ||
|
||
Catch-All RegEx: | ||
.*?,\s+<sip>,(?<login>.*?),\s+(?<object>.*?),\s+(?<vmid>.*?)$|.*?_\s+<sip>\s+_\s+(?<vmid>.*?)$ | ||
|
||
Date Parsing: | ||
<d>/<M>/<yy>:<h>:<m>:<s> | ||
|
||
MPE Sub Rules: | ||
|
||
/-----[key]-----\ | ||
|Name | | ||
|Rule | | ||
|Classification | | ||
\---------------/ | ||
|
||
Landing Page Visit | ||
vmid=phpmyadmin/index.php | ||
Suspicious | ||
|
||
Failed Login | ||
login!=USERNAME && object!=PASSWORD && vmid=phpmyadmin-form | ||
Attack | ||
|
||
Successful Login | ||
login=USERNAME && object=PASSWORD && vmid=phpmyadmin-form | ||
Attack | ||
|
||
System Compromise | ||
vmid(regex(COMPROMISED)) | ||
Compromise | ||
|
||
-------------------------------------------------- | ||
|
||
#[Changelog] | ||
|
||
3/3/2014 | ||
Added medium interaction functionality | ||
Improved IP address detection | ||
Included RegEx for SIEM log parsing | ||
|
||
10/25/2012 - Now tracking in GitHub | ||
|
||
3/2/2011 - First release... | ||
|
||
-------------------------------------------------- | ||
|
||
#[License] | ||
|
||
Copyright (c) 2014, Greg Foss | ||
All rights reserved. | ||
|
||
Redistribution and use in source and binary forms, with or without | ||
modification, are permitted provided that the following conditions are met: | ||
* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. | ||
* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. | ||
* Neither the name of Greg Foss nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. | ||
|
||
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND | ||
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED | ||
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE | ||
DISCLAIMED. IN NO EVENT SHALL <COPYRIGHT HOLDER> BE LIABLE FOR ANY | ||
DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES | ||
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; | ||
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND | ||
ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT | ||
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS | ||
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | ||
|
||
-------------------------------------------------- |
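Review bot: the log file this README tells the operator to create sits inside the served web root, so the captured data is itself downloadable. Step 2 and step 3 place it at `/var/www/phpmyadmin/log.txt`, the SIEM section repeats that as the "Flat File Path", and the Catch-All RegEx shows each record carries `(?<login>.*?)` and `(?<object>.*?)`, i.e. the submitted username and password plus the source IP, so anyone who requests `/phpmyadmin/log.txt` can read every credential and address the honeypot has collected. Step 5 only says to "move it to a separate directory"; it should say to move it outside the document root (or deny web access to it in the Apache configuration), and the "Flat File Path" in the SIEM section should then be updated to match rather than still pointing at the in-webroot path. Two smaller points in the same hunk: `chmod 700 log.txt` sets the execute bit on a plain data file, and since step 3 chowns the tree to the web user, `600` is sufficient; and step 6 has a typo ("acccess"), while the BSD license text still contains the unfilled `<COPYRIGHT HOLDER>` placeholder, which should read the actual holder's name as in the copyright line above it.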