Krakow, April 24-25, 2010
Capturing Web Application Threats Using virtual CMS Honeypot
Saharudin Saat
Why We Do It? Which is the BEST CMS?
• UiTM currently uses Joomla, but it has too many exploits
• Current trends: PHP, Ruby, JSP, ASP
Why Honeypot?
• Capture live attacks
• Find solutions for 0-day attacks
• Hackers view the virtual honeypots as a real server (playground)
• Honeypots cannot be used as a stepping stone to do any harm (permit in, block out)
The Architecture
Tools
• Raw honeypot (VirtualBox)
• Proxy (Pound, writing logs in Apache log format)
• AWStats (log analysis)
• Snort (signatures)
• ACID BASE (reports)
• Tcpdump (record packets)
• Tcpreplay (replay recorded packets after a crash)
What’s Different?
• Enhanced AWStats error logs
• Detailed error messages based on W3C
• Custom virus and worm signatures
• Better reports
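The proxy in the architecture above writes Apache-format access logs, which is what the enhanced AWStats reporting and the per-CMS attack percentages are built on. As an added illustration (not code from the talk), the following script parses such log lines, attributes each request to a CMS honeypot and counts error responses and probes of well-known admin paths; it assumes each honeypot VM is routed behind Pound under a path prefix (/php/, /asp/, /jsp/, /ruby/), and the log lines are constructed.

```python
import re
from collections import Counter

# Constructed Apache combined-format lines, as Pound can be configured to emit.
# Assumption: each honeypot VM sits behind Pound under a path prefix
# (/php/, /asp/, /jsp/, /ruby/). These are not captures from the talk.
SAMPLE_LOG = """\
203.0.113.5 - - [24/Apr/2010:10:01:02 +0200] "GET /php/administrator/index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [24/Apr/2010:10:01:05 +0200] "POST /php/administrator/index.php HTTP/1.1" 401 120 "-" "Mozilla/5.0"
198.51.100.7 - - [24/Apr/2010:10:02:00 +0200] "GET /jsp/manager/html HTTP/1.1" 401 30 "-" "curl/7.19"
192.0.2.9 - - [24/Apr/2010:10:03:00 +0200] "GET /asp/default.aspx HTTP/1.1" 500 200 "-" "Mozilla/4.0"
192.0.2.9 - - [24/Apr/2010:10:03:10 +0200] "GET /ruby/ HTTP/1.1" 200 900 "-" "Mozilla/5.0"
this line is not a log entry
"""

# One Apache combined-format access line: client, timestamp, request, status, size.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)')

PREFIX_TO_CMS = {"/php/": "PHP", "/asp/": "ASP", "/jsp/": "JSP", "/ruby/": "Ruby"}
# Well-known admin and servlet-manager paths that scanners try by default.
PROBE_RE = re.compile(r"/(administrator|admin|wp-admin|manager)\b", re.I)

def parse_line(line):
    # Return the fields of one access-log line, or None if it does not parse.
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def classify_cms(path):
    # Map the request path to the honeypot VM it was routed to.
    return next((cms for p, cms in PREFIX_TO_CMS.items() if path.startswith(p)), "other")

def summarize(log_text):
    """Count hits per CMS, error responses (>= 400) and admin-path probes."""
    hits, errors, probes, skipped = Counter(), Counter(), [], 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1          # malformed line: count it rather than crash
            continue
        cms = classify_cms(rec["path"])
        hits[cms] += 1
        if rec["status"] >= 400:
            errors[cms] += 1
        if PROBE_RE.search(rec["path"]):
            probes.append((rec["ip"], cms, rec["path"], rec["status"]))
    total = sum(hits.values())
    pct = {cms: round(100.0 * n / total, 1) for cms, n in hits.items()} if total else {}
    return {"hits": dict(hits), "percent": pct, "errors": dict(errors),
            "probes": probes, "skipped": skipped}
```

Run `summarize(open("access.log").read())` on the proxy log to get the per-CMS share of hits that the results slide reports as percentages.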
Results and Findings
Percentages of attack
PHP CMS
• Default installations (welcome, intruder)
• Cliché credentials (admin)
ASP CMS
• Windows viruses and worms
• These do not work on Linux (the honeypot runs .NET under mod_mono)
JSP CMS
• Unauthorized access (servlet manager)
Ruby CMS
• Normal access
Conclusion
• PHP: most threats
• ASP: high threats but less significant impact
• JSP: fewer threats but high impact
• Ruby: low impact
• Future plan: JSP/Ruby
Future Works
• Compiled attacks can be utilised for IDS/IPS
• Implement database monitoring
Thank you! Questions?