
Krakow, April 24-25, 2010

Capturing Web Application Threats Using virtual CMS Honeypot

Saharudin Saat


Why Honeypot?

• Capture live attacks
• Find solutions for 0-day attacks
• Hackers view the virtual honeypots as a real server (playground)
• Honeypots cannot be used as a stepping stone to do any harm (permit in, block out)


The Architecture


Tools

• Raw honeypot (VirtualBox)
• Proxy (Pound, Apache log format)
• AWStats (log analysis)
• Snort (signatures)
• ACID/BASE (reports)
• Tcpdump (record packets)
• Tcpreplay (replay captured packets, e.g. to reproduce a crash)


What’s Different?

• Enhanced AWStats error logs
• Detailed error messages based on W3C
• Custom virus and worm signatures
• Better reports


Results and Findings

Percentages of attack [chart]


PHP CMS

• Default (welcome intruder)
• Cliché (admin)


ASP CMS

• Windows viruses and worms
• Do not work on Linux (mod_mono .NET environment)


JSP CMS

• Unauthorized access (servlet manager)


RUBY CMS

• Normal access


Conclusion

Future plan JSP/Ruby

• PHP: most threats
• ASP: high threats but less significant impact
• JSP: fewer threats but high impact
• Ruby: low impact


Future Works

• Compiled attacks can be utilised for IDS/IPS
• Implement database monitoring
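The following is an added example, not code from the presentation, showing the two pieces of the pipeline the slides only name: turning the proxy's Apache-format log into the per-CMS attack percentages of the results slide, and compiling the matched attacks into Snort rules as the future-works slide proposes. It assumes each CMS honeypot is mounted under its own path prefix (/php/, /asp/, /jsp/, /ruby/), and the three signature patterns (admin-login guessing, Windows worm probes, servlet-manager access) are this example's own illustrations of the attack classes in the slides, not the talk's custom signature set. The log lines are constructed.

```python
"""Added example: honeypot proxy log -> attack percentages -> Snort rules.
The CMS path layout, signatures and sample log lines are assumptions of
this example, not artefacts of the presentation."""
import re
from collections import Counter

# Apache/NCSA combined log format, which the Pound proxy writes.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Assumption: one honeypot CMS per path prefix.
CMS_PREFIX = {"/php/": "PHP", "/asp/": "ASP", "/jsp/": "JSP", "/ruby/": "Ruby"}

# Hypothetical signatures for the attack classes named in the slides.
SIGNATURES = [
    ("default-admin-login", re.compile(r"/admin(?:/|\.php)", re.I)),
    ("windows-worm-probe", re.compile(r"cmd\.exe|root\.exe|default\.ida", re.I)),
    ("servlet-manager-access", re.compile(r"/manager/html|/host-manager", re.I)),
]


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def classify(entry):
    """Return (cms, signature_name); signature_name is None for benign requests."""
    path = entry["path"]
    cms = next((n for p, n in CMS_PREFIX.items() if path.startswith(p)), "unknown")
    sig = next((n for n, rx in SIGNATURES if rx.search(path)), None)
    return cms, sig


def attack_percentages(lines):
    """Per CMS: request count, attack count and share of all attacks (percent)."""
    requests, attacks = Counter(), Counter()
    for line in lines:
        entry = parse_line(line)
        if entry is None:      # malformed or truncated line, skip it
            continue
        cms, sig = classify(entry)
        requests[cms] += 1
        if sig:
            attacks[cms] += 1
    total = sum(attacks.values())
    return {
        cms: {
            "requests": requests[cms],
            "attacks": attacks[cms],
            "share_of_attacks": round(100.0 * attacks[cms] / total, 1) if total else 0.0,
        }
        for cms in requests
    }


def _escape_content(s):
    # Snort content strings must escape backslash, double quote and semicolon.
    return s.replace("\\", "\\\\").replace('"', '\\"').replace(";", "\\;")


def snort_rule(sig_name, uri_content, sid):
    """Snort rule alerting on the given URI content of a compiled attack."""
    return (
        'alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS '
        f'(msg:"HONEYPOT {sig_name}"; flow:to_server,established; '
        f'content:"{_escape_content(uri_content)}"; http_uri; nocase; '
        f'sid:{sid}; rev:1;)'
    )


def compile_rules(lines, base_sid=1000001):
    """One rule per distinct (signature, path) seen in the log, numbered from base_sid."""
    seen = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        _, sig = classify(entry)
        if sig and (sig, entry["path"]) not in seen:
            seen.append((sig, entry["path"]))
    return [snort_rule(sig, path, base_sid + i) for i, (sig, path) in enumerate(seen)]


# Constructed sample log as the Pound proxy would write it (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Apr/2010:10:00:01 +0200] "GET /php/admin/login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [24/Apr/2010:10:00:02 +0200] "GET /php/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '10.0.0.6 - - [24/Apr/2010:10:00:03 +0200] "POST /php/admin/ HTTP/1.1" 302 0 "-" "curl/7.19"',
    '10.0.0.7 - - [24/Apr/2010:10:00:04 +0200] "GET /asp/scripts/root.exe?/c+dir HTTP/1.0" 404 210 "-" "-"',
    '10.0.0.7 - - [24/Apr/2010:10:00:05 +0200] "GET /asp/default.ida?XXXX HTTP/1.0" 404 210 "-" "-"',
    '10.0.0.8 - - [24/Apr/2010:10:00:06 +0200] "GET /jsp/manager/html HTTP/1.1" 401 0 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [24/Apr/2010:10:00:07 +0200] "GET /ruby/ HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    'this line was truncated by a crash',
]

if __name__ == "__main__":
    for cms, stats in attack_percentages(SAMPLE_LOG).items():
        print(cms, stats)
    for rule in compile_rules(SAMPLE_LOG):
        print(rule)
```

On the constructed log the PHP and ASP honeypots each receive 40% of the attacks, JSP 20%, Ruby none, matching the ordering of the conclusion slide; the rules emitted by compile_rules are plain Snort text that can be dropped into a local.rules file, with the sid range chosen above 1,000,000 to stay out of the reserved ranges.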
