This is, however, successfully blocked by the Honeywall. With the help of an automated setup procedure, he installs all tools on the honeypot and then tries to attack other systems. It contains several common attack tools like a Trojan Horse with the capability to hide certain files, a keylogger, or a vulnerability scanner. Via several steps, he gained access to the Windows command shell and then uploaded his own toolkit. The attacker managed to access the FTP server provided by XAMPP using a default login and password.
Again, this can be some kind of burglar alarm and help you to identify the reconnaissance phase of an attack against you. You could use a similar honeypot setup to protect your server: deploy a fairly secure honeypot near your valuable boxes (preferably in a separate VLAN) and closely monitor what happens. This is a common phenomenon in IT security, and we wanted to see whether this can also lead to interesting observations. Thus, the individual software tools are secure, but due to insecure configuration, the whole system is vulnerable to attacks. Please secure XAMPP before publishing anything online. The user of Mercury and FileZilla are known. The MySQL daemon is accessible via network. The MySQL administrator (root) has no password. Here a list of missing security in XAMPP:
For development environments this is great but in a production environment it could be fatal. XAMPP is configured to be as open as possible and to allow the web developer anything he/she wants. XAMPP itself is designed for a development environment, and the installation notes clearly mention that XAMPP should not be used in a production environment : This time we choose XAMPP version 1.5.5, an easy-to-install Apache distribution containing the tools Apache 2.2.3, MySQL 5.0.27, PHP 5.2.0 and PHP 4.4.4, phpMyAdmin 2.9.1.1, FileZilla FTP Server 0.9.20, and OpenSSL 0.9.8d.Īs you can see, all applications are on a fairly recent version and thus should be rather secure. To offer some bait for an attacker, we installed again some web applications on the honeypot. Thus, it cannot be easily compromised by automated attacks by worms or autonomous spreading malware.
This honeypot was on the latest patch level for the operating system, and all patches issued by Microsoft were installed. As a second example of an attack against a high-interaction honeypot we take a closer look at a compromise of a honeypot running Windows 2000 Service Pack 2.
0 kommentar(er)
