Building a Honeypot To Observe Shellshock Attacks In the Real World
Nerval's Lobster writes: A look at some of the Shellshock-related reports from the past week makes it seem as if attackers are flooding networks with cyberattacks targeting the vulnerability in Bash that was disclosed last week. While the attackers haven't wholesale adopted the flaw, there have been quite a few attacks—but the reality is that attackers are treating the flaw as just one of many methods available in their tool kits. One way to get a front-row seat of what the attacks look like is to set up a honeypot. Luckily, threat intelligence firm ThreatStream released ShockPot, a version of its honeypot software with a specific flag, "is_shellshock," that captures attempts to trigger the Bash vulnerability. Setting up ShockPot on a Linux server from cloud host Linode.com is a snap. Since attackers are systematically scanning all available addresses in the IPv4 space, it's just a matter of time before someone finds a particular ShockPot machine. And that was definitely the case, as a honeypot set up by a Dice (yes, yes, we know) tech writer captured a total of seven Shellshock attack attempts out of 123 total attacks. On one hand, that's a lot for a machine no one knows anything about; on the other, it indicates that attackers haven't wholesale dumped other methods in favor of going after this particular bug. PHP was the most common attack method observed on this honeypot, with various attempts to trigger vulnerabilities in popular PHP applications and to execute malicious PHP scripts.
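How a honeypot can flag Shellshock attempts and separate them from PHP probing, as an added example that is not part of the original summary and is not ShockPot's code. The function name `is_shellshock` borrows the flag name from the summary; the record layout, the labels and the sample entries are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Bash treats an environment value that begins with "() {" as a function
# definition; CGI servers copy request header values into the environment.
# The pattern is anchored at the start of the value and lenient on whitespace.
FUNC_PREFIX = re.compile(r"\s*\(\)\s*\{")


def is_shellshock(headers):
    """True if any header value starts with the function-definition prefix."""
    return any(FUNC_PREFIX.match(value) for value in headers.values())


def classify(request):
    """Label one logged request (labels are assumptions of this example)."""
    if is_shellshock(request["headers"]):
        return "shellshock"
    if ".php" in request["path"].lower():
        return "php-probe"
    return "other"


def summarize(requests):
    """Count requests per label, as a daily honeypot report would."""
    return Counter(classify(r) for r in requests)


# Constructed sample entries (documentation addresses, harmless payloads).
SAMPLE_LOG = [
    {"src": "198.51.100.7", "path": "/cgi-bin/status",
     "headers": {"User-Agent": "() { :; }; echo constructed-probe"}},
    {"src": "203.0.113.9", "path": "/phpMyAdmin/index.php",
     "headers": {"User-Agent": "Mozilla/5.0"}},
    {"src": "198.51.100.23", "path": "/cgi-bin/test.cgi",
     "headers": {"User-Agent": "curl/7.38", "Cookie": "() {:;}; echo constructed-probe"}},
    # "() {" in the middle of a value is not a function definition to Bash.
    {"src": "192.0.2.44", "path": "/",
     "headers": {"Referer": "http://example.com/?q=function() { }"}},
    {"src": "203.0.113.80", "path": "/wp-login.php",
     "headers": {"User-Agent": "Mozilla/5.0"}},
]

if __name__ == "__main__":
    for label, count in summarize(SAMPLE_LOG).most_common():
        print(f"{label}: {count}")
```

Checking every header rather than only `User-Agent` matters because any header value reaches the CGI environment.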
Well, that was a waste of time to read (yeah yeah, I know...). Essence is: a vulnerable server is created, and watching logfiles of people connecting, it can be seen that people first recon the honeypot, to see if it's exploitable, and then try to exploit the Shellshock vulnerability.
Well d'oh. Was the author surprised by this? How is this different to /any/ other vulnerability? First recon, then exploit. The article sounds like it was written by somebody who's never heard of "computer security" and is trying to wrap his head around basic concepts.
See https://blog.cloudflare.com/inside-shellshock/.