Slashdot Mirror


Building a Honeypot To Observe Shellshock Attacks In the Real World

Nerval's Lobster writes A look at some of the Shellshock-related reports from the past week makes it seem as if attackers are flooding networks with cyberattacks targeting the vulnerability in Bash that was disclosed last week. While the attackers haven't wholesale adopted the flaw, there have been quite a few attacks—but the reality is that attackers are treating the flaw as just one of many methods available in their tool kits. One way to get a front-row seat of what the attacks look like is to set up a honeypot. Luckily, threat intelligence firm ThreatStream released ShockPot, a version of its honeypot software with a specific flag, "is_shellshock," that captures attempts to trigger the Bash vulnerability. Setting up ShockPot on a Linux server from cloud host Linode.com is a snap. Since attackers are systematically scanning all available addresses in the IPv4 space, it's just a matter of time before someone finds a particular ShockPot machine. And that was definitely the case, as a honeypot set up by a Dice (yes, yes, we know) tech writer captured a total of seven Shellshock attack attempts out of 123 total attacks. On one hand, that's a lot for a machine no one knows anything about; on the other, it indicates that attackers haven't wholesale dumped other methods in favor of going after this particular bug. PHP was the most common attack method observed on this honeypot, with various attempts to trigger vulnerabilities in popular PHP applications and to execute malicious PHP scripts.
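As an added illustration (not ShockPot's code and not part of the original story), the following Python does the detection that the "is_shellshock" flag mentioned above performs: it parses a few constructed HTTP requests and flags those whose header value carries a Bash function-definition prefix, tallying them against PHP application probes and everything else, much like the 7-of-123 count the honeypot produced. The function names and sample requests are assumptions made for this example.

```python
import re
from collections import Counter

# Indicator of a Shellshock probe: a Bash function definition "() {" placed in a
# request header that a CGI handler would export into the environment.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")
# Rough indicator of the PHP application probes the honeypot saw most often.
PHP_PROBE_RE = re.compile(r"\.php\b", re.IGNORECASE)


def parse_request(raw: str) -> dict:
    """Parse a raw HTTP request (request line plus headers) into a dict."""
    lines = raw.strip().splitlines()
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers}


def classify(req: dict) -> str:
    """Return 'shellshock', 'php' or 'other' for one parsed request."""
    # Any header can reach Bash via CGI, so check every value, not just User-Agent.
    for value in req["headers"].values():
        if SHELLSHOCK_RE.search(value):
            return "shellshock"
    if PHP_PROBE_RE.search(req["path"]):
        return "php"
    return "other"


def tally(raw_requests) -> Counter:
    """Count requests per category, the way a honeypot summary would."""
    return Counter(classify(parse_request(r)) for r in raw_requests)


# Constructed sample requests (not real captured traffic); the command after the
# function prefix is a harmless echo used only as a detection test string.
SAMPLE_REQUESTS = [
    "GET /cgi-bin/status HTTP/1.1\nHost: honeypot.example\nUser-Agent: () { :; }; echo shockpot_test\n",
    "GET /phpmyadmin/index.php HTTP/1.1\nHost: honeypot.example\nUser-Agent: Mozilla/5.0\n",
    "GET / HTTP/1.1\nHost: honeypot.example\nUser-Agent: curl/7.35\n",
    "POST /wp-login.php HTTP/1.1\nHost: honeypot.example\nReferer: () {:;}; echo shockpot_test\n",
]

if __name__ == "__main__":
    for kind, count in tally(SAMPLE_REQUESTS).items():
        print(f"{kind}: {count}")
```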

2 of 41 comments

  1. Worthless article using invalid wording by Anonymous Coward · Score: 2, Interesting

    What "popular" php apps are passing variables unsanitized to the shell?

    They are the vectors that need to be described. What software is vulnerable.

    To date I've not read a single thing that clarifies this.

    FUD

  2. Not the remote exploit many are looking for by damn_registrars · Score: 4, Interesting

    My home box has seen a dramatic uptick in the frequency of ssh attempts - particularly as root (even though I don't allow remote logins as root regardless of whether the password is right or not) - but the frequency of attacks via PHP and other potential shellshock vectors hasn't changed much.

    I recently had one IP address in China make over 10,000 attempts to log in as root via ssh in one morning. By comparison, on the same day I saw only 109 failed attempts to load various php configuration pages.

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.