Slashdot Mirror


Building a Honeypot To Observe Shellshock Attacks In the Real World

Nerval's Lobster writes A look at some of the Shellshock-related reports from the past week makes it seem as if attackers are flooding networks with cyberattacks targeting the vulnerability in Bash that was disclosed last week. While the attackers haven't wholesale adopted the flaw, there have been quite a few attacks—but the reality is that attackers are treating the flaw as just one of many methods available in their tool kits. One way to get a front-row seat of what the attacks look like is to set up a honeypot. Luckily, threat intelligence firm ThreatStream released ShockPot, a version of its honeypot software with a specific flag, "is_shellshock," that captures attempts to trigger the Bash vulnerability. Setting up ShockPot on a Linux server from cloud host Linode.com is a snap. Since attackers are systematically scanning all available addresses in the IPv4 space, it's just a matter of time before someone finds a particular ShockPot machine. And that was definitely the case, as a honeypot set up by a Dice (yes, yes, we know) tech writer captured a total of seven Shellshock attack attempts out of 123 total attacks. On one hand, that's a lot for a machine no one knows anything about; on the other, it indicates that attackers haven't wholesale dumped other methods in favor of going after this particular bug. PHP was the most common attack method observed on this honeypot, with various attempts to trigger vulnerabilities in popular PHP applications and to execute malicious PHP scripts.

9 of 41 comments

  1. Article was low in details by Anonymous Coward · · Score: 5, Informative

    Well that was a waste of time to read (yeah yeah, I know...). Essence is: a vulnerable server is created, and watching logfiles of people connecting, it can be seen that people first recon the honeypot, to see if it's exploitable, and then try to exploit the shellshock vulnerability.

    Well d'oh. Was the author surprised by this? How is this different to /any/ other vulnerability? First recon, then exploit. The article sounds like it was written by somebody who's never heard of "computer security" and is trying to wrap his head around basic concepts.

    1. Re:Article was low in details by Zaiff+Urgulbunger · · Score: 2

      The article sounds like it was written by somebody who's never heard of "computer security" and is trying to wrap his head around basic concepts.

      And also someone who is presumably not running any web-servers - otherwise they'd only need to check their own web logs. I've got hosting with Bytemark and DigitalOcean and both have had a handful of shellshock attempts amongst all the usual PHP/WordPress/MySQLAdmin/whatever attempts.

      The only very moderately interesting thing I've noticed is that Shellshock attempts seem to be only by IP address and not by host (I'm hosting multiple websites per VM), so presumably most shellshock-bots are just sweeping IP ranges rather than using a list of known hosts.
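The log check the comment above describes, as an added example that is not from the article, ShockPot or either poster: it scans constructed Apache `vhost_combined`-style lines (the format is assumed) for the Bash function-definition marker that every Shellshock probe must carry, and records whether each hit addressed the server by bare IP or by hostname.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address

# Assumed log format (Apache "vhost_combined"):
# vhost:port client - - [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<vhost>[^:\s]+):\d+ (?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Start of a Bash exported-function definition: the marker every Shellshock
# attempt has to place in some header the CGI layer copies into the environment.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')

@dataclass
class Hit:
    client: str   # source address of the request
    vhost: str    # name the request addressed (Host header / server name)
    by_ip: bool   # True when the server was addressed by a bare IP literal
    field: str    # which logged field carried the marker

def is_ip_literal(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False

def scan_log(lines):
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines in another format rather than guessing
        for field in ("request", "referer", "ua"):
            if SHELLSHOCK_RE.search(m.group(field)):
                vhost = m.group("vhost")
                hits.append(Hit(m.group("client"), vhost, is_ip_literal(vhost), field))
                break
    return hits

def summarize(hits):
    by_ip = sum(h.by_ip for h in hits)
    return {"total": len(hits), "by_ip": by_ip, "by_host": len(hits) - by_ip}

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5:80 198.51.100.7 - - [30/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 404 209 "-" "() { :;}; echo vulnerable"',
    'www.example.org:80 198.51.100.9 - - [30/Sep/2014:10:02:15 +0000] "GET /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    'blog.example.org:80 198.51.100.7 - - [30/Sep/2014:10:03:40 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 209 "() { :;}; echo vulnerable" "curl/7.37"',
    '203.0.113.5:80 198.51.100.11 - - [30/Sep/2014:10:05:01 +0000] "POST /phpmyadmin/scripts/setup.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(h)
    print(summarize(scan_log(SAMPLE_LOG)))
```

Run against a real vhost-aware log, the `by_host` count tells you whether the scanner knew your site names or was only sweeping address ranges, which is the distinction the comment draws.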

  2. Worthless article using invalid wording by Anonymous Coward · · Score: 2, Interesting

    What "popular" php apps are passing variables unsanitized to the shell?

    They are the vectors that need to be described. What software is vulnerable.

    To date I've not read a single thing that clarifies this.

    FUD

  3. CloudFlare did a similar analysis by heypete · · Score: 5, Informative
  4. Not the remote exploit many are looking for by damn_registrars · · Score: 4, Interesting

    My home box has seen a dramatic up-tick in frequency of ssh attempts - particularly as root (even though I don't allow remote logins as root regardless of whether the password is right or not) - but the frequency of attacks via PHP and other potential shellshock vectors hasn't changed much.

    I recently had one IP address in China make over 10,000 attempts to log in as root via ssh in one morning. By comparison on the same day I saw only 109 failed attempts to load various php configuration pages.

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.

    1. Re:Not the remote exploit many are looking for by dcollins117 · · Score: 2

      I find it amusing to see how hard some people will work to try to compromise my inconsequential system.

      Lol, same here. The only thing of value on my file server is the stuff I'm sharing publicly anyways. When I look through my logs at all the fancy attack vectors I think to myself they'd be better off pointing a web browser at index.html, it would sure save them a lot of trouble.

  5. Shared hosting by QuietLagoon · · Score: 2

    ...Since attackers are systematically scanning all available addresses in the IPv4 space...

    If your site is on a server that does shared (or virtual) hosting, then IP address scans will usually not trigger shellshock from your site because your site needs to be accessed via its URL. Accesses via IP address will usually go to a main site on that server, and that main site may not have any exploitable content.

    ... On one hand, that's a lot for a machine no one knows anything about; on the other, it indicates that attackers haven't wholesale dumped other methods in favor of going after this particular bug....

    This is a straw man. Of course the bad guys are not going to walk away from all the other exploits in their toolbox. No one said they would.

    Most of the shellshock accesses I see are just scans, i.e., the bad guys are building an inventory of what hosts are vulnerable. I haven't seen too many (i.e., only a very few) attempts to take over the host.... yet.

  6. Pardon the sarcasm by s.petry · · Score: 2

    I replied directly as sarcasm, and perhaps should have added this as an addendum to the same post. I used to do the same at home where I had no concerns if a hacker was actually successful. I never gave free access like you; I was still running both tcpwrappers and an application called Netwatch (similar to fail2ban). I did log everything, and spent a good deal of time probing the people attempting to hack my stuff, tracking their traffic, etc. Partially this was a bit of morbid curiosity, partially learning how hackers operate, but also to give me ideas of what to be protecting at the office.

    Assuming you know the risks, which it seems like you do, there is nothing wrong with what you are doing. Quite frankly, I learned a lot by doing this and attempting to build honeypots at home.

    An office environment is quite different, different actions, different tolerances, and different expectations.

    --

    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

  7. Wordpress? by s.petry · · Score: 2

    They seem to have problems with every other vulnerability, why would they want to leave this one out?

    Yes, that is *snark* directed against Wordpress and their history of poor security. No, I do not know if there are any actual Wordpress exploits.

    --

    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.