Open Proxy servers are a big problem on the Internet. Not only can an improperly
secured proxy server expose your internal network to attack (yes, you heard me
right, attackers can leverage unsecured proxy servers to identify/connect to
internal systems Lamo's Adventures
in WorldCom), but also these systems are used to obscure the true origin of web-based
attacks. In order to gather data on these types of attack channels, the
Honeypots: Monitoring and Forensics Project
deployed a specially configured Apache web server, designed specifically for use as a
honeypot open proxy server or ProxyPot. Please review the honeynet whitepaper entitled
Open Proxy Honeypot
for in depth details of the configurations. This
paper will provide important background information to aid in your analysis of the
SoTM data. As a reference we provide the following key to data:
a. Honeynet Web Server Proxy IP sanitized to: 192.168.1.103
b. Honeynet Web Server Proxy Hostname sanitized to: www.testproxy.net
Download the Image (25 MB)
- How do you think the attackers found the honeyproxy?
- What different types of attacks can you identify? For each category,
provide just one log example and detail as much info about the attack as
possible (such as CERT/CVE/Anti-Virus id numbers). How many can you find?
- Do attackers target Secure Socket Layer (SSL) enabled web servers as their
targets? Did they target SSL on our honeyproxy? Why would they want to use
SSL? Why didn't they use SSL exclusively?
- Are there any indications of attackers chaining through other proxy servers?
Describe how you identified this activity. List the other proxy servers identified.
Can you confirm that these are indeed proxy servers?
- Identify the different Brute Force Authentication attack methods. Can you
obtain the clear text username/password credentials? Describe your methods.
- What does the Mod_Security error message "Invalid Character Detected" mean?
What were the attackers trying to accomplish?
- Several attackers tried to send SPAM by accessing the following
URL - http://mail.sina.com.cn/cgi-bin/sendmsg.cgi. They tried to send
email with an html attachment (files listed in the /upload directory).
What does the SPAM webpage say? Who are the SPAM recipients?
- Provide some high level statistics on attackers such as:
- Top Ten Attackers
- Top Ten Targets
- Top User-Agents (Any weird/fake agent strings?)
- Attacker correlation from DShield and other sources?
- Why do you think the attackers were targeting pornography websites for
brute force attacks? (Besides the obvious physical gratification scenarios :)
- Even though the proxypot's IP/Hostname was obfuscated from the logs,
can you still determine the probable network block owner?
This months challenge image and questions are lead by
Ryan Barnett. You can find Ryans writeup here.
Writeup from the Security Community