Web honeypot

Module name: SenseWebHoneypot

Honeypotting is a security technique in which you set up a system or subsystem that pretends to offer a vulnerable service. An attacker, hacker or bot will easily spot the apparent vulnerability and try to abuse it. Since the honeypot does not really provide the service it advertises, it instead collects the attack data and blocks the attack. The technique is much like setting traps for your enemies, and it is very effective against both automated and targeted attacks.

This module is responsible for setting up such honeypot traps on your PHP based websites.

How can you implement a web honeypot?

It is quite easy and straightforward. Create a PHP file with this content:

<?php

/*
 *   BitNinja Server Security
 *   All rights reserved.
 *   https://bitninja.io
 *
 *   @author        Zsolt Egri <ezsolt@bitninja.io>
 *   @copyright    (c) 2014 Web-Server Kft
 *   @package      BitNinja
 *   @subpackage HoneypotHttp
 *   @version       1.0
 */


/*
 * Function to send request data to the SenseWebHoneypot module of BitNinja.
 * Returns FALSE if the module's local socket cannot be reached or written to.
 */
function sendData()
{
    $socket = stream_socket_client("tcp://127.0.0.1:60099", $errno, $errorMessage);
    // Check the connection before configuring the stream.
    if ($socket === false) {
        return FALSE;
    }
    stream_set_timeout($socket, 1, 0);
    stream_set_blocking($socket, 1);
    // The request details the module needs to identify and greylist the source.
    $dataToSend = json_encode(array(
        'server' => $_SERVER,
        'post' => $_POST,
        'get' => $_GET,
        'file' => __FILE__,
        'pid' => getmypid(),
        'uid' => getmyuid()
    ));
    // fwrite() may send only part of the buffer, so loop until everything is
    // written; stop on a failed or zero-length write instead of spinning forever.
    while (strlen($dataToSend) !== 0) {
        $bytesWritten = fwrite($socket, $dataToSend);
        if ($bytesWritten === false || $bytesWritten === 0) {
            fclose($socket);
            return FALSE;
        }
        $dataToSend = substr($dataToSend, $bytesWritten);
    }
    fclose($socket);
    return TRUE;
}
?>
<!-- Your content should go here... -->
<html>
    <head>
        <title>BitNinja Honeypot</title>
    </head>
    <body>
        This is a honeypot file. Please leave it.
    </body>
</html>
<?php
    /*
     * Finally, we flush the output - send the content to the client - and
     * call the sendData() function to send the request to BitNinja.
     */
    flush();
    sendData();
?>

Of course, you can combine this code with your own as you like, and you decide what counts as malicious. Each incident is sent to the web honeypot module, which greylists the offending IP on all your servers. This example code can be found at /opt/bitninja/modules/SenseWebHoneypot/examples/example_honeypot_file.php. To use it:

  1. Copy it to a location the attacker can reach.
  2. Rename it to something interesting, like admin_login.php.
  3. Change the owner to the proper web user.
  4. Done :)

Note

Set up some honey on your web applications for hackers! You can set up web traps by hiding some virtual bugs in your application. What do you think about a cookie like this: admin=false? You can then verify the value of the admin cookie, and if it is anything other than false, send the incident to the web honeypot module. Believe me, no hacker can resist the curiosity to see what happens when they change this value to true. ;-)
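As an added example (not from the BitNinja docs or the module itself), here is the admin cookie trap from the note above, reporting to the same local socket as the example honeypot file; the function names and the extra cookie field in the payload are assumptions, not part of BitNinja:

```php
<?php
// Added example, not BitNinja's own code: the "admin=false" cookie trap from the
// note above, reporting to the same local module socket the honeypot file uses.
// Flag only an admin cookie whose value is not the decoy "false".
function adminCookieTampered(array $cookies): bool
{
    return array_key_exists('admin', $cookies) && $cookies['admin'] !== 'false';
}

// Same payload shape as the example honeypot file, plus the cookies that fired the trap.
function buildIncident(array $server, array $cookies, array $get, array $post): string
{
    return json_encode(array(
        'server' => $server,
        'post'   => $post,
        'get'    => $get,
        'cookie' => $cookies,
        'file'   => __FILE__,
        'pid'    => getmypid(),
        'uid'    => getmyuid(),
    ));
}

// The connection is checked before the stream is configured, and a failed write
// aborts rather than looping forever, so an unreachable module cannot hang the page.
function reportIncident(string $payload, string $addr = 'tcp://127.0.0.1:60099'): bool
{
    $socket = @stream_socket_client($addr, $errno, $errstr, 1);
    if ($socket === false) {
        return false;
    }
    stream_set_timeout($socket, 1, 0);
    while ($payload !== '') {
        $written = fwrite($socket, $payload);
        if ($written === false || $written === 0) {
            fclose($socket);
            return false;
        }
        $payload = substr($payload, $written);
    }
    fclose($socket);
    return true;
}

// Plant the decoy on the first visit; on later visits check it before serving.
if (adminCookieTampered($_COOKIE)) {
    reportIncident(buildIncident($_SERVER, $_COOKIE, $_GET, $_POST));
} elseif (!isset($_COOKIE['admin'])) {
    setcookie('admin', 'false', 0, '/');
}
```

Include this at the top of a page that normal users visit; only a client that edits the cookie value ever triggers a report.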

Note

Are web bots crawling your forum all the time or trying to send spam? Just add a link to your honeypot file and don't forget to keep all the good bots away from it with a robots.txt entry. Bad bots will follow the link and be trapped, whereas good bots will respect robots.txt and avoid the trap.

Note

Ever heard of Google Dorks? Put honeypots at URLs that appear in the Google Hacking Database and watch who tries to access them.

Note

Are attackers brute-forcing directory names on your site? Point your default 404 page at a honeypot.

Note

Found an infected file or backdoor on your server? You can replace it with a honeypot. MalwareDetection has an option to automatically honeypotify an infected script; enable it in /etc/bitninja/MalwareDetection/config.ini:

[core]
honeypotify = 'enabled'

Happy hacker hunting!