Wordpress Honeypot - Part 2
I let the honeypot run for 98 days in total. Looking back, I don't know why I didn't let it run for exactly 100 but I suspect it had something to do with me moving house around that time. I took note of my observations as I shut it down and grepped and awked my way through the logs to produce summary stats.
The first observation I recall making was the disparity between the number of connections to the site on the domain name vs. the number of connections to the site on the IP address. You'll find (regrettably) that a lot of websites will still serve you content if you connect on the IP address. It's a good idea to disable this functionality and simply present a generic error. This way, you'll eliminate a lot of your exposure to automated scanning, and the figures below corroborate this:
Connections to site via domain vs. via IP address |
Lets not forget that my honeypot was set up in such a way that, in theory at least, there could be no possible legitimate use case for someone to seek it out. Even so, in the 98 day window, the site was visited via the domain name by fifty-six unique IP addresses. That total excludes IP addresses belonging to search engines such as Google and Microsoft.
Unsurprisingly, the site took a bit of a pounding and was almost constantly tested for common web vulnerabilities from a broad spectrum of source IP addresses. The vast majority of these tests appeared to be drive-by, one-off checks for specific CMS engines, default files and default scripts. The actual wordpress login page was only visited seven times, and my attackers were clearly more interested in finding vulnerable instances of phpMyAdmin and sprawdza.php. I didn't manage to attract the attention of any persistent or focused attackers, and in total only observed a little more than fifteen-hundred unique payloads leveraged against the site. As for the easter eggs... they didn't get a single bite!
Payloads leveraged against site via domain vs. via IP address |
By the time it came to tear down the honeypot I'd acquired a huge number of IP addresses and it took some time to look into who they all belonged to and which countries they were registered in. Another jump-out observation was the absence of regular end-user ISPs from the WHOIS records of the IP addresses I'd observed hitting my web server. I expected a large percentage of the IPs to belong to hosting companies which have a fairly poor record in monitoring and investigating potential abuse originating from their networks. In the end, I only had traffic from a handful of commercial ISPs. The rest of the traffic originated from hosting companies and cloud service providers, including the provider I'd registered the VPS with:
Broken down by country, I was surprised to have my preconceptions challenged again. At the start of the exercise I would have bet that the majority of the traffic I'd see would originate from East and perhaps Eastern Europe. This was simply not the case:
Conclusions
Although this wasn't a particularly scientific exercise and it took place some time ago (notably before Heartbleend and ShellShock were revealed), there are still a few conclusions worth drawing from it.
Firstly, honeypots are worth looking into and if you know someone that's trying to make the move into information security they are a great introduction to many ideas. They make you think about real world problems in real world scenarios and provide you real world data and examples of threats and vulnerabilities. Sure, my honeypot didn't attract any big fish, but it did exemplify the exposure and subsequent risk many organisations face.
Secondly, it highlighted the importance of a lot of things you probably already know you should be doing. Server hardening, patching, vulnerability scanning and testing, logging and monitoring, access control reviews... all these processes are there to identify and then allow organisations to address risks which ultimately reduce the likelihood of breaches and information leakage occuring. In the context of this exercise, these things sound like overkill until you consider the fact that many businesses achieve their online presence in much the same way but with the absence of anyone reviewing activity. It doesn't matter whether you're big or small, private sector or charity, local or foreign - everything is a target on the internet to someone.