[SANS ISC] Increase of phpMyAdmin scans

I published the following diary on isc.sans.org: “Increase of phpMyAdmin scans”. PMA (or “phpMyAdmin”) is a well-known MySQL front-end written in PHP that “brings MySQL to the web” as stated on the web site. The tool is very popular amongst web developers because it helps to maintain databases just by using

[The post [SANS ISC] Increase of phpMyAdmin scans was first published on /dev/random]


Dropping Zip Bombs on Vulnerability Scanners

If you’ve ever looked at the server logs of a computer that lives full-time on the Internet, you know it’s a rough world out there. You’ll see hundreds of attempts per day to break in to your one random little box. Are you going to take that sitting down? Christian Haschek didn’t.

Instead of simply banning IPs or closing off services, [Christian] decided to hit ’em where it hurts: in the RAM. Now, whenever a bot hits his server looking for a poorly configured WordPress install, he serves them 10 GB of zeroes, compressed down into 10 MB by gzip …


Software to monitor everything that happens in Honeypot, or is there an equivalent of Sebek? [on hold]

I want to create a high-interaction honeypot and I need a program that will do the following:

In the previous section we briefly introduced several methods to collect additional information at the host system. This provides more information about cyber attacks, but the most valuable information can be collected at the honeypot itself — within the guest virtual machine. If we are able to closely monitor this system, we can, for example, observe what the attacker is typing, which tools he is executing and how he is escalating his privileges. Here is another example of why we must closely monitor the virtual honeypot: Imagine that the attacker uses an encrypted session via SSH to connect to the honeypot. If he then downloads additional tools via an SSL-encrypted website, the network dumps collected at the guest system are pretty useless. Since the complete session is encrypted and we do not know the correct key to decrypt the network stream, the tcpdump logs are rather useless to us. However, if we can observe the keystrokes and everything else at the honeypot itself, we can see which commands the attacker executes within the SSH session and which tools he downloads from the SSL-encrypted website. This way we can learn more about his procedures and study the attacker in more detail.

This excerpt is from “Virtual Honeypots – From Botnet Tracking to Intrusion Detection”. It’s pretty old and it suggests I use a program called Sebek to do what it says in the excerpt.

Sebek is pretty old and I can’t find it in the link given by the book (http://www.honeynet.org/tools/sebek).

Is there any modern (and preferably free) software that will do this?

Alternatively, could I use some open source virus or create something with, for example, Metasploit that will do this?

Thanks in advance.


Honeypots and the Internet of Things

According to Gartner, there are currently over 6 billion IoT devices on the planet. Such a huge number of potentially vulnerable gadgets could not possibly go unnoticed by cybercriminals. As of May 2017, Kaspersky Lab’s collections included several thousand different malware samples for IoT devices, about half of which were detected in 2017.