SANS Honeypot Shows Prevalence Of Web Attacks

The recent New York Times malvertisement attack helped bring mainstream media attention to the problem of popular, legitimate Websites being compromised and used as the source of Web-based malware attacks. What would probably shock those same people is how often Websites are attacked.

John H. Sawyer, Contributing Writer, Dark Reading

September 21, 2009

2 Min Read
Dark Reading logo in a gray background | Dark Reading

The recent New York Times malvertisement attack helped bring mainstream media attention to the problem of popular, legitimate Websites being compromised and used as the source of Web-based malware attacks. What would probably shock those same people is how often Websites are attacked.Recent information from the SANS Internet Storm Center (ISC) Web Honeypot project helps shed some light on such attacks. A Web Honeypot project's goal is to monitor and learn from large-scale automated Web attacks. The data is pretty interesting and can give you a peek at the types of attacks that Websites come under every day -- info you might not necessarily see unless you're a Web server admin or in an IT security position.

But other information can be gleaned from the published data, as well. For example, I was looking through the "distinct URL list" and was able to identify numerous legitimate sites that had been compromised, including sports, church, and corporate Websites.

The most obvious trend I saw (after visiting a few of the URLs in the logs) was that most of the compromised sites are primarily Asian sites that host a text file containing PHP code. The attacks target remote "file include" vulnerabilities in PHP Web applications. These vulnerabilities, when exploited, accept files hosted on other servers and interpret them locally on the victim Web server in order to gain remote control of the application, or sometimes the Web server itself.

The Web Honeypot project has the potential to provide the security community with some very useful data on attack trends, but it needs volunteers to contribute Web logs. Take a look at the project's site for more information on how to contribute.

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.

About the Author

John H. Sawyer

Contributing Writer, Dark Reading

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights