Onion Routing

Onion routing is a routing technique that protects user privacy by ensuring that each node knows only part of a packet's route. Tor, a service sponsored by the Electronic Frontier Foundation, is an implementation of this concept: it consists of randomly selected, encrypted tunnels that act as a proxy for client applications such as web browsers. The honeynet identified only 40 attacks (.01%) that made use of the Tor service.

Of the seven unique attacks using Tor, only two are worth noting; the others simply reached the honeypot and took no further action. The first attack traversed four honeypots and did nothing more malicious than explore the filesystems and attempt to create a hidden directory. The attacker discovered the honeypots using Google with the query "inurl:phpshell.php filetype:php". The second attack touched only one honeypot on the honeynet and attempted to retrieve a 'config.php' file. Applications written in PHP commonly include a 'config.php' file, which usually contains passwords or other sensitive information about the application. In the case of PHPShell, config.php includes usernames and passwords as well as some other configuration information.

2006-11-17 06:29:49 Signatures: Known Search Engine: google.com;
Referrer: http://www.google.com/search?q=inurl:phpshell.php;filetype:php
2006-11-17 06:29:58 ps ax;
2006-11-17 06:30:07 uname -a;
2006-11-17 06:30:24 cd /tmp;
2006-11-17 06:30:43 cd /tmp;
2006-11-17 06:30:47 ;
2006-11-17 06:30:55 ls;
2006-11-17 06:31:04 mkdir .sec;
2006-11-17 06:31:07 ls;
2006-11-17 06:31:17 cd .sec;
2006-11-17 06:31:28 cd /var/tmp;

Figure 4. Example session from an attacker using Tor
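As an added example (not part of the study's own tooling), the following Python parses a session in the Figure 4 format and applies the indicators the text describes: the honeypot's search-engine referrer signature, host reconnaissance commands, creation of a hidden directory, and access to config.php. The sample log is constructed from the Figure 4 lines plus one added "cat config.php" line to cover the second attack; the set of reconnaissance commands is an assumption.

```python
import re

# Constructed sample in the Figure 4 format: a timestamped "Signatures:" line with
# a "Referrer:" continuation, then timestamped shell commands (last line added).
SAMPLE_LOG = """\
2006-11-17 06:29:49 Signatures: Known Search Engine: google.com;
Referrer: http://www.google.com/search?q=inurl:phpshell.php;filetype:php
2006-11-17 06:29:58 ps ax;
2006-11-17 06:30:07 uname -a;
2006-11-17 06:30:24 cd /tmp;
2006-11-17 06:30:47 ;
2006-11-17 06:31:04 mkdir .sec;
2006-11-17 06:31:17 cd .sec;
2006-11-17 06:31:40 cat config.php;
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.*)$")
RECON_CMDS = {"ps ax", "uname -a", "id", "whoami"}  # assumed host-enumeration set


def parse_session(text):
    """Return [(timestamp, kind, value)]; kind is "signature" (honeypot
    annotation) or "command" (attacker input). Untimestamped lines such as
    "Referrer:" continue the previous entry; empty commands (";") are dropped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # untimestamped line: glue it onto the preceding entry
            if entries and line.strip():
                ts, kind, value = entries[-1]
                entries[-1] = (ts, kind, value + " " + line.strip())
            continue
        ts, body = m.groups()
        body = body.strip().rstrip(";").strip()
        if body.startswith("Signatures:"):
            entries.append((ts, "signature", body[len("Signatures:"):].strip()))
        elif body:
            entries.append((ts, "command", body))
    return entries


def assess_session(entries):
    """Apply the indicators described in the text and report which ones fired."""
    cmds = [v for _, k, v in entries if k == "command"]
    sigs = [v for _, k, v in entries if k == "signature"]
    return {
        "found_via_search_engine": any("Known Search Engine" in s for s in sigs),
        "recon_commands": [c for c in cmds if c in RECON_CMDS],
        "hidden_dir_created": any(re.match(r"mkdir\s+\.\S+", c) for c in cmds),
        "config_php_accessed": any("config.php" in c for c in cmds),
        "command_count": len(cmds),
    }
```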