- About us
- Code of Conduct
- Google SoC
- Recent posts
- Security Workshops
The honeynet deployed and analysed by the UK Honeynet Project in the second phishing incident was a high interaction research honeynet deployed in a UK ISP data centre during August 2004.
The UK Honeynet deployment was similar in broad outline to the German honeynet configuration detailed above, being composed of a number of physical honeypots running default installations of common UNIX operating systems on Intel and Sparc hardware. The Honeynet Projects Honeywall bootable CDROM was used for data control, providing a transparent bridging iptables firewall and using network connection rate limiting plus the snort-inline IPS to restrict outbound attack traffic. Another snort IDS provided data capture in binary pcap format, along with snort and snort-inline alerting and automated daily script based data analysis.
Individual honeypots were hosted behind the Honeywall gateway, connected to an Ethernet hub, and the Honeynet project's Sebek loadable kernel module was covertly installed and enabled on each honeypot to allow full keystroke logging. All network traffic to and from the honeypots was logged in pcap format, as were any keystrokes recorded using Sebek. Any compromised hosts were eventually taken off line and imaged for later forensic examination.
The RedHat Linux 7.3 server on Intel hardware honeypot that was compromised and used to host a phishing attack was a default CDROM based installation with a number of common network services such as Apache and samba enabled and left un-patched.
Again, a timeline of the incident is given:
|Date / Time||Event|
|17/08/04||First data from honeypot|
|Honeypot samba server compromised. Various IRC tools, backdoors and mass scanners installed by multiple groups|
|19/08/04||Attackers check result of network scans|
|20/08/04||New attackers compromise honeypot|
|22/08/04||More scanning activity|
|Phishers arrive through back door set up by initial attackers and set up phishing website|
|First web traffic arrives at web server for phishing site|
|Honeypot disconnected for forensic analysis|