The number of attacks against the Webhoneypot depends strongly on his PHP parser. So keeping the pattern matching mechanism up to date was one of the major future works. One of my goals for the Google Summer of Code time is to improve the parser and to reduce upcoming changes in attack patterns. The old parser was very simple: collect all lines containing echo calls, look for known patterns and generate the appropriate response.
Here a simple example:
The injected file:
Looks very simple? But what about Uname, Kernel, UNAME or even zname (Noticed the typo? Remember, they are just kids ;) )? So another goal is to leave pattern matching behind and invest some time and sweat into a cleverer parser.
Things are getting even more complicated when echo calls occurring in functions. A simple example:
The new parser I'm using with Glastopf is able to recognize functions with echo calls and parses all calls of this function. Here is a pseudo example how this works:
So as you see, I'm going to rewrite the PHP parser :) Just kidding, but I will use the next days to replace the variable replacement through pattern matching with a much more generic and powerful approach. I have committed a preliminary version of the new parser into SVN, actually you can choose between the old and clumsy and the new anbrainy parser.
Last but not least I invite you all to play around, comment and rewrite my Honeypot. Most parts are already finished and functional.