Improving Glastopf

15 Jun 2009 Lukas Rist glastopf honeypot

Last Saturday I finally released a new Glastopf version. There are some new features and many changes under the hood.

Newly implemented features:

LFI (Local File Inclusion) handler: It is back! I somehow lost it during coding, and now it has its own handler. I am looking forward to getting some data for attack method comparison. Furthermore, it is one possible first layer for RCE (Remote Code Execution) attacks, so I am also curious whether I’m catching some of those attacks.

IRC logging module: This is a request/response bot. The request gets translated into a MySQL query whose results are replied to the requester.

Twitter logging module: The Twitter module is now integrated into Glastopf. It’s fun to lean back and watch it do its work!

Important changes in existing modules:

Dynamic dork list: I have been collecting unknown dorks from attacks against the honeypot for a while, and one day I thought it would be fun to serve them all to the search engine crawlers. So I generated a list containing 17k dorks (a still growing number). This noticeably raised the number of hits against the honeypot.

Plans for the next two weeks:

The central database lacks an easy-to-handle, publicly shareable interface.

The vulnerability database needs some cleanup and the collected data should be analyzed.

I am planning some geolocation analysis of the attacker IPs.

Glastopf’s vulnerability emulator is one of the central parts when handling attacks. I’ve improved the concept; a first version is finished and will be implemented over the coming weeks.