Global Glastopf statistics for June 2014

08 Aug 2014 Mikael Keri glastopf logs reports statistics
During the month of June the following information was obtained from Glastopf installations worldwide Geographical spread 10 most popular injected files during the period Short introduction to RFI: “Remote File Inclusion (RFI) is a type of vulnerability most often found on websites. It allows an attacker to include a remote file, usually through a script on the web server. The vulnerability occurs due to the use of user-supplied input without proper validation.

Global Glastopf statistics for April 2014

16 Jul 2014 Mikael Keri glastopf logs report statistics
During the month of April the following information was obtained from Glastopf installations worldwide Number of alert for the period: 1325919 Filenames (RFI) - 10 most common during the period: Specifically newsworthy event: Ping back” pingback.ping, which is a legit WordPress feature is misused to DoS victims using legit WordPress sites. URL describing the issue: http://blog.sucuri.net/2014/03/more-than-162000-wordpress-sites-used-for-distributed- denial-of-service-attack.html Method: pingback.pinghttp://victim.com www.anywordpresssite.com/postchosenparam>' Extent: We started monitoring this event, late into the month. But even so, the top 10 victim sites was hit with a total of 13441 requests.

Global Glastopf statistics for May 2014

16 Jul 2014 Mikael Keri glastopf logs reports statistic
During the month of May the following information was obtained from Glastopf installations worldwide Number of alert for the period: 1859863 Filenames (RFI) - 10 most popular during the period: Ping back pingback.ping, which is a legit WordPress feature misused to DoS victims using legit WordPress sites. URL describing the issue: http://blog.sucuri.net/2014/03/more-than-162000-wordpress-sites-used-for-distributed-denial-of-service-attack.html Method: pingback.pinghttp://victim.comwww.anywordpresssite.com/postchosen' Extent: During may we collected 37705 pingback.ping request targeting various sites. This month it were sites that was facilitating DDoS attacks that was in focus, most likely from competition.

Glastopf v3 released

02 May 2012 Lukas Rist botnet-monitoring glastopf google-summer-of-code gsoc hpfeeds release sandbox web-server-botnet
We where glad to announce yet another tool during our annual workshop in San Francisco. Glaspot is the third version of the web application honeypot Glastopf and it come with some very powerful new features: A build-in PHP sandbox for code injection emulation, allowing us to bring vulnerability emulation to a new level Hooked up to the HPFeeds generic data feed system for centralized data collection and tight integration into our sandbox and web server botnet monitoring system Modular implementation: Turn your web application into a honeypot with a few easy steps Runs in his own lightweight Python server or as a WSGI module in common web server environments Automated attack surface generation and expansion In the next three months we are working on even more exciting new features and a much stronger integration into our web thread analysis platform.

GlastopfNG release

15 Oct 2010 Lukas Rist glastopf glastopng web-honeypot
Before we are getting worse than Duke Nukem Forever, we decided to finally release the next generation of the web application honeypot Glastopf, aka GlastopfNG! Today we find web applications in every environment independent of company size and even in home networks. Over web attack vectors like SQL Injections and Remote File Inclusions, criminals can overtake web servers which than become part of a botnet or even a command and control server.

Glastopf retrospection

10 Aug 2009 Lukas Rist glastopf webhoneypot
Today I make a retrospection on my work on the Glastopf Web Honeypot during the Google Summer of Code Program. My goal was to push forward the development on a Honeypot for an attack vector in web security which is really underestimated in current discussions. The main objectives could be merged into one intention: Increasing our attractiveness and answering every request as close as possible to a real world system. This got achieved with the new PHP file parser and the dynamic Google dork list which we provide for the Google crawler.

Glastopf's new vulnerability emulator

22 Jul 2009 Lukas Rist glastopf parser webhoneypot
The number of attacks against the Webhoneypot depends strongly on his PHP parser. So keeping the pattern matching mechanism up to date was one of the major future works. One of my goals for the Google Summer of Code time is to improve the parser and to reduce upcoming changes in attack patterns. The old parser was very simple: collect all lines containing echo calls, look for known patterns and generate the appropriate response.

Improving Glastopf

15 Jun 2009 Lukas Rist glastopf honeypot
Last saturday I’ve finally released a new Glastopf version. There are some new features and many changes under the hood. New implemented features: LFI (Locale File Inclusion) handler: He is back! I have lost him somehow during coding and now he has his own handler. I am looking forward to get some data for attack method comparison. Furthermore he is one possible first layer for RCE (Remote Code Execution) attacks. So I am also curious if I’m catching some of those attacks.

Introducing Glastopf, a Web Application Honeypot

27 May 2009 Lukas Rist glastopf gsoc honeypot
Hello, this initial blog post is used to introduce me and to provide a brief overview of my GSoC Project. My name is Lukas Rist (my personal blog) and I am currently studying Math and Physics at the University of Kaiserslauter in Germany. This is my first time in GSoC and I will be working with Thorsten Holz on Glastopf, a Web Application Honeypot. Glastopf is a minimalistic web server emulator written in Python.