Posts Tagged ‘Honeypot’

The Experiment – Part 4 – What Countries Are Doing the Most Hacking

Posted on the May 7th, 2007 under Editorial by

I’m still wrestling with the best way to represent the data from my Honeypot experiment. The plan is to create a color-coded map to represent the data in different ways. I’m looking at software like GMT (Generic Mapping Tools) and Quantum GIS, which uses the formidable GRASS open-source GIS system. I’ve even started dumping data into Google Base (more on this in an upcoming article) just to explore that as an option, since it is heavily tied into Google Maps. Regardless, I have not settled on a presentation format for the data. Once I do, I’ll start updating it regularly. “The Experiment” is so interesting to me that I’ve decided to continue the honeypot and perhaps even launch more honeypots.

Until I’ve settled on a presentation format, I’m simply going to post some of the statistics here.

Country Percent
United States 37%
United Kingdom 10%
Brazil 6%
Germany 5%
Morocco 3%
Russian Federation 3%
Spain 3%
Mexico 2%
Australia 2%
Canada 2%
Sweden 2%
Other 26%

Hacking Attempts by Country of Origin

The Experiment – Part 3 – Hackers Exposed

Posted on the May 5th, 2007 under Editorial by

I’ve now been running my honeypot for some period of time, and while I’m not sure what conclusions you can draw from the results, I can certainly say they are interesting. Over the course of the next week, I’m going to be posting the results of the analysis of the log files and hacker tracking system that I installed for the purpose of this experiment. I’ll include summaries of the types of attacks (see chart below), countries of origin, persistence (how many attempts were made by a single hacker), and hacker CQ (cleverness quotient). The CQ is a measure of both the methods and types of attacks by a single hacker, including analysis of probes, whether they attempted to cover their tracks using a proxy, and whether they actually did cover their tracks by using an anonymous proxy.

Summary of the Attack Types by Category

More to come…

The Experiment – Part 2 – Honeypot Statistics

Posted on the March 11th, 2007 under Editorial by

A couple of months ago, I started an experiment with honeypots. The goal was not to trap or track hackers but to gather statistics for newbies. The first step involved setting up the site and getting it listed in the search engines. That turned out to be no easy task, since the best search engines actually require you to have real content on your site before you get listed in any significant way. After accomplishing this, my honeypot is now gathering statistics that are starting to be interesting. I’m still gathering these and determining a useful and interesting way of reporting them, but here is an initial dump of the keywords used to find the various honeypots I’ve set up. More to come…

Keywords % Hits
inurl passlist.txt 20.50%
powered by phpfm filetype php -username 17.60%
filetype php haxplorer server files browser 11.70%
passlist ext txt 8.80%
inurl passlist.txt filetype txt 5.80%
inurl passwd.txt 5.80%
passlist.txt 2.90%
inurl passwd filetype txt 2.90%
inurl passlist filetype txt 2.90%
ext blt screenname 2.90%
phpshell by macker 2.90%
enter ip inurl php-ping.php 2.90%
inurl accounts filetype sql 2.90%
inurl passlist.txt -hack 2.90%
phpfm 0.2.3 2.90%
inurl passlist.txt | inurl passwd.txt filetype txt 2.90%