informa
/
Announcements
Report
Black Hat USA 2022 Attendee Report | Supply Chain & Cloud Security Risks Are Top of Mind | <READ IT NOW>
Event
Malicious Bots: What Enterprises Need to Know | August 30 Webinar | <REGISTER NOW>
Event
How Supply Chain Attacks Work – And What You Can Do to Stop Them | August 17 Webinar | <REGISTER NOW>
PreviousNext
Risk
2 min read
article

SANS Honeypot Shows Prevalence Of Web Attacks

The recent New York Times malvertisement attack helped bring mainstream media attention to the problem of popular, legitimate Websites being compromised and used as the source of Web-based malware attacks. What would probably shock those same people is how often Websites are attacked.
John H. Sawyer
Contributing Writer, Dark Reading
September 21, 2009
The recent New York Times malvertisement attack helped bring mainstream media attention to the problem of popular, legitimate Websites being compromised and used as the source of Web-based malware attacks. What would probably shock those same people is how often Websites are attacked.Recent information from the SANS Internet Storm Center (ISC) Web Honeypot project helps shed some light on such attacks. A Web Honeypot project's goal is to monitor and learn from large-scale automated Web attacks. The data is pretty interesting and can give you a peek at the types of attacks that Websites come under every day -- info you might not necessarily see unless you're a Web server admin or in an IT security position.

But other information can be gleaned from the published data, as well. For example, I was looking through the "distinct URL list" and was able to identify numerous legitimate sites that had been compromised, including sports, church, and corporate Websites.

The most obvious trend I saw (after visiting a few of the URLs in the logs) was that most of the compromised sites are primarily Asian sites that host a text file containing PHP code. The attacks target remote "file include" vulnerabilities in PHP Web applications. These vulnerabilities, when exploited, accept files hosted on other servers and interpret them locally on the victim Web server in order to gain remote control of the application, or sometimes the Web server itself.

The Web Honeypot project has the potential to provide the security community with some very useful data on attack trends, but it needs volunteers to contribute Web logs. Take a look at the project's site for more information on how to contribute.

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.

More Insights
White Papers
More White Papers
Webinars
More Webinars
Reports
More Reports
Editors' Choice
Average Data Breach Costs Soar to $4.4M in 2022
Robert Lemos, Contributing Writer, Dark Reading
In a Post-Macro World, Container Files Emerge as Malware-Delivery Replacement
Jai Vijayan, Contributing Writer, Dark Reading
Don't Have a COW: Containers on Windows and Other Container-Escape Research
Ericka Chickowski, Contributing Writer, Dark Reading
Why Layer 8 Is Great
Joshua Goldfarb, Fraud Solutions Architect - EMEA and APCJ, F5
Webinars
More Webinars
White Papers
More White Papers
Events
More Events
More Insights
White Papers
More White Papers
Webinars
More Webinars
Reports
More Reports