Scan of the Month

Scan 31

This month's challenge is to analyze web server log files looking for signs of abuse. The Honeypots: Monitoring and Forensics Project deployed an Apache web server that was configured as an Open Proxy. Your job is to analyze the log files and identify/classify the different attacks (trust me, there are a surprising number of them :). All entries are due Friday, 30 April. Results will be released Friday, 7 May. Find the rules and suggestions for submissions at the SotM Home Page.

Skill Level: Intermediate

The Challenge:
Open proxy servers are a big problem on the Internet. Not only can an improperly secured proxy server expose your internal network to attack (yes, you heard me right: attackers can leverage unsecured proxy servers to identify and connect to internal systems, as described in Lamo's Adventures in WorldCom), but these systems are also used to obscure the true origin of web-based attacks. In order to gather data on these types of attack channels, the Honeypots: Monitoring and Forensics Project deployed a specially configured Apache web server, designed specifically for use as a honeypot open proxy server, or ProxyPot. Please review the Honeynet whitepaper entitled Open Proxy Honeypot for in-depth details of the configuration. This paper provides important background information to aid in your analysis of the SotM data. As a reference, we provide the following key to the data:

a. Honeynet Web Server Proxy IP sanitized to: 192.168.1.103
b. Honeynet Web Server Proxy Hostname sanitized to: www.testproxy.net

Download the Image (25 MB)
MD5 checksum: c36d39dfd5665a58d7cea06438ceb96d apache_logs.tar..gz

Questions

  1. How do you think the attackers found the honeyproxy?
  2. What different types of attacks can you identify? For each category, provide just one log example and detail as much info about the attack as possible (such as CERT/CVE/Anti-Virus id numbers). How many can you find?
  3. Do attackers target Secure Sockets Layer (SSL) enabled web servers as their targets? Did they target SSL on our honeyproxy? Why would they want to use SSL? Why didn't they use SSL exclusively?
  4. Are there any indications of attackers chaining through other proxy servers? Describe how you identified this activity. List the other proxy servers identified. Can you confirm that these are indeed proxy servers?
  5. Identify the different Brute Force Authentication attack methods. Can you obtain the clear text username/password credentials? Describe your methods.
  6. What does the ModSecurity error message "Invalid Character Detected" mean? What were the attackers trying to accomplish?
  7. Several attackers tried to send SPAM by accessing the following URL - http://mail.sina.com.cn/cgi-bin/sendmsg.cgi. They tried to send email with an html attachment (files listed in the /upload directory). What does the SPAM webpage say? Who are the SPAM recipients?
  8. Provide some high level statistics on attackers such as:
    - Top Ten Attackers
    - Top Ten Targets
    - Top User-Agents (Any weird/fake agent strings?)
    - Attacker correlation from DShield and other sources?
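As an added example (not part of the challenge materials or the project's own tooling), the following Python script parses proxy log lines in Apache's combined format and produces the counts Question 8 asks for, plus the CONNECT count relevant to Question 3 and hits on the sendmsg.cgi URL from Question 7. The sample lines are constructed, not taken from the challenge image, and the combined log format is an assumption, since the ProxyPot used its own configuration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines in Apache "combined" format, as an open proxy
# would record absolute-URL requests (not taken from the challenge image).
SAMPLE_LOG = """\
10.0.0.5 - - [15/Mar/2004:10:01:02 -0500] "GET http://mail.sina.com.cn/cgi-bin/sendmsg.cgi HTTP/1.0" 200 512 "-" "Mozilla/4.0"
10.0.0.5 - - [15/Mar/2004:10:01:03 -0500] "POST http://mail.sina.com.cn/cgi-bin/sendmsg.cgi HTTP/1.0" 200 512 "-" "Mozilla/4.0"
10.0.0.5 - - [15/Mar/2004:10:01:04 -0500] "POST http://mail.sina.com.cn/cgi-bin/sendmsg.cgi HTTP/1.0" 200 512 "-" "Mozilla/4.0"
10.0.0.9 - - [15/Mar/2004:10:02:10 -0500] "GET http://www.example.com/members/ HTTP/1.1" 401 0 "-" "-"
10.0.0.9 - - [15/Mar/2004:10:02:11 -0500] "GET http://www.example.com/members/ HTTP/1.1" 401 0 "-" "-"
10.0.0.7 - - [15/Mar/2004:10:03:00 -0500] "CONNECT www.example.org:443 HTTP/1.0" 200 0 "-" "ProxyChecker/1.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def target_host(method, url):
    """Host the proxy was asked to reach: host from host:port for CONNECT, URL host otherwise."""
    if method == "CONNECT":
        return url.split(":")[0]
    return urlsplit(url).hostname or url

def summarize(log_text, top=10):
    """Top-N attackers, targets and user-agents, plus SSL tunnel and spam-URL counts."""
    entries = [e for e in (parse_line(ln) for ln in log_text.splitlines()) if e]
    return {
        "attackers": Counter(e["ip"] for e in entries).most_common(top),
        "targets": Counter(target_host(e["method"], e["url"]) for e in entries).most_common(top),
        "agents": Counter(e["agent"] for e in entries).most_common(top),
        "ssl_connects": sum(1 for e in entries if e["method"] == "CONNECT"),
        "spam_attempts": sum(1 for e in entries if e["url"].startswith("http://mail.sina.com.cn/cgi-bin/sendmsg.cgi")),
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, value)
```

Running it against the real apache_logs archive means feeding each file's text to summarize(); lines in a different log format will be skipped by parse_line rather than miscounted.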

Bonus Question:

  • Why do you think the attackers were targeting pornography websites for brute force attacks? (Besides the obvious physical gratification scenarios :)
  • Even though the proxypot's IP/Hostname was obfuscated from the logs, can you still determine the probable network block owner?

The Results:
This month's challenge image and questions were led by Ryan Barnett. You can find Ryan's writeup here.

Writeup from the Security Community

Top 2

Next 4
