Greg Foss [dot] com

Application & Network Security Specialist

Simple phpMyAdmin Honeypot


Before I start: if you are in fact running phpMyAdmin on your site and it is publicly accessible, this is bad...

Download on GitHub: PHP_Honeypot_v1.tar.gz
Try it out: http://gregfoss.com/phpmyadmin/
View the Readme for more information: README

After looking around the internet for a basic honeypot that would track visitor IPs and fire off e-mails when people attempted to attack my website, I didn't see any that really fit my needs, so I decided to create one. I had no real need to study successful attacks in detail; I just wanted something that was quick to make and easy to maintain. In all honesty, my goal was mainly to mess with people who poke around my site. That being said, I settled on a low-interaction honeypot rather than a high-interaction one, which is basically a deliberately vulnerable application with built-in surveillance. I know many people will not consider this a "true honeypot", since it really isn't, but it does track visitors and the attempts they make on my "administrative interface". So, for the sake of this post, I'm just going to call it a honeypot. :-P

To start, I added the directory /phpmyadmin/ to the Disallow list in my robots.txt file so that it would not be picked up by web crawlers. Then I downloaded a current version of phpMyAdmin and removed everything except the pieces I planned to use. I also left out any actual database, because I did not want to create a real hole into my site or have to actively manage anything. What I was left with was the default PHP login page with all references to my actual site and database removed; I replaced the help page with a locally cloned copy of the original, and the reset-password feature was replaced with a JavaScript alert box. Then I added a PHP script to log the IP addresses that hit the page, along with the date and time of each visit.

<?php
     // Log visitor IP addresses: one line per hit, appended to a text file
     $page = $_SERVER['SCRIPT_FILENAME'];   // which honeypot page was requested
     $ipaddress = $_SERVER['REMOTE_ADDR'];  // client address as seen by the web server
     $date = date("M dS H:i:s");            // e.g. "Mar 03rd 14:07:22"
     $message = "$page _ $ipaddress _ $date\n";
     $File = "somepath/somefile.txt";       // path of the log file (see permissions note below)
     $Open = fopen($File, "a+");
     if ($Open) {
          fwrite($Open, $message);
          fclose($Open);
     }
?>

After making the necessary changes to the main page, I created a file to store the logs and modified its permissions to allow write access for the PHP script while disallowing unauthorized access. Surprisingly, within the first week of having this in place, I received many more hits than I expected. It is also important to note that all of the hits below are from unique IP addresses within a 5-day span.

Now, to get the site to fire off e-mails when people attempt to log in, I downloaded and modified an installation of Tectite FormMail, available here: http://www.tectite.com/, and renamed the formmail.php file to login.php. From there it is as simple as following the instructions and modifying the login.php script as necessary. Below is the custom message that I show users when they attempt to log in:

Once a user attempts to log in, I receive an e-mail alert with the attempted username, password, IP, user agent, etc. Below is one login attempt:
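The log-plus-alert step described above, written as an added example rather than the post's FormMail setup: a stand-alone login.php that writes one JSON line per attempt and mails the alert. The log path, the alert mailbox and the pma_username/pma_password form field names are assumptions.

```php
<?php
// Added example, not code from the original post: a stand-alone login.php
// that records the attempt and e-mails the alert without FormMail.
// The log path, mailbox and 'pma_username'/'pma_password' names are assumed.
const LOG_FILE = '/var/log/pma-honeypot/attempts.log'; // assumed; outside the web root
const ALERT_TO = 'alerts@example.com';                  // assumed mailbox
// Replace control characters (CR/LF included) so a single request cannot
// forge extra log lines or smuggle extra headers into the alert mail.
function clean(?string $value, int $max = 200): string
{
    $value = preg_replace('/[\x00-\x1f\x7f]+/', ' ', (string) $value);
    return substr(trim($value), 0, $max);
}

// The same fields the post's FormMail alert carried: credentials, IP, user agent.
function build_record(array $server, array $post): array
{
    return [
        'time'  => gmdate('Y-m-d\TH:i:s\Z'),
        'ip'    => clean($server['REMOTE_ADDR'] ?? '-', 45),
        'user'  => clean($post['pma_username'] ?? ''),
        'pass'  => clean($post['pma_password'] ?? ''),
        'agent' => clean($server['HTTP_USER_AGENT'] ?? '-'),
    ];
}

// One JSON object per line; LOCK_EX keeps concurrent scanners from interleaving.
function append_log(array $record): bool
{
    $line = json_encode($record, JSON_UNESCAPED_SLASHES) . "\n";
    return file_put_contents(LOG_FILE, $line, FILE_APPEND | LOCK_EX) !== false;
}

function send_alert(array $record): bool
{
    $body = "Login attempt on the phpMyAdmin honeypot\n\n";
    foreach ($record as $key => $value) {
        $body .= sprintf("%-6s %s\n", $key . ':', $value);
    }
    return mail(ALERT_TO, 'phpMyAdmin honeypot: attempt from ' . $record['ip'], $body);
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $record = build_record($_SERVER, $_POST);
    append_log($record);
    send_alert($record);
    // Behave like a real failed login: back to the form with a generic error.
    header('Location: index.php?error=1', true, 303);
    exit;
}
```

Point the honeypot login form's action at this file; because every field passes through clean() before it reaches the log or the mail subject, a crafted username cannot inject a fake log line or an extra mail header.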

Pretty simple but surprisingly effective. Thanks for reading :-)
If you have suggestions or comments please feel free to shoot me a message.