During the month of June the following information was obtained from Glastopf installations worldwide

Geographical spread

10 most popular injected files during the period

Short introduction to RFI:

“Remote File Inclusion (RFI) is a type of vulnerability most often found on websites. It allows an attacker to include a remote file, usually through a script on the web server. The vulnerability occurs due to the use of user-supplied input without proper validation. This can lead to something as minimal as outputting the contents of the file or more serious events such as: Code execution on the web server .. “ source: Wikipedia

During the month of April the following information was obtained from Glastopf installations worldwide

Number of alert for the period: 1325919

Filenames (RFI) - 10 most common during the period:

Hashes - 10 most common during the period:

Specifically newsworthy event: Ping back”

pingback.ping, which is a legit WordPress feature is misused to DoS victims using legit WordPress sites.

During the month of May the following information was obtained from Glastopf installations worldwide

Number of alert for the period: 1859863

Filenames (RFI) - 10 most popular during the period:

Hashes - 10 most popular during the period:

Ping back

pingback.ping, which is a legit WordPress feature misused to DoS victims using legit WordPress sites.

We where glad to announce yet another tool during our annual workshop in San Francisco. Glaspot is the third version of the web application honeypot Glastopf and it come with some very powerful new features:

• A build-in PHP sandbox for code injection emulation, allowing us to bring vulnerability emulation to a new level
• Hooked up to the HPFeeds generic data feed system for centralized data collection and tight integration into our sandbox and web server botnet monitoring system
• Modular implementation: Turn your web application into a honeypot with a few easy steps
• Runs in his own lightweight Python server or as a WSGI module in common web server environments
• Automated attack surface generation and expansion

In the next three months we are working on even more exciting new features and a much stronger integration into our web thread analysis platform.
Additionally Phani Vadrevu got accepted as a Google Summer of Code student to help us with additional improvements like request classification based on attacker profiling, hardening the internal sandbox and extending the attack surface. Details can be found in his project description: Glastopf Improvements.

Before we are getting worse than Duke Nukem Forever, we decided to finally release the next generation of the web application honeypot Glastopf, aka GlastopfNG!

Today we find web applications in every environment independent of company size and even in home networks. Over web attack vectors like SQL Injections and Remote File Inclusions, criminals can overtake web servers which than become part of a botnet or even a command and control server. Web servers are specially interesting for such tasks as they normally have bigger bandwidth than client computers and mostly an uptime of nearly 24 hours, seven days a week. This makes a hacked web server a dangerous weapon in the hands of a criminal.

Today I make a retrospection on my work on the Glastopf Web Honeypot during the Google Summer of Code Program. My goal was to push forward the development on a Honeypot for an attack vector in web security which is really underestimated in current discussions. The main objectives could be merged into one intention: Increasing our attractiveness and answering every request as close as possible to a real world system. This got achieved with the new PHP file parser and the dynamic Google dork list which we provide for the Google crawler.
Since the past three months, we also collected a lot of attacks. Actually we have around 1.27 million unique attacker IP and requested vulnerability combinations in our database. In total we have something above 14 million hits on our three deployed sensors. We also collected the vulnerabilities which got triggered by the attacker. Currently we have more than 30 thousand different vulnerabilities in the database! So there is a lot of noise out there to catch :)
For the coming months after the Google Summer of Code program I’m looking forward to finish the integration of Glastopf in the SURFids environment (a plugin is already done), and further steps into the improvement of the PHP file parser. There are also plans on analyzing the collected PHP bots and botnets.
So the program was real fun and I’ve learned a lot during this summer. I’m looking forward to increase the already existing knowledge from the Honeynet Project on web app security and the methods used by the attackers!

The number of attacks against the Webhoneypot depends strongly on his PHP parser. So keeping the pattern matching mechanism up to date was one of the major future works. One of my goals for the Google Summer of Code time is to improve the parser and to reduce upcoming changes in attack patterns. The old parser was very simple: collect all lines containing echo calls, look for known patterns and generate the appropriate response.

Last saturday I’ve finally released a new Glastopf version. There are some new features and many changes under the hood.

New implemented features:

LFI (Locale File Inclusion) handler: He is back! I have lost him somehow during coding and now he has his own handler. I am looking forward to get some data for attack method comparison. Furthermore he is one possible first layer for RCE (Remote Code Execution) attacks. So I am also curious if I’m catching some of those attacks.

Hello, this initial blog post is used to introduce me and to provide a brief overview of my GSoC Project.

My name is Lukas Rist (my personal blog) and I am currently studying Math and Physics at the University of Kaiserslauter in Germany. This is my first time in GSoC and I will be working with Thorsten Holz on Glastopf, a Web Application Honeypot.

Glastopf is a minimalistic web server emulator written in Python. The honeypot tool collects information about web application-based attacks like for example remote file inclusion, SQL injection, and local file inclusion attacks.