Interested in
running GHH? Great! This is a simple guide to getting you on the ground
and running. Please reference the official User Manual located on the
sourceforge project site for the most up to date version of this
procedure.
How do I install GHH?
Prerequisites to installation: A web
server running Apache and PHP.
Downloading GHH: The latest version of
GHH will be available at the official project website located at
http://ghh.sourceforge.net. There will be many honeypots available to
implement.
Choosing a Honeypot to implement: The download site offers multiple types of honeypots that emulate different types of GHDB signatures. You can pick one from the official GHH site, or follow the directions in the "Custom Honeypot" section of this document to create your own. By picking or creating a honeypot for a web application that was recently discovered to be vulnerable, or that is otherwise less well known, there is less chance of your honeypot being avoided by search engine hackers.
Installing GHH: Follow these steps to install GHH onto your server:
1. Unzip GHH into a folder that is not in the document root of your web server.
2. Create a file for your GHH log, anywhere but your document root.
   Example: /apache/ghhlog.csv
   Not: /apache/htdocs/ghhlog.csv
   (If access to folders outside the document root is not available, use a password-protected folder covered by an .htaccess file.)
3. Continue to the configuration section.
Global Configuration for GHH: Inside the uncompressed installation package, locate config.php. This file includes one variable that must be changed for GHH to work, and one that may need to be:
Change the $Filename variable to contain the path to the log file you created in installation step 2 (2.4.2). Change the $RegisterGlobals variable to 'false' if you require register_globals to be on in the server's php.ini (or if you are getting a blank page when viewing the honeypot file).
Per-Honeypot Configuration: There is a README.txt file in the folder you unzipped into your web server. Because different honeypots may have different configuration instructions, this file is specific to each separate honeypot. README.txt contains instructions to set up the particular honeypot, and may be intricate depending on the complexity of the honeypot being implemented (e.g. a phpBB honeypot). Open the README.txt file in the package you downloaded and follow its configuration instructions.
Getting GHH indexed: In order for the honeypot to work it must be visible to search engines. There are different ways to accomplish this task. The GHH team recommends setting up a secret hyperlink in the HTML of a page of your site. Add a link to a page that is currently indexed by Google, or other search engines, like so:
<a href="http://yourdomain.com/honeypot.php">.</a>
Where the "." is the same color as the background of the page. This invisible link directs search engines to crawl the page, but regular viewers of your site will not notice or visit the link.
There are other options that will get the honeypot indexed, including image tag inclusion:
<img src="http://yourdomain.com/honeypot.php" width="0" height="0">
Now that the honeypot has been linked to, it is time to set the $SafeReferer variable. Set this variable equal to the page that the honeypot is linked from.
$SafeReferer is used to detect when someone clicks the hidden hyperlink. This variable is tied to the "Crawler Detected" alert used in the logs. It signifies one of three things:
1. A search engine indexed the link.
2. An innocent browser found the link and clicked it.
3. The link was crawled with a tool like wget or an offline browser.
These hits are more than likely false positives. GHH will look at the "HTTP_REFERER" header and determine if a browser came from the $SafeReferer.
Search engines will not index your site immediately.
Their spiders take time.
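The two checks this guide describes, keeping the log outside the document root (installation step 2) and comparing the Referer header against $SafeReferer to raise "Crawler Detected", as an added PHP example that is not part of the GHH package. $Filename, $SafeReferer and the "Crawler Detected" label are the guide's; the function names, the "Search Engine Hit", "Direct Hit" and "Other Referer" labels, the search-engine host heuristic, the CSV column layout and the sample requests are assumptions of this example.

```php
<?php
// Added example (not GHH's own code): a self-contained model of two checks
// from the installation guide. (1) The log file must resolve to a location
// outside the document root. (2) A hit whose Referer equals $SafeReferer is
// labelled "Crawler Detected" (a likely false positive) instead of being
// treated as a search engine hacker. Function names, the extra labels and
// the search-engine heuristic are assumptions, not GHH behaviour.

// True when the directory holding $logPath is outside $docRoot. Both paths
// are normalised with realpath(), so the log directory must already exist.
function log_is_outside_docroot(string $logPath, string $docRoot): bool
{
    $realRoot = realpath($docRoot);
    $logDir   = realpath(dirname($logPath));
    if ($realRoot === false || $logDir === false) {
        return false; // unresolvable paths are treated as unsafe
    }
    $realRoot = rtrim($realRoot, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    $logDir   = rtrim($logDir, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strpos($logDir, $realRoot) !== 0;
}

// Classifies one request; $server is shaped like PHP's $_SERVER.
//   "Crawler Detected"  - Referer equals $SafeReferer (indexing, a curious
//                         visitor, or a tool such as wget following the link)
//   "Search Engine Hit" - Referer is a search results page (assumed
//                         heuristic: a known engine host plus a query string),
//                         which is the traffic the honeypot exists to catch
//   "Direct Hit"        - no Referer header at all
//   "Other Referer"     - anything else
function classify_hit(array $server, string $safeReferer): string
{
    $referer = $server['HTTP_REFERER'] ?? '';
    if ($referer === '') {
        return 'Direct Hit';
    }
    if (rtrim($referer, '/') === rtrim($safeReferer, '/')) {
        return 'Crawler Detected';
    }
    $parts    = parse_url($referer);
    $host     = strtolower($parts['host'] ?? '');
    $hasQuery = isset($parts['query']) && $parts['query'] !== '';
    if ($hasQuery && preg_match('/(^|\.)(google|bing|yahoo)\./', $host)) {
        return 'Search Engine Hit';
    }
    return 'Other Referer';
}

// Appends one CSV row per hit. fputcsv() quotes fields containing commas,
// quotes or newlines, so a crafted User-Agent or Referer cannot inject extra
// rows into the log.
function log_hit(string $filename, array $server, string $label): void
{
    $fh = fopen($filename, 'a');
    if ($fh === false) {
        throw new RuntimeException("cannot open log file $filename");
    }
    fputcsv($fh, [
        date('c'),
        $label,
        $server['REMOTE_ADDR'] ?? '',
        $server['REQUEST_URI'] ?? '',
        $server['HTTP_REFERER'] ?? '',
        $server['HTTP_USER_AGENT'] ?? '',
    ]);
    fclose($fh);
}

// --- demonstration with constructed values ---
$SafeReferer = 'http://yourdomain.com/index.html';  // page carrying the hidden link
$Filename    = sys_get_temp_dir() . '/ghhlog.csv';  // stand-in for /apache/ghhlog.csv
$docRoot     = sys_get_temp_dir() . '/htdocs';      // constructed document root
@mkdir($docRoot);

printf("log outside docroot: %s\n", log_is_outside_docroot($Filename, $docRoot) ? 'yes' : 'NO');
printf("log inside docroot:  %s\n", log_is_outside_docroot("$docRoot/ghhlog.csv", $docRoot) ? 'yes' : 'NO');

$samples = [  // constructed requests, RFC 5737 test addresses
    ['REMOTE_ADDR' => '192.0.2.10', 'REQUEST_URI' => '/honeypot.php',
     'HTTP_REFERER' => 'http://yourdomain.com/index.html',
     'HTTP_USER_AGENT' => 'Googlebot/2.1'],
    ['REMOTE_ADDR' => '192.0.2.20', 'REQUEST_URI' => '/honeypot.php',
     'HTTP_REFERER' => 'http://www.google.com/search?q=inurl%3Ahoneypot.php',
     'HTTP_USER_AGENT' => 'Mozilla/5.0'],
    ['REMOTE_ADDR' => '192.0.2.30', 'REQUEST_URI' => '/honeypot.php',
     'HTTP_USER_AGENT' => 'Wget/1.12'],
];
foreach ($samples as $s) {
    $label = classify_hit($s, $SafeReferer);
    log_hit($Filename, $s, $label);
    printf("%-12s -> %s\n", $s['REMOTE_ADDR'], $label);
}
```

Run it from the command line with php; the first sample is labelled "Crawler Detected", the second "Search Engine Hit" and the third "Direct Hit". Because the Referer header is entirely client-controlled, the "Crawler Detected" label only tells you the hit is probably harmless, not that it certainly is; keep the rows and review them alongside the user agent and the address.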
Extra Help If you have written any
extra documentation or discovered new honeypot/Google hacking tactics,
forward them to soda_popinsky@users.sourceforge.net and we will link them
here.
Related links: Online Installation Flowchart; Custom Honeypot Tutorial (AntiOnline); Advanced Transparent Linking.