Virus Blog

Tutorial: HowTo Setup Amun Honeypot

— Posted by zeroq @ 21:08 - 13 Mar, 2009

There is a great tutorial about how to set up an Amun honeypot on Debian Lenny at botnetz.com.
It is written in German, but it should be easy to guess what to do even if you don't understand German.

The main parts are covered, so for those who want to get started it is very helpful. Thanks, Duke, for the great tutorial!

Update: An English version has recently become available: here



Collecting RFI Data

— Posted by zeroq @ 11:06 - 10 Mar, 2009

While thinking about current remote file inclusion (RFI) honeypot solutions, we came to the conclusion that, instead of providing a honeypot for system administrators to download, install and configure, we could simply have them redirect RFI requests to our already running honeypots.

If you are interested in sharing the remote file inclusion requests hitting your web server with us, you can use the following .htaccess file:

Options +FollowSymlinks
RewriteEngine on
RewriteCond %{QUERY_STRING} (.+=http:\/\/.+)
RewriteRule ^(.+)$ http://link.informatik.uni-mannheim.de/$1?%1 [R,NC]

The RewriteCond inspects the query string of each request for a parameter whose value is a URL, i.e. for a literal "=http://" followed by anything. If it matches, the RewriteRule redirects the client to our web server, passing along the requested path ($1, from the rule) and the matched query string (%1, from the condition). Two caveats: mod_rewrite in .htaccess needs Options +FollowSymlinks, which is why the first line is there, and the condition only sees the raw query string and only looks for http://, so requests that include https:// or ftp:// URLs, or a percent-encoded scheme such as http%3A%2F%2F, are not redirected. If you have any questions, comments or suggestions, do not hesitate to contact us.
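As an added example (not code from this post or from the Amun project), the script below applies the same check the RewriteCond above performs to Apache access-log lines, and next to it a broader check that also catches https://, ftp:// and percent-encoded schemes. It goes beyond the .htaccess rule on purpose, to show which RFI attempts that rule would and would not redirect. The log lines, client addresses and payload URLs are constructed sample data.

```python
from __future__ import annotations

import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Exact condition from the .htaccess above: a literal "http://" somewhere
# after an "=" in the raw (still percent-encoded) query string.
APACHE_COND = re.compile(r"(.+=http://.+)")

# Broader check: any parameter whose decoded value is an absolute URL with one
# of these schemes. RFI payloads often use https:// or ftp://, or encode the
# scheme as http%3A%2F%2F; none of those match the Apache pattern.
RFI_SCHEMES = ("http://", "https://", "ftp://")

# Apache combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines, not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2009:11:06:01 +0100] "GET /index.php?page=http://198.51.100.7/shell.txt? HTTP/1.1" 200 512
203.0.113.9 - - [10/Mar/2009:11:06:04 +0100] "GET /index.php?page=https://198.51.100.7/shell.txt HTTP/1.1" 200 512
203.0.113.12 - - [10/Mar/2009:11:06:09 +0100] "GET /index.php?page=http%3A%2F%2F198.51.100.7%2Fshell.txt HTTP/1.1" 200 512
198.51.100.20 - - [10/Mar/2009:11:06:15 +0100] "GET /index.php?page=about&id=3 HTTP/1.1" 200 1024
"""


def apache_cond_matches(raw_query: str) -> bool:
    """Mirror the RewriteCond: would the .htaccess rule redirect this request?"""
    return APACHE_COND.search(raw_query) is not None


def rfi_params(raw_query: str) -> list[tuple[str, str]]:
    """Return (parameter, url) pairs whose decoded value is an absolute URL."""
    found = []
    for name, value in parse_qsl(raw_query, keep_blank_values=True):
        # parse_qsl decodes percent-escapes once; decode again so a
        # double-encoded scheme (http%253A%252F%252F) is caught as well.
        decoded = unquote(value)
        if decoded.lower().startswith(RFI_SCHEMES):
            found.append((name, decoded))
    return found


def scan_log(text: str) -> list[dict]:
    """Flag RFI attempts in access-log lines and record whether the
    .htaccess rule from the post would have redirected each one."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("method") != "GET":
            continue
        target = urlsplit(m.group("target"))
        params = rfi_params(target.query)
        if not params:
            continue
        hits.append({
            "client": m.group("ip"),
            "path": target.path,
            "params": params,
            "caught_by_htaccess": apache_cond_matches(target.query),
        })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Run against the sample, the first line is the only one the .htaccess condition catches; the https:// and percent-encoded attempts are flagged by the broader check but would have reached the original application untouched.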



Honeypot Experiment

— Posted by zeroq @ 13:16 - 07 Mar, 2009

I am thinking about a honeypot experiment to detect whether attacks are really global or more local. For this reason I wrote a log-experiment module for the Amun honeypot, for those willing to participate. The module writes a log file similar to the exploit.log but without the IP address of the attacked host; thus the information stored is the attacker IP, the destination port, the vulnerability exploited and the download URL found in the shellcode.

For those who want to participate, I would like you to install Amun and the log module, collect data for a couple of weeks and then send me the logs created by the log-experiment module. Other honeypot solutions are welcome as well, as long as they provide similar data.

To participate, just write me an email at zero-q @ iname.com. It would be great if you could tell me at least the country where the honeypot is located, so I can determine how "global" the evaluation will be in the end. Thanks.
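As an added example (not the author's module or any Amun code), here is how the question behind the experiment, whether the same attackers show up everywhere or stay local, could be answered once several participants' logs are in. The post does not specify the module's file format, so a tab-separated layout with the four fields it names (attacker IP, destination port, vulnerability, download URL) is assumed, with one file per reporting country. All records are constructed sample data.

```python
from collections import defaultdict
from itertools import combinations

# Assumed layout (the post does not specify one): one tab-separated line per
# exploit with the four fields the log-experiment module keeps:
#   attacker_ip <TAB> dst_port <TAB> vulnerability <TAB> download_url
# Files are keyed by the country the participant reported.
# Constructed sample data, not real captures.
SENSOR_LOGS = {
    "DE": """\
203.0.113.5\t445\tMS08-067\thttp://198.51.100.7/x.exe
203.0.113.9\t139\tMS04-011\thttp://198.51.100.7/x.exe
198.51.100.40\t445\tMS08-067\tftp://198.51.100.40/bot.exe
""",
    "US": """\
203.0.113.5\t445\tMS08-067\thttp://198.51.100.7/x.exe
192.0.2.77\t135\tMS03-026\thttp://192.0.2.77/a.exe
""",
    "JP": """\
203.0.113.9\t139\tMS04-011\thttp://198.51.100.7/x.exe
192.0.2.78\t445\tMS08-067\thttp://192.0.2.78/a.exe
203.0.113.5\t445\tMS08-067\thttp://198.51.100.7/x.exe
""",
}


def parse_records(text):
    """Yield (attacker_ip, dst_port, vulnerability, url); skip malformed lines."""
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 4 or not parts[1].isdigit():
            continue
        ip, port, vuln, url = parts
        yield ip, int(port), vuln, url


def attackers_by_sensor(logs):
    """Map sensor (country) -> set of attacker IPs seen there."""
    return {sensor: {rec[0] for rec in parse_records(text)}
            for sensor, text in logs.items()}


def jaccard(a, b):
    """Overlap of two sets: |a & b| / |a | b|, 0.0 when both are empty."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def overlap_report(logs):
    """For each attacker IP and download URL, count how many distinct sensors
    saw it, and compute the pairwise Jaccard overlap of attacker sets."""
    per_sensor = attackers_by_sensor(logs)
    ip_sensors = defaultdict(set)
    url_sensors = defaultdict(set)
    for sensor, text in logs.items():
        for ip, _port, _vuln, url in parse_records(text):
            ip_sensors[ip].add(sensor)
            url_sensors[url].add(sensor)
    n = len(logs)
    return {
        # seen by every sensor / by more than one / by exactly one
        "global_ips": sorted(ip for ip, s in ip_sensors.items() if len(s) == n),
        "shared_ips": sorted(ip for ip, s in ip_sensors.items() if len(s) > 1),
        "local_ips": sorted(ip for ip, s in ip_sensors.items() if len(s) == 1),
        "shared_urls": sorted(u for u, s in url_sensors.items() if len(s) > 1),
        "pairwise_jaccard": {
            f"{a}/{b}": round(jaccard(per_sensor[a], per_sensor[b]), 3)
            for a, b in combinations(sorted(per_sensor), 2)
        },
    }


if __name__ == "__main__":
    for key, value in overlap_report(SENSOR_LOGS).items():
        print(key, value)
```

With more sensors, a high share of "global_ips" and shared download URLs points to worldwide scanning by the same bots, while a long "local_ips" list with low pairwise overlap points to regionally confined activity.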


