Threat Level: green Handler on Duty: Jan Kopriva

SANS ISC: Web server survival time research - SANS Internet Storm Center SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Web server survival time research

Lately, I have been writing new labs for an update version of my DEV 422 Defending web app course. One of the labs is about log analysis, so naturally, I would want to get some really cool and neat logs for my students. As some of you may know, I help run the Web honeypot project so I have access to tons of logs but it would be much more interesting to see logs from real systems and real compromise.

I decided to setup my high interaction honeypot using a real system and lots of monitoring and limiting outbound control. My platform of choice? Windows 2000 fully unpatched box running IIS and having only port 80 exposed. I put that on a typical DSL connection and waited...

The wait was very long. At some point, I wondered if the box is even accessible so I got a few other handlers to check out accessibility for me and they have all proven that the W2K box works (fully unpatched too, unicode traversal is great for testing).

I waited and waited; 2 weeks passed by, nothing happened. My box was not compromised at all. There were a total of 8 scanning attempts but they look random and no one ever did anything harmful.

I suppose my actions raised more questions than answers,

- Does attackers stay away from the DSL ranges while scanning for web flaws? My other servers get much more scanning attempts.

- Are any bad guys scanning thru the whole Internet looking for infrastructure type of flaws anymore? Application flaws are so much more common.

Your thoughts are welcomed..... Write in to us via Email or leave us comments.

P.S. If you have cool web app compromise logs for donation, please write in via the contact form. Many thanks.

Jason Lam,

I will be teaching next: Application Security: Securing Web Apps, APIs, and Microservices - SANS Cloud & DevOps 2022


93 Posts
ISC Handler
Jun 17th 2009
Perhaps a box just standing there with no traffic flowing to it is not desireable? I had done something similar a few years back. Had a Win2k box on the net for a year. No luck with attracting any nasties.

32 Posts
My own logs show a lot more application attack than OS attacks these days. Try putting PHPBB 2.0.0 on your system and start counting.
16 Posts

Sign Up for Free or Log In to start participating in the conversation!