Why The "Google Hack" Honeypot - GHH?

GHH is a reaction to a new type of malicious web traffic: search engine hackers. GHH is a “Google Hack” honeypot. It is designed to provide reconnaissance against attackers that use search engines as a hacking tool against your resources. GHH implements honeypot theory to provide additional security to your web presence.
What is a honeypot?

A honeypot is, to quote Lance Spitzner, founder of the Honeynet Project:

“An information system resource whose value lies in unauthorized or illicit use of that resource.”

Simply put, a honeypot is something that appears to be vulnerable, but in reality is recording illicit use by malicious attackers.

GHH allows administrators to track malicious hosts: observe who is perpetrating the attack and how it is being executed via the log. The data generated by this, or any other honeypot, can be used to deny future access to attackers, notify service providers of attacks originating from their networks or act as an input for statistical analysis.
What are search engine hackers and why should I care?

Google has developed a powerful tool. The search engine that Google has implemented allows for searching on an immense amount of information. The Google index has swelled past 8 billion pages [February 2005] and continues to grow daily. Mirroring the growth of the Google index, the spread of web-based applications such as message boards and remote administrative tools has resulted in an increase in the number of misconfigured and vulnerable web apps available on the Internet.

These insecure tools, when combined with the power of the search engine and index which Google provides, result in a convenient attack vector for malicious users. It is in your best interest to be knowledgeable of, and protect yourself from, this threat.
What kind of damage can be done?

A simple query on the Google search engine can reveal improperly secured sensitive data:

Search: “# -FrontPage-” inurl:service.pwd

This simple search string will return plain text passwords for administrative access via Microsoft's FrontPage. A misconfiguration in the FrontPage software and web server results in this sensitive information being available to anyone who either constructs the search string, or visits an online database of malicious search strings. There are hundreds of similar search engine hacks. A lack of foresight into security issues in web applications is to blame.
Why should I implement Google Hack Honeypot on my site?

GHH allows you to safely monitor attempts by malicious attackers to compromise your security. The logging functions that GHH implements allow you, the administrator, to do what you like with the information. You can use the attack database to gather statistics on would-be attackers, report activities to appropriate authorities and temporarily or permanently deny access to resources.

How does Google Hack Honeypot work?

Reference http://ghh.sourceforge.net/introduction.php for details on the intersection of the theoretical/practical concerns which drive GHH.
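
The statistics and deny-list uses described above can be sketched as follows. This is an added example, not GHH's own code: it assumes the decoy is served by a web server writing Apache combined-format access logs, and the decoy path, addresses and log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

DECOY_PATH = "/decoy/service.pwd"  # hypothetical honeypot URL, not a GHH default

# Constructed sample lines, Apache "combined" format (assumed; not GHH's own log).
SAMPLE_LOG = """\
192.0.2.10 - - [12/Feb/2005:10:01:02 +0000] "GET /decoy/service.pwd HTTP/1.1" 200 120 "http://www.google.com/search?q=%22%23+-FrontPage-%22+inurl%3Aservice.pwd" "Mozilla/4.0"
192.0.2.10 - - [12/Feb/2005:10:01:40 +0000] "GET /decoy/service.pwd HTTP/1.1" 200 120 "-" "Mozilla/4.0"
198.51.100.7 - - [12/Feb/2005:11:15:09 +0000] "GET /decoy/service.pwd HTTP/1.1" 200 120 "-" "curl/7.12"
203.0.113.5 - - [12/Feb/2005:11:20:00 +0000] "GET /index.html HTTP/1.1" 200 900 "http://www.google.com/search?q=honeypot" "Mozilla/4.0"
"""

# client address, request path, referer
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3} \S+ "([^"]*)" "[^"]*"$')

def search_query(referer):
    """Return the search terms if the referer is a Google results page, else None."""
    parts = urlsplit(referer)
    host = (parts.hostname or "").lower()
    if not (host == "google.com" or host.startswith("www.google.")):
        return None
    terms = parse_qs(parts.query).get("q")
    return terms[0] if terms else None

def summarize(log_text, decoy_path=DECOY_PATH):
    """Map each source address that touched the decoy to its hit count and search queries."""
    hosts = defaultdict(lambda: {"hits": 0, "queries": set()})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or m.group(2).split("?")[0] != decoy_path:
            continue  # unparseable line, or a request for a real page
        ip, _, referer = m.groups()
        hosts[ip]["hits"] += 1
        query = search_query(referer)
        if query:
            hosts[ip]["queries"].add(query)
    return dict(hosts)

def search_driven(summary):
    """Addresses that arrived from a search result: candidates for deny rules or abuse reports."""
    return sorted(ip for ip, rec in summary.items() if rec["queries"])

if __name__ == "__main__":
    for ip, rec in summarize(SAMPLE_LOG).items():
        print(ip, rec["hits"], sorted(rec["queries"]))
```

The referer header is supplied by the client and may be absent or forged, so the recovered query is a lead for analysis and the decoy hit itself is the stronger signal.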