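##
# This file is part of WhatWeb and may be subject to
# redistribution and commercial restrictions. Please see the WhatWeb
# web site for more information on licensing and terms of use.
# http://www.morningstarsecurity.com/research/whatweb
##
# Version 0.3 # 2011-05-06 #
# Added support for HAXPLORER, phpSysInfo, PHPFM, SquirrelMail and wwwboard passwd.txt
##
# Version 0.2 # 2011-01-23 #
# Updated version detection
##
Plugin.define "Google-Hack-Honeypot" do
author "Brendan Coles <bcoles@gmail.com>" # 2010-06-13
version "0.3"
description "Google Hack Honeypot is the reaction to a new type of malicious web traffic: search engine hackers. This plugin identifies the following GHH modules: php-ping, HAXPLORER, phpSysInfo, PHPFM, SquirrelMail, wwwboard passwd.txt"
website "http://ghh.sourceforge.net/"

# This plugin identifies hard-coded strings in GHH modules.
# Most GHH templates only use random number generation to appear legitimate.
# Matches were chosen based on hard-coded strings which were least likely:
#   to provide false positives
#   to have been modified by the admin
# Dates and filenames are used in favor of HTML comments and version numbers
# in order to reduce false positives.

# Matches #
matches [

  # PHP-Ping # GHDB Signature 733
  # ("Enter ip" inurl:"php-ping.php")

  # A real PHP-Ping install doesn't default to 127.0.0.1
  { :module => "PHP-Ping", :regexp => /<title>The WorldsEnd.NET - Free Ping Script, written in PHP<\/title><\/head><body bgcolor="#FFFFFF" text="#000000"><\/body><p><font size="2">Your IP is: [\d\.]*<\/font><\/p><form methode="post" action="[^\"]*"> Enter IP or Host <input type="text" name="host" value="127.0.0.1"><\/input> Enter Count <input type="text" name="count" size="2" value="4"><\/input> <input type="submit" name="submit" value="Ping!"><\/input><\/form><br><b><\/b><\/body><\/html>/ },

  # HAXPLORER # GHDB Signature 833
  # (filetype:php HAXPLORER "Server Files Browser")

  # Link URL: <a href="1.php?cmd=dir&dir=./.">
  # Defaults to Thursday: Thu 0
  { :module => "HAXPLORER", :regexp => /<tr><td NOWRAP class="top left right"> <a href="1\.php\?cmd=dir&dir=\.\/\.">\[\.\]<\/a> <\/td>\n<td NOWRAP class="top right"><center> \n <\/center><\/td>\n<td NOWRAP class="top right"> <\/td>\n<td NOWRAP class="top right"> \n<strong>D<\/strong><strong>R<\/strong><Strong>X<strong> <\/td>\n<td NOWRAP class="top right" NOWRAP>\n Thu 0\d/ },

  # phpSysInfo # GHDB Signature 161
  # (inurl:phpSysInfo/ "created by phpsysinfo")

  # Default created by date: phpSysInfo-2\.3<\/a> on Feb 11, 2005
  { :module => "phpSysInfo", :regexp => /<input type="submit" value="Submit"><\/form><\/center><hr>Created by<a href="http:\/\/phpsysinfo\.sourceforge\.net"> phpSysInfo-2\.3<\/a> on Feb 11, 2005 at <br>/ },

  # PHPFM # GHDB Signature 361
  # ("Powered by PHPFM" filetype:php -username)

  # index.php and readme.txt are the only two files listed
  # Size, permission and modified details are not randomized
  { :module => "PHPFM", :text => "<td> index.php</td><td width=60 align='right'>2,81 KB</td><td width=35 align='center'>666</td><td width=110 align='right'>20:36 06-19-2003</td><td width=20> </td><td width=20><a href='?&&path=&filename=index.php&action=edit'><img src='icon/edit.gif' width=20 height=22 alt='Edit file' border=0></a></td><td width=20><a href='?&&path=&filename=index.php&action=rename'><img src='icon/rename.gif' width=20 height=22 alt='Rename file' border=0></a></td><td width=20><a href='?&&path=&filename=index.php&action=download'><img src='icon/download.gif' width=20 height=22 alt='Download file' border=0></a></td><td width=20><a href='?&&path=&filename=index.php&action=delete'><img src='icon/delete.gif' width=20 height=22 alt='Delete file' border=0></a></td></tr><tr><td width=20><img src='icon/text.gif' width=20 height=22 border=0 alt='File'></td><td> readme.txt</td><td width=60 align='right'>2,13 KB</td><td width=35 align='center'>666</td><td width=110 align='right'>22:26 06-19-2003</td><td width=20> </td><td width=20><a href='?&&path=&filename=readme.txt&action=edit'><img src='icon/edit.gif' width=20 height=22 alt='Edit file' border=0></a></td><td width=20><a href='?&&path=&filename=readme.txt&action=rename'><img src='icon/rename.gif' width=20 height=22 alt='Rename file' border=0></a></td><td width=20><a href='?&&path=&filename=readme.txt&action=download'><img src='icon/download.gif' width=20 height=22 alt='Download file' border=0></a></td><td width=20><a href='?&&path=&filename=readme.txt&action=delete'><img src='icon/delete.gif' width=20 height=22 alt='Delete file' border=0></a></td></tr><tr><td colspan=9> </td></tr></table></td></tr></table><br /><br /><table class='bottom' cellpadding=0 cellspacing=0><tr><td align='center'>Powered by <a href='http://phpfm.zalon.dk/' target='_new' class='bottom'>PHPFM</a> 0.2.3</td>" },

  # SquirrelMail # GHDB Signature 1013
  # ("SquirrelMail version 1.4.4" inurl:src ext:php)
  # Logo URL: ../images/sm_logo.png
  # An aggressive plugin could confirm if ./redirect.php returns 404

  { :module => "SquirrelMail", :certainty => 75, :regexp => /<body text="#000000" bgcolor="#FFFFFF" link="#0000CC" vlink="#0000CC" alink="#0000CC" onload="squirrelmail_loginpage_onload\(\);">\n<form action="redirect\.php" method="post">\n\n<table bgcolor="#ffffff" border="0" cellspacing="0" cellpadding="0" width="100%"><tr><td align="center"><center><img src="\.\.\/images\/sm_logo\.png" alt="/ },

]

# wwwboard passwd.txt # GHDB Signature 1122
# (wwwboard WebAdmin inurl:passwd.txt)
#
# URL: passwd.txt
# Password format: WebAdmin:ae[11-random-characters]
#
# Shared pre-check for the passive and aggressive tests: the requested URL
# must end in /passwd.txt and the response body must contain a line in the
# GHH credential format. @base_uri and @body are supplied by the framework
# (they are not set in this file).
#
# The ^/$ anchors on the body check are per-line on purpose: the response
# body may span several lines and the credential line can be any of them.
# The URL check uses \z so only the true end of the string counts.
#
# @return [Boolean] true when both the URL and the body look like a GHH
#   wwwboard passwd.txt honeypot page
def wwwboard_passwd_txt?
  return false unless @base_uri.to_s =~ %r{/passwd\.txt\z}

  !(@body =~ /^WebAdmin:ae\w{11}$/).nil?
end

# Passive #
#
# Passive test: no extra requests are sent. A body that looks like a
# wwwboard passwd.txt honeypot page is reported at low certainty, because
# a real (mis-exposed) wwwboard passwd.txt could look the same.
#
# @return [Array<Hash>] zero or one match hashes (:module, :certainty)
def passive
  m = []

  m << { :certainty => 25, :module => "wwwboard passwd.txt" } if wwwboard_passwd_txt?

  # Return passive matches
  m
end

# Aggressive #
#
# Aggressive test: sends ONE additional request to the target. GHH
# regenerates the fake credential on every request, so if the refetched
# passwd.txt still has the WebAdmin:ae... format but a different value, the
# page is a honeypot rather than a static file.
#
# @return [Array<Hash>] zero or one match hashes (:module)
def aggressive
  m = []

  # Refresh the URL and see if the password changed. open_target returns
  # [status, url, ip, body, headers]; only the body is needed here.
  if wwwboard_passwd_txt?
    _status, _url, _ip, body, _headers = open_target(@base_uri.to_s)

    # A failed refetch (nil body) or a body that no longer carries a
    # credential line is not evidence of a rotating honeypot password —
    # without these checks any error page would count as "changed".
    if body && body != @body && body =~ /^WebAdmin:ae\w{11}$/
      m << { :module => "wwwboard passwd.txt" }
    end
  end

  # Return aggressive matches
  m
end
end

# An aggressive plugin could look for :
# xml.inc
# xmlrpc.inc
# xmlrpcs.inc
# ghhserver.php
# config.php
# CreateDatabase.sql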