Interested in running GHH? Great! This is a simple guide to get you up and running. Please reference the official User Manual located on the SourceForge project site for the most up-to-date version of this procedure.
How do I install GHH?
Prerequisites to installation:
A web server running Apache and PHP.
Downloading GHH:
The latest version of GHH will be available at the official project website located at http://ghh.sourceforge.net. There will be many honeypots available to implement.
Choosing a Honeypot to implement:
The download site offers multiple types of honeypots to emulate different types of GHDB signatures. You can pick one from the official GHH site, or follow the directions in the “Custom Honeypot” section of this document to create your own. By picking or creating a honeypot for a web application that is recently discovered to be vulnerable, or otherwise less well known, there is less chance of your honeypot being avoided by search engine hackers.
Installing GHH:
Follow these steps to install GHH onto your server:
1. GHH should be unzipped into a folder that is not in the document root of your web server.
2. A file should be created for your GHH log, anywhere but your document root. Example: /apache/ghhlog.csv, not /apache/htdocs/ghhlog.csv
(If access to folders that aren’t in the document root isn’t available, use a password-protected folder, covered with .htaccess.)
3. Continue to configuration section.
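One way to check step 2 before going live, as an added example that is not part of GHH: the Python sketch below tests whether a candidate log path resolves to somewhere inside the document root, which would leave the log retrievable over HTTP. The function names and the temporary /apache-style tree are assumptions made for the illustration.

```python
import os
import tempfile


def inside_docroot(log_path, docroot):
    """Return True if log_path resolves to a location inside docroot."""
    # realpath collapses ".." and follows symlinks, so a log that only
    # looks like it sits outside the document root is still caught.
    real_log = os.path.realpath(log_path)
    real_root = os.path.realpath(docroot)
    # commonpath compares whole path components, so /apache/htdocs-old
    # is not mistaken for a child of /apache/htdocs.
    return os.path.commonpath([real_log, real_root]) == real_root


def check_layout():
    """Build a constructed /apache-style tree and classify candidate log paths."""
    base = tempfile.mkdtemp()
    apache = os.path.join(base, "apache")
    docroot = os.path.join(apache, "htdocs")
    os.makedirs(docroot)
    os.makedirs(os.path.join(apache, "htdocs-old"))
    # A directory outside the docroot that is really a symlink back into it.
    os.symlink(docroot, os.path.join(apache, "logs"))
    candidates = {
        "good": os.path.join(apache, "ghhlog.csv"),
        "bad": os.path.join(docroot, "ghhlog.csv"),
        "dotdot": os.path.join(apache, "htdocs-old", "..", "htdocs", "ghhlog.csv"),
        "sibling": os.path.join(apache, "htdocs-old", "ghhlog.csv"),
        "symlink": os.path.join(apache, "logs", "ghhlog.csv"),
    }
    return {name: inside_docroot(path, docroot) for name, path in candidates.items()}


if __name__ == "__main__":
    for name, exposed in check_layout().items():
        state = "INSIDE document root" if exposed else "outside document root"
        print(f"{name:8s} {state}")
```

The check covers the filesystem layout only; an Apache Alias or similar mapping can still expose a directory that lies outside the document root.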
Global Configuration for GHH:
Inside the uncompressed installation package, locate config.php. This file includes one variable that needs to be changed in order for GHH to work:
Change the $Filename variable to contain the path to the log file you created in 2.4.2.
Change the $RegisterGlobals variable to 'false' if you require register_globals to be on in the server's php.ini (or if you are getting a blank page when viewing the honeypot file).
Per-Honeypot Configuration:
There is a README.txt file in the folder you unzipped into your web server. Because different honeypots may have different configuration instructions, this file is necessary for each separate honeypot. README.txt contains instructions to set up the particular honeypot, and may be intricate depending on the complexity of the honeypot being implemented (i.e. a phpBB honeypot). Open the README.txt file in the package you downloaded, and follow its configuration instructions.
Getting GHH indexed:
In order for the honeypot to work it must be visible to search engines. There are different ways to accomplish this task. The GHH team recommends setting up a secret hyperlink in the HTML of a page of your site. Add a link to a page that is currently indexed by Google, or other search engines like so:
<a href="http://yourdomain.com/honeypot.php">.</a>
Where the “.” is the same color as the background of the page. This invisible link directs search engines to crawl the page, but regular viewers of your site will not notice or visit the link.
There are other options that will get the honeypot indexed including image tag inclusion:
<img src="http://yourdomain.com/honeypot.php" width="0" height="0">
Now that the honeypot has been linked to, it is time to set the $SafeReferer variable. Set this variable equal to the page that the honeypot is linked from.
$SafeReferer is used to detect when someone clicks the hidden hyperlink. This variable is tied to the “Crawler Detected” alert used in the logs. It signifies one of three things:
1. A search engine indexed the link.
2. An innocent browser found the link and clicked it.
3. The link was crawled with a tool like wget or an offline browser.
These hits are more than likely false positives. GHH will look at the “HTTP_REFERER” header and determine if a browser came from the $SafeReferer.
Search engines will not index your site immediately. Their spiders take time.
Extra Help
If you have written any extra documentation or discovered new honeypot/Google hacking tactics, forward them to soda_popinsky@users.sourceforge.net and we will link them here.
Online Installation Flowchart
Custom Honeypot Tutorial (AntiOnline)
Advanced Transparent Linking