LokiSec.com


Deter unwanted scanners/crawlers using Weblabyrinth

June 30, 2011 by CyberRad

Weblabyrinth is a dynamic maze of web pages written in PHP. Its main goal is to delay and occupy malicious web scanners, giving incident handlers time to investigate and respond to threats. Weblabyrinth is designed to show a 404 error to legitimate web crawlers based on the crawler's user-agent. Here is how to install and configure it.

In order for this to work you will need the following installed on your box:
Apache
mod_rewrite
PHP
sqlite
PHP sqlite extension
PHP mail() support

Go to the Weblabyrinth website and download Weblabyrinth.

wget http://weblabyrinth.googlecode.com/files/weblabyrinth-0.3.2.tar.gz

Now extract the files and place them in an area that is accessible to the web.

tar zxvf weblabyrinth-0.3.2.tar.gz

cp * /var/www/labyrinth/

Rename /var/www/labyrinth/EXAMPLE.htaccess to .htaccess.

mv /var/www/labyrinth/EXAMPLE.htaccess /var/www/labyrinth/.htaccess

Next we will create a sqlite database and give the web user access to the database.

mkdir /opt/weblabyrinth/

cat /var/www/labyrinth/labyrinth.sql | sqlite /opt/weblabyrinth/labyrinth.db

chown -R www-data:www-data /opt/weblabyrinth

The next step is to edit the /var/www/labyrinth/config.inc.php file. Most of the settings will not need to be changed if you followed the steps that were outlined. A few settings to note are:
'alert_levels_deep' => 3,
This is the threshold of pages that must be hit prior to triggering an alert.

'alert_email' => array(
'enabled' => 'true',
'address' => 'root@localhost'
),

These settings determine whether an email is sent when an alert is triggered, and to which address.

'alert_ids' => array(
'enabled' => 'true',
'text' => 'honorificabilitudinitatibus'
)

With these settings, Weblabyrinth displays honorificabilitudinitatibus on the pages it serves to the web crawler. Used in conjunction with the following Snort rule, this generates a Snort alert, which you can use to block the IP of the web crawler.
alert tcp any 80 -> any any (content:"honorificabilitudinitatibus"; msg: "WebLabyrinth alert keyword detected";)
This works because Snort sees the phrase honorificabilitudinitatibus in the packets that are sent from port 80 to the web crawler.
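
Because the rule fires on traffic leaving port 80, the crawler is the destination address in each alert, not the source. The following is an added example (not part of Weblabyrinth or of the original post) that pulls the crawler IPs out of Snort "fast" alert lines; the function name, the sample alerts, the addresses and the gid:sid:rev triple are constructed for illustration.

```python
import ipaddress
import re

# Snort "fast" alert line layout:
#   time [**] [gid:sid:rev] msg [**] [Priority: n] {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r"\[\*\*\] \[\d+:\d+:\d+\] (?P<msg>.*?) \[\*\*\].*?"
    r"\{TCP\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)
RULE_MSG = "WebLabyrinth alert keyword detected"  # msg value from the rule above

# Constructed sample alerts (documentation addresses, placeholder gid:sid:rev).
SAMPLE_ALERTS = """\
06/30-10:00:01.120000  [**] [1:1000001:1] WebLabyrinth alert keyword detected [**] [Priority: 0] {TCP} 192.0.2.80:80 -> 198.51.100.7:51234
06/30-10:00:02.480000  [**] [1:1000001:1] WebLabyrinth alert keyword detected [**] [Priority: 0] {TCP} 192.0.2.80:80 -> 198.51.100.7:51240
06/30-10:07:13.900000  [**] [1:1000001:1] WebLabyrinth alert keyword detected [**] [Priority: 0] {TCP} 192.0.2.80:80 -> 203.0.113.9:40000
06/30-10:09:44.010000  [**] [1:1000002:1] Unrelated constructed alert [**] [Priority: 0] {TCP} 203.0.113.50:4444 -> 192.0.2.80:22
06/30-10:15:00.000000  [**] [1:1000001:1] WebLabyrinth alert keyword detected [**] [Priority: 0] {TCP} 127.0.0.1:80 -> 127.0.0.1:50000
"""


def crawler_ips(alert_text, never_block=("127.0.0.0/8",)):
    """Return the sorted, de-duplicated client IPs that received the keyword.

    never_block lists networks that must not end up on a block list
    (your own hosts, monitoring systems); extend it for your site.
    """
    safe = [ipaddress.ip_network(net) for net in never_block]
    found = set()
    for line in alert_text.splitlines():
        m = ALERT_RE.search(line)
        # Only this rule's alerts, and only server-to-client traffic from port 80.
        if not m or m.group("msg") != RULE_MSG or m.group("sport") != "80":
            continue
        ip = ipaddress.ip_address(m.group("dst"))  # crawler = destination side
        if not any(ip in net for net in safe):
            found.add(ip)
    return [str(ip) for ip in sorted(found)]


if __name__ == "__main__":
    for ip in crawler_ips(SAMPLE_ALERTS):
        print(ip)
```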

Now we need to set up aliases for known targets that web crawlers look for. Where this goes depends on how your server is set up, but most likely it will be in the httpd.conf file in /etc/apache2. Here are the aliases I use:
Alias /admin /var/www/labyrinth/
Alias /secret /var/www/labyrinth/
Alias /pdc-only /var/www/labyrinth/
Alias /private /var/www/labyrinth/
Alias /phpmyadmin /var/www/labyrinth/
Alias /pma /var/www/labyrinth/
Alias /dbadmin /var/www/labyrinth/
Alias /phppgadmin /var/www/labyrinth/
Alias /myadmin /var/www/labyrinth/
Alias /db /var/www/labyrinth/
Alias /mysql /var/www/labyrinth/
Alias /mysqladmin /var/www/labyrinth/
Alias /scripts /var/www/labyrinth/
Alias /sqlweb /var/www/labyrinth/
Alias /web /var/www/labyrinth/
Alias /webadmin /var/www/labyrinth/
Alias /webdb /var/www/labyrinth/
Alias /websql /var/www/labyrinth/

This list was composed by looking through my Apache log files for 404 errors that were generated by known web crawler user-agents. If you have any more, please share.
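
The log review described above can be automated. This is an added example, not code from the original post or from Weblabyrinth: it reads Apache "combined" format log lines, keeps 404s from scanner user-agents, and prints Alias lines for the first path segment. The function name, the user-agent substrings and the sample log are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Apache "combined" format:
#   host ident user [time] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"'
)

# Assumption: substrings that mark scanner user-agents; adjust to your own logs.
SCANNER_AGENTS = ("nikto", "w3af", "dirbuster", "zmeu")

# Constructed sample log lines (documentation addresses).
SAMPLE_LOG = """\
192.0.2.10 - - [30/Jun/2011:10:00:01 -0500] "GET /phpmyadmin/index.php HTTP/1.1" 404 512 "-" "ZmEu"
192.0.2.10 - - [30/Jun/2011:10:00:02 -0500] "GET /pma/index.php HTTP/1.1" 404 512 "-" "ZmEu"
198.51.100.7 - - [30/Jun/2011:10:05:00 -0500] "GET /phpmyadmin/ HTTP/1.1" 404 512 "-" "Mozilla/5.00 (Nikto/2.1.4)"
198.51.100.7 - - [30/Jun/2011:10:05:01 -0500] "GET /robots.txt HTTP/1.1" 404 512 "-" "Mozilla/5.00 (Nikto/2.1.4)"
198.51.100.7 - - [30/Jun/2011:10:05:02 -0500] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.00 (Nikto/2.1.4)"
203.0.113.5 - - [30/Jun/2011:11:00:00 -0500] "GET /oldpage HTTP/1.1" 404 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""


def alias_candidates(log_text, docroot="/var/www/labyrinth/", min_hits=1):
    """Return Alias lines for directories that scanners requested and got a 404 for."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("status") != "404":
            continue
        if not any(s in m.group("agent").lower() for s in SCANNER_AGENTS):
            continue  # ordinary visitors hitting dead links are not trap material
        # Alias maps a URL prefix, so keep only the first path segment.
        first = m.group("path").split("?", 1)[0].strip("/").split("/", 1)[0]
        # Skip files (robots.txt, favicon.ico) and anything that is not a plain name.
        if re.fullmatch(r"[A-Za-z0-9_-]+", first):
            hits["/" + first] += 1
    ranked = sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))
    return [f"Alias {path} {docroot}" for path, n in ranked if n >= min_hits]


if __name__ == "__main__":
    print("\n".join(alias_candidates(SAMPLE_LOG)))
```

Check each suggested alias against the paths your site really serves before adding it, since an Alias takes over that URL prefix.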

Now sit back and wait for a web crawler to get caught in your trap. If you would like to see what the web crawlers see, you are more than welcome to get caught in mine. Please visit mayhemiclabs.com to show your support for such a great piece of code.

Posted in Website Defense and tagged with aliases, apache, No, php, Snort, tutorial, user-agent, weblabyrinth.