The MySQL support within the dionaea honeypot is very limited and it was not possible to analyse and handle most of the attacks in the past. But initial commits to improve the MySQL support have been pushed to a staging branch.
Yesterday the new code has been deployed to a test honeypot in the wild. This honeypot has collected 15 unique files from attacks against the MySQL service within the last 24 hours. The same attacks against the current stable version 0.5.1 would have been resulted in 0(zero) files. I think this is a very impressive result.
The files collected are executables, VBScript and PowerShell files. All binary files look like Windows executables but haven't been analysed yet. The VBScript and PowerShell files are part of an initial attack stage and used to download additional executable files.
One of the next steps is to implement a very basic VBScript and PowerShell analyser to extract additional download URLs from these scripts.
Stay tuned ... there is much more to come.
Links
- Website: dionaea on GitHub (English)