Welcome to another Honeypot tutorial!
Taking a break from my OSCP studies, I came across the new Oracle WebLogic vulnerability.
As most cyber security people know, CVE-2018-2628 was released for Oracle WebLogic Server (versions 10.3.6.0, 12.1.3.0, 12.2.1.2 and 12.2.1.3). It is an unauthenticated remote code execution bug: a Java deserialization flaw reached over the T3 protocol, which WebLogic exposes on port 7001 by default.
The PoC exploit code was released as well, at https://github.com/brianwrf/CVE-2018-2628 - props to the PoC hax0r!
Security articles are already reporting that attackers are scanning the internet for port 7001 looking for vulnerable servers, so why don't we fire up a honeypot and see what they are actually doing?
Below is a quick bash script of the install I used.
This honeypot was built on a Vultr VPS running Ubuntu 14.04 64-bit with 4 GB of RAM.
We need Java (JDK 6u45, located here: http://ethicalredteam.com/jdk-6u45-linux-x64.bin) and the vulnerable WebLogic 10.3.6.0 installer (located here: http://ethicalredteam.com/wls1036_generic.jar).
#!/bin/bash
# Vultr VPS, Ubuntu 14.04 64-bit, 4 GB RAM; run as root
apt-get -y update && apt-get -y install lubuntu-desktop wireshark
# Reboot here, then do the rest of the install from the GUI (the WebLogic installer is a graphical wizard).
mkdir -p /root/oraclehp && cd /root/oraclehp
wget http://ethicalredteam.com/jdk-6u45-linux-x64.bin http://ethicalredteam.com/wls1036_generic.jar
chmod +x jdk-6u45-linux-x64.bin && ./jdk-6u45-linux-x64.bin   # unpacks into /root/oraclehp/jdk1.6.0_45
# Select the TYPICAL install in the wizard
/root/oraclehp/jdk1.6.0_45/bin/java -jar wls1036_generic.jar
# Verify the server is running with: netstat -atnp   (port 7001 should show as LISTEN)
We'll launch an nmap scan at the server to confirm port 7001 is open, as well as checking with netstat.
Then we fire off the PoC exploit against our own honeypot, just to confirm that the Oracle honeypots really do give code execution. Do this before the box is exposed, and note the time and source IP of your own test, so your traffic is not mistaken for an attacker's in the capture later.
Awesome, so what have we caught so far? We can see some IPs nmapping us, looking for port 7001 open. Currently I do not see any logs of attackers trying to RCE the honeypot, but in due time I'm sure it will happen.
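Telling a port scan apart from a real exploit attempt in the pcap comes down to two markers: a T3 session always opens with a "t3 <version>" handshake, and a deserialization exploit has to deliver a serialized Java object, whose stream starts with the bytes AC ED 00 05. The script below is an added example, not part of the original write-up: it reads a classic pcap (Ethernet framing, no TCP reassembly, so only single-segment payloads are classified), counts per source IP what was aimed at port 7001, and labels each source. The capture it runs on is constructed in the script with TEST-NET addresses, and the "serialized object" segment is a truncated stand-in, not a working payload. To run it on a real capture, pass open(path, "rb").read() to summarize().

```python
import struct
import ipaddress
from collections import Counter

WEBLOGIC_PORT = 7001
SYN, ACK = 0x02, 0x10
T3_PREFIX = b"t3 "                        # every T3 session opens with "t3 <version>\n..."
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"   # stream header of a serialized Java object


def iter_frames(pcap):
    """Yield raw link-layer frames from classic (non-pcapng) pcap bytes."""
    magic, = struct.unpack_from("<I", pcap, 0)
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}[magic]
    linktype, = struct.unpack_from(endian + "I", pcap, 20)
    if linktype != 1:
        raise ValueError("only Ethernet (LINKTYPE 1) captures are handled")
    offset = 24
    while offset + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", pcap, offset)
        offset += 16
        yield pcap[offset:offset + incl_len]
        offset += incl_len


def parse_tcp(frame):
    """Return (src, dst, sport, dport, flags, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6 or len(ip) < ihl + 20:
        return None
    src = str(ipaddress.IPv4Address(ip[12:16]))
    dst = str(ipaddress.IPv4Address(ip[16:20]))
    tcp = ip[ihl:]
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    data_offset = (tcp[12] >> 4) * 4
    return src, dst, sport, dport, tcp[13], tcp[data_offset:]


def classify_segment(flags, payload):
    """Map one segment to what it says about the sender's intent."""
    if JAVA_SERIAL_MAGIC in payload:
        return "serialized_object"     # what a deserialization exploit must deliver
    if payload.startswith(T3_PREFIX):
        return "t3_handshake"          # speaks T3: exploit tooling or a fingerprinter
    if not payload and flags & SYN and not flags & ACK:
        return "syn_probe"             # connection attempt only: nmap or a mass scanner
    return None


def summarize(pcap, port=WEBLOGIC_PORT):
    """Per source IP, count the kinds of traffic aimed at the honeypot's T3 port."""
    per_source = {}
    for frame in iter_frames(pcap):
        parsed = parse_tcp(frame)
        if parsed is None or parsed[3] != port:
            continue
        kind = classify_segment(parsed[4], parsed[5])
        if kind:
            per_source.setdefault(parsed[0], Counter())[kind] += 1
    return per_source


def verdict(counts):
    """Collapse one source's counters into a label for the report."""
    if counts["serialized_object"]:
        return "rce_attempt"
    if counts["t3_handshake"]:
        return "t3_probe"
    return "port_scan"


# --- constructed sample capture (not a real pcap from the honeypot) ---------------

def build_frame(src, dst, sport, dport, flags, payload=b""):
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


def build_pcap(frames):
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = [struct.pack("<IIII", 1524000000 + i, 0, len(f), len(f)) + f
               for i, f in enumerate(frames)]
    return header + b"".join(records)


HONEYPOT = "10.0.0.1"   # assumed honeypot address
SAMPLE_PCAP = build_pcap([
    build_frame("203.0.113.5", HONEYPOT, 40001, 7001, SYN),        # scanner: three bare SYNs
    build_frame(HONEYPOT, "203.0.113.5", 7001, 40001, SYN | ACK),  # our reply, not counted
    build_frame("203.0.113.5", HONEYPOT, 40002, 7001, SYN),
    build_frame("203.0.113.5", HONEYPOT, 40003, 7001, SYN),
    build_frame("198.51.100.7", HONEYPOT, 51000, 7001, SYN),       # exploit-style session
    build_frame("198.51.100.7", HONEYPOT, 51000, 7001, ACK, b"t3 12.2.1\nAS:255\nHL:19\nMS:10000000\n\n"),
    build_frame("198.51.100.7", HONEYPOT, 51000, 7001, ACK,        # truncated stand-in object
                b"\x00\x00\x00\x40\x01\x65\x01\xff\xff\xff\xff" + JAVA_SERIAL_MAGIC + b"\x73\x72"),
    build_frame("192.0.2.9", HONEYPOT, 33000, 22, SYN),            # SSH scan, not our port
])

if __name__ == "__main__":
    for src, counts in sorted(summarize(SAMPLE_PCAP).items()):
        print(src, verdict(counts), dict(counts))
```

Save captures with tcpdump -w or as "pcap" rather than Wireshark's default pcapng, since the reader only understands the classic header. A source labelled rce_attempt is the one worth pulling the full session for; a source with only syn_probe hits is the background scanning noise the write-up describes.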
China is the number one source of scans, go figure! :D
The pcap is available for download here.
That is about it for the basic setup for now! This was just a quick tutorial to get a honeypot up. Currently I have 4 honeypots in different countries and will monitor them for a while.
I will update this thread when I find anything new and interesting happening on the honeypots. Until then, it's back to the OSCP labs.