
Niels Provos' Blog ::

Installation Of SpyBye


You need to follow these steps to install your own SpyBye proxy:

  • Download the latest version of SpyBye from http://www.monkey.org/~provos/spybye/.

  • Download the latest version of libevent from http://www.monkey.org/~provos/libevent/.

  • Configure, compile and install libevent by executing the following commands in the libevent directory: ./configure && make && sudo make install.

  • Configure, compile and install SpyBye by executing the following commands in the SpyBye directory: ./configure && make && sudo make install.



If these instructions seem too complicated to you, you can just use the SpyBye proxy running at www.spybye.org:8080. Be aware that every request your browser makes then passes through a server you do not control.

Running SpyBye



You need to decide on which host and which port you want to run SpyBye. If you don't plan on running it permanently, you probably want to run
it on your own machine. Run the following command: spybye -p 8080. At this point, you should see output like the following:
SpyBye 0.1 starting up ...
Report sharing enabled.
Added 28 good patterns
Added 145 bad patterns
Starting web server on port 8080
Configure your browser to use this server as proxy



Now, configure your web browser to use 127.0.0.1:8080 as an HTTP proxy server. This instructs your web browser to send all of its requests to SpyBye.
From this point on you are no longer browsing the web directly: every request is routed via the SpyBye proxy, and if SpyBye is not running, browsing fails until you remove the proxy setting.



To start, go to http://spybye/. If everything worked, you should see a small status header and a form field in which you can enter a URL.
Enter the URL of a site you want to check.



Interpreting SpyBye Output


SpyBye classifies URLs into three categories:

  • harmless: A URL that is served by the web site you are checking or is matched by a pattern in the good patterns file.

  • unknown: A URL that did not originate from the web site you are checking. This is most likely third-party content and could be dangerous. If you see an unknown URL that you do not recognize, something might be wrong with your web site.

  • dangerous: A URL with a high likelihood of being malicious. This is usually an indication that your web site has been compromised. Check that all your web applications have the latest security patches installed; you might also have to reinstall your web server. Attackers usually leave backdoors that give them remote access to your site, even after you have removed the injected content from your web pages.
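The following added example shows how these three categories arise. It is not SpyBye's own code: it collects the resources a page tells the browser to fetch, resolves relative URLs against the page, and labels each one. The pattern lists, the hostname-glob syntax used for them, the sample page and the rule that a bad-pattern match outranks same-origin content are all assumptions made for this example; SpyBye's actual pattern-file format is not reproduced here.

```python
"""Added example, not SpyBye's code: a minimal harmless/unknown/dangerous
classifier for the URLs embedded in a web page."""
import fnmatch
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumption for this example: patterns are shell-style globs on hostnames.
# These lists are constructed and are not SpyBye's shipped pattern files.
GOOD_PATTERNS = ["*.google-analytics.com", "ajax.googleapis.com"]
BAD_PATTERNS = ["*.evil-iframe.example"]

# (tag, attribute) pairs whose value makes the browser fetch something.
URL_ATTRS = {
    ("script", "src"), ("iframe", "src"), ("img", "src"),
    ("link", "href"), ("embed", "src"), ("object", "data"),
}


class ResourceCollector(HTMLParser):
    """Collect every URL a page instructs the browser to load, made absolute."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) in URL_ATTRS and value:
                self.urls.append(urljoin(self.base_url, value.strip()))


def host_matches(url, patterns):
    """True if the URL's hostname matches any glob pattern (case-insensitive)."""
    host = (urlparse(url).hostname or "").lower()
    return any(fnmatch.fnmatchcase(host, p.lower()) for p in patterns)


def classify(page_url, resource_url, good=GOOD_PATTERNS, bad=BAD_PATTERNS):
    """Return 'harmless', 'unknown' or 'dangerous' for one embedded resource.

    Design choice (assumption): a bad-pattern match wins over same-origin,
    because a compromised site may host the malicious payload itself.
    """
    page_host = (urlparse(page_url).hostname or "").lower()
    res_host = (urlparse(resource_url).hostname or "").lower()
    if host_matches(resource_url, bad):
        return "dangerous"
    if res_host == page_host or host_matches(resource_url, good):
        return "harmless"
    return "unknown"


def scan_page(page_url, html):
    """Map every embedded resource URL of a page to its classification."""
    collector = ResourceCollector(page_url)
    collector.feed(html)
    return {url: classify(page_url, url) for url in collector.urls}


def page_verdict(results):
    """Worst label found on the page: dangerous > unknown > harmless."""
    labels = set(results.values())
    for level in ("dangerous", "unknown", "harmless"):
        if level in labels:
            return level
    return "harmless"


# Constructed sample page: own assets, a well-known CDN, an unrecognised
# third-party counter script and a hidden iframe from a bad-listed host.
SAMPLE_PAGE_URL = "http://www.example.com/index.html"
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.2.6/jquery.min.js"></script>
</head><body>
<img src="images/logo.png">
<script src="http://stats.unknown-widget.example/counter.js"></script>
<iframe src="http://cdn.evil-iframe.example/in.cgi?3" width="0" height="0"></iframe>
</body></html>"""

if __name__ == "__main__":
    results = scan_page(SAMPLE_PAGE_URL, SAMPLE_PAGE)
    for url, label in results.items():
        print(f"{label:9} {url}")
    print("verdict:", page_verdict(results))
```

Running the block labels the stylesheet, logo and jQuery include as harmless, the counter script as unknown and the zero-size iframe as dangerous, so the page verdict is dangerous; the unknown entry is the one a site owner should look at and recognise before dismissing it.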



Results


By default, the SpyBye proxy shares potentially dangerous web pages with the www.spybye.org web server. This allows others to see potentially compromised web pages on the Internet and learn how to interpret and dissect obfuscated JavaScript, etc. Since flagged pages leave your machine this way, disable sharing if you check sites whose content must stay private. Sharing is disabled by adding -S '' to the command line of SpyBye.
Happy Hunting.

Posted by Niels Provos | on