My Honeypots Have Been Busy

RJM62 (Geek on the Hill)
The honeypots and scripts I've installed on various sites and servers to trap hackers, crackers, spammers, and other Internet miscreants have detected and reported 119,701 malicious IP addresses as of this morning.

https://www.abuseipdb.com/user/5688

Rich
 
What honeypot software are you using? My boss wants to install new honeypots in our internal network with a flavor of Linux, but we could only get the old 2007 HoneyD to work. And it has to be free and open source too.
 
What honeypot software are you using? My boss wants to install new honeypots in our internal network with a flavor of Linux, but we could only get the old 2007 HoneyD to work. And it has to be free and open source too.

I scripted the web honeypots myself in PHP. They actually don't exist. I use .htaccess to redirect requests for non-existent CMS pages and other frequent attack targets to a PHP script that does the rest. Very simple stuff.

The Web contact form spam reporter is a plug-in I added to a spam-filtering contact form I wrote years ago. The plug-in simply saves the known-spammy submissions to a database and also submits the information to AbuseIPDB.

The other attacks are exported from CSF firewall's Block Reporting function and fed to PHP scripts that save the reports to a database and also send them along to AbuseIPDB.

This started as an internal project to create blocklists that all the servers I manage could share. It kind of morphed from there.

You may want to look into fail2ban if you want something FOSS with plenty of eyeballs on it.

Rich
 
The basic PHP for the non-existent honeypots is

PHP:
<?php
// honey.php: records one hit on a non-existent CMS path and reports the source IP to AbuseIPDB.
date_default_timezone_set('America/New_York');
$ip = $_SERVER['REMOTE_ADDR'];
//$ip = "127.0.0.2"; // for testing
$origRequest = $_GET['req'] ?? ''; // set by the .htaccess rewrite; empty if honey.php is requested directly
$timeNow = time();
$fresh = $timeNow - 900; // AbuseIPDB rejects a repeat report of the same IP by the same user within 15 minutes
$domain = "[example.tld]"; // domain of reporting site or server
$currentDateTime = date("M d, Y h:i:s a");
$ports = "80,443";
$categories = "15,21"; // AbuseIPDB categories: 15 = Hacking, 21 = Web App Attack

$con = mysqli_connect("[database-host-domain]", "[database_user]", "[database_password]", "[database_name]");
if (!$con) { die('Could not connect: ' . mysqli_connect_error()); } // $con is false here, so mysqli_error($con) cannot be used

// Has this IP been recorded within the last 15 minutes? Escape the value before it goes into the query.
$ip = mysqli_real_escape_string($con, $ip);
$result = mysqli_query($con, "SELECT 1 FROM reports WHERE ip4 = '$ip' AND time >= $fresh LIMIT 1");
$alreadyReported = $result && mysqli_num_rows($result) > 0;

if (!$alreadyReported) {
    // sanitize the remaining values before they are interpolated into the INSERT
    $domain = mysqli_real_escape_string($con, $domain);
    $currentDateTime = mysqli_real_escape_string($con, $currentDateTime);
    $origRequest = mysqli_real_escape_string($con, $origRequest);
    $comment = "Hit on " . $origRequest; // for AbuseIPDB report and database entry
    /* mysqli_real_escape_string only adds backslashes; it never removes characters. An empty
       $origRequest therefore means no req value was passed, i.e. the script was requested without
       a rewritten URI. That case is labelled and reported with the extra SQL Injection category. */
    if (empty($origRequest)) {
        $comment = "Web-based SQL injection attempt";
        $categories = "15,16,21"; // adds 16 = SQL Injection
    }
    // insert to db (the database was already selected by mysqli_connect)
    $sql = "INSERT INTO reports (datetime, time, ip4, ports, categories, domain, origRequest, comment)
            VALUES ('$currentDateTime', $timeNow, '$ip', '$ports', '$categories', '$domain', '$origRequest', '$comment')";
    if (!mysqli_query($con, $sql)) {
        error_log("honey.php insert failed: " . mysqli_error($con)); // log it; do not echo database errors to the bot
    }
    // make report
    $data = array(
        "ip"         => $ip,
        "categories" => $categories,
        "comment"    => $comment
    );
    $headers = array('Key: [key goes here]', 'Accept: application/json');
    $ch = curl_init("https://api.abuseipdb.com/api/v2/report");
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); // Set to 0 for testing to display response from AbuseIPDB
    curl_setopt($ch, CURLOPT_POST, 1);
    curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($data)); // form-encoded body, as the v2 API documents
    curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
    curl_setopt($ch, CURLOPT_TIMEOUT, 10); // never let a slow API call hold the bot's connection open
    $output = curl_exec($ch);
    if ($output === false) {
        error_log("honey.php AbuseIPDB report failed: " . curl_error($ch));
    }
    curl_close($ch);
}
mysqli_close($con);
include("401.php");
?>

If that script were named "honey.php", miscreants and bots would wind up there via something along these lines in .htaccess:

Code:
# Honeypot for non-existent login attempts
# None of the paths below may exist on the site, or real pages would be swallowed by the honeypot.
RewriteEngine On
RewriteCond %{REQUEST_URI} /wp-login\.php [NC,OR]
RewriteCond %{REQUEST_URI} /wp-config\.php [NC,OR]
RewriteCond %{REQUEST_URI} /wp-contacts\.php [NC,OR]
RewriteCond %{REQUEST_URI} /xmlrpc\.php [NC,OR]
RewriteCond %{REQUEST_URI} /webconfig\.txt\.php [NC,OR]
RewriteCond %{REQUEST_URI} /admin\.php [NC,OR]
RewriteCond %{REQUEST_URI} /login\.php [NC,OR]
RewriteCond %{REQUEST_URI} /adminer\.php [NC,OR]
RewriteCond %{REQUEST_URI} /lequ\.php [NC,OR]
RewriteCond %{REQUEST_URI} /install\.php [NC,OR]
RewriteCond %{REQUEST_URI} /setup\.php [NC,OR]
RewriteCond %{REQUEST_URI} /shell\.php [NC,OR]
RewriteCond %{REQUEST_URI} /user\.php [NC,OR]
RewriteCond %{REQUEST_URI} ^/install/(.*)$ [NC,OR]
RewriteCond %{REQUEST_URI} ^/setup/(.*)$ [NC,OR]
RewriteCond %{REQUEST_URI} ^/plus/(.*)$ [NC,OR]
RewriteCond %{REQUEST_URI} ^/data/(.*)$ [NC,OR]
RewriteCond %{REQUEST_URI} ^/inc/(.*)$ [NC,OR]
RewriteCond %{REQUEST_URI} ^/\.git/(.*)$ [NC,OR]
RewriteCond %{REQUEST_URI} ^/templates/(.*)$ [NC,OR]
RewriteCond %{REQUEST_URI} ^/fckeditor/(.*)$ [NC,OR]
RewriteCond %{REQUEST_URI} ^/config/(.*)$ [NC,OR]
RewriteCond %{REQUEST_URI} ^/administrator/(.*)$ [NC,OR]
RewriteCond %{REQUEST_URI} ^/admin/(.*)$ [NC,OR]
RewriteCond %{REQUEST_URI} ^/manager/(.*)$ [NC,OR]
RewriteCond %{REQUEST_URI} ^/cms/(.*)$ [NC,OR]
RewriteCond %{REQUEST_URI} ^/wp-admin/(.*)$ [NC]
# If www.example.com is a different host from this vhost, Apache answers with an external 302 redirect and
# only bots that follow redirects ever reach honey.php; if it is the same host, this is an internal rewrite.
RewriteRule .* https://www.example.com/honey.php?req=%{REQUEST_URI} [L]

Obviously, any redirects have to be of pages / directories that don't actually exist on the site.

I also have several sites with contact forms that exist solely to collect data that I use to tweak the spam filters and feed the databases. Some of them are even labeled as such. The bots are too stupid to care. They spam a form that's labeled as a spam-collection form.

Hey, it keeps me off the streets.

Rich
 
The basic PHP for the non-existent honeypots is
....

I also have several sites with contact forms that exist solely to collect data that I use to tweak the spam filters and feed the databases. Some of them are even labeled as such. The bots are too stupid to care. They spam a form that's labeled as a spam-collection form.

Hey, it keeps me off the streets.

Rich

I have NO idea what all that code means, but I think it's great that you are contributing your abilities to fighting intergarbage. Thank you!!
 
So I’m wondering what the hell these guys are talking about. Why don’t I just ask them? But I don’t wanna look ignorant, so I google it.

 
I have NO idea what all that code means, but I think it's great that you are contributing your abilities to fighting intergarbage. Thank you!!

Thanks. It's actually pretty crude. I could clean it up quite a bit. But it works, so...

Rich
 
My first thought was that you meant honey wagon, some might know what that is.
 
My first thought was that you meant honey wagon, some might know what that is.
Our local honeywagon proprietor, years ago when we lived in a different locale, named his "Mr. Slurpee," and had a graphic of a cartoon tanker sipping on a straw stuck in a toilet. Very cute.
 
The basic PHP for the non-existent honeypots is


Hey, it keeps me off the streets.

Rich

Since we are on the topic of security, why did you choose to use mysqli_real_escape_string instead of prepared statements with bound queries?
 
I do something similar with my site. If certain criteria are met I simply have a die; that kills the whole site for IP blocks. Waaaaay less submission spam. I should go check the list to see how many I've got now.
 
My first thought was that you meant honey wagon, some might know what that is.
Yep, I used to operate one during summers and holiday vacations in high school and college. It was a local farmer to my parents. Nasty, nasty smell!
 
Do you have an internal honeypot with “authentication” forms?
I was thinking of deploying one and setting a tripwire on it. Basically, if anybody is trying to auth with this honeypot from the internal network, it’s either a compromised device or an internal threat situation.
 
Since we are on the topic of security, why did you choose to use mysqli_real_escape_string instead of prepared statements with bound queries?

That's on the agenda. I started banging this script together last spring when I got annoyed with all the 404's in the stats from hits on non-existent CMS login pages. The intent was to collect the IP's into a database and share that database among all the servers. And then the summer came, when I prefer spending time doing other things rather than staring at screens; so I just left it as is. Now that winter's coming, I'll have time to clean it up.

I also have been asked to make it compatible with PostgreSQL, and to merge it with the script that collects the block data from CSF Firewall. I plan to make all those changes at the same time.

The other thing to consider is that there's no user input here. There's no form. It just executes when non-existent pages are requested. Neither do the CMS's being targeted exist; so even if a bot appends some code to the URI intended to exploit some vulnerability in the CMS, the CMS doesn't exist, so there's no vulnerability to exploit.

But yes, it's rough. It's a work-in-progress.

Rich
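For readers who want to see what the question above is asking for, here is the record-and-report flow of the posted honey.php rewritten with mysqli prepared statements. This is an added example, not the original poster's script and not the revision he says is on his agenda. It keeps the reports table and column names from the posted code; the connection values, $abuseIpdbKey, the 512-byte cap on req and the function names are this example's own choices.

```php
<?php
// Added example, not the original poster's script: the same record-and-report flow as honey.php,
// using mysqli prepared statements instead of mysqli_real_escape_string. The reports table and its
// columns follow the posted script; the connection values and $abuseIpdbKey are placeholders.
declare(strict_types=1);

const FRESH_WINDOW = 900; // AbuseIPDB refuses a repeat report of one IP by the same user within 15 minutes

/** True if $ip already has a reports row newer than FRESH_WINDOW seconds. */
function recentlyReported(mysqli $db, string $ip, int $now): bool
{
    $since = $now - FRESH_WINDOW;
    $stmt = $db->prepare('SELECT 1 FROM reports WHERE ip4 = ? AND time >= ? LIMIT 1');
    $stmt->bind_param('si', $ip, $since);   // values travel separately from the SQL text
    $stmt->execute();
    $stmt->store_result();
    $found = $stmt->num_rows > 0;
    $stmt->close();
    return $found;
}

/** Insert one hit. $hit keys: datetime, time, ip, ports, categories, domain, request, comment. */
function recordHit(mysqli $db, array $hit): bool
{
    $stmt = $db->prepare(
        'INSERT INTO reports (datetime, time, ip4, ports, categories, domain, origRequest, comment)
         VALUES (?, ?, ?, ?, ?, ?, ?, ?)'
    );
    $stmt->bind_param('sissssss', $hit['datetime'], $hit['time'], $hit['ip'], $hit['ports'],
                      $hit['categories'], $hit['domain'], $hit['request'], $hit['comment']);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

/** POST one report to the AbuseIPDB v2 API; returns HTTP status, raw body and any transport error. */
function reportToAbuseIpdb(string $key, string $ip, string $categories, string $comment): array
{
    $ch = curl_init('https://api.abuseipdb.com/api/v2/report');
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query(['ip' => $ip, 'categories' => $categories, 'comment' => $comment]),
        CURLOPT_HTTPHEADER     => ['Key: ' . $key, 'Accept: application/json'],
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 10,   // a slow API must not hold the bot's connection open
    ]);
    $body = curl_exec($ch);
    $result = [
        'status' => curl_getinfo($ch, CURLINFO_RESPONSE_CODE),
        'body'   => $body === false ? '' : $body,
        'error'  => curl_error($ch),
    ];
    curl_close($ch);
    return $result;
}

// Request handling, only when served by a web server (the functions above can be exercised from the CLI).
if (PHP_SAPI !== 'cli') {
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // driver errors throw instead of returning false
    $db = new mysqli('[database-host-domain]', '[database_user]', '[database_password]', '[database_name]');
    $abuseIpdbKey = '[key goes here]';
    $ip  = $_SERVER['REMOTE_ADDR'];
    $now = time();
    // req is attacker-controlled: the rewrite copies whatever path the bot asked for into the query string.
    // Bound parameters make its content harmless to the query; the length cap keeps a huge URI out of the
    // table and the report.
    $raw = $_GET['req'] ?? '';
    $request = is_string($raw) ? substr($raw, 0, 512) : '';
    if (!recentlyReported($db, $ip, $now)) {
        $categories = '15,21';   // AbuseIPDB categories: 15 Hacking, 21 Web App Attack
        $comment    = $request === '' ? 'Direct request to honeypot script' : 'Hit on ' . $request;
        recordHit($db, [
            'datetime' => date('M d, Y h:i:s a'), 'time' => $now, 'ip' => $ip, 'ports' => '80,443',
            'categories' => $categories, 'domain' => '[example.tld]', 'request' => $request, 'comment' => $comment,
        ]);
        $r = reportToAbuseIpdb($abuseIpdbKey, $ip, $categories, $comment);
        if ($r['status'] !== 200) {
            error_log('AbuseIPDB report failed: HTTP ' . $r['status'] . ' ' . $r['error'] . ' ' . $r['body']);
        }
    }
    $db->close();
    include '401.php'; // same closing page the posted script serves
}
```

Two points worth noting. Escaping works as long as every interpolated value is escaped and quoted, but it has to be remembered at each query; with bound parameters the data never becomes part of the SQL text, so the question does not arise. And although there is no form, req is still user input: the rewrite copies whatever path the bot requested into the query string, so it should be treated like any other untrusted string (bound, length-limited) before it is stored or forwarded to AbuseIPDB.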
 
Do you have an internal honeypot with “authentication” forms?
I was thinking of deploying one and setting a tripwire on it. Basically, if anybody is trying to auth with this honeypot from the internal network, it’s either a compromised device or an internal threat situation.

No, nothing like that. I have a few revisions I'm working on for my spam-filtering script that stop bots and human users who try to bypass the form dead in their tracks without using cookies or JS by writing temp files outside the web root, which might have some application to what you want to do; but they're not ready for prime-time yet. Those things are winter projects for me.

Rich
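The internal "authentication" tripwire asked about above, as an added example rather than anything from either poster: a fake login page that never authenticates, logs every request, and flags a POST from an RFC 1918 address as the signal the question describes. The log path and the alert hook are placeholders; the page has no back end, so there is nothing behind it to compromise.

```php
<?php
// Added example (not from the thread): a fake internal "login" page used as a tripwire. Nothing
// authenticates; any POST from inside the network is evidence of scanning or credential reuse.
// Hypothetical: the log path and the alert hook.
declare(strict_types=1);

/** True for RFC 1918, loopback and link-local IPv4 sources, i.e. "inside" the network. */
function isInternalAddress(string $ip): bool
{
    $ranges = ['10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16', '127.0.0.0/8', '169.254.0.0/16'];
    $addr = ip2long($ip);
    if ($addr === false) {
        return false; // IPv6 or garbage: treated as external here; extend with inet_pton() if needed
    }
    foreach ($ranges as $cidr) {
        [$net, $bits] = explode('/', $cidr);
        $mask = -1 << (32 - (int)$bits);
        if ((ip2long($net) & $mask) === ($addr & $mask)) {
            return true;
        }
    }
    return false;
}

/** Build the tripwire record for one request and decide whether it warrants an alert. */
function tripwireEvent(string $remoteIp, string $method, array $post, string $userAgent): array
{
    // Never store the submitted password: a confused user or a compromised host may have sent a real one.
    $user = $post['username'] ?? '';
    $event = [
        'time'     => gmdate('c'),
        'ip'       => $remoteIp,
        'internal' => isInternalAddress($remoteIp),
        'method'   => $method,
        'username' => is_string($user) ? substr($user, 0, 64) : '',
        'had_pw'   => isset($post['password']) && $post['password'] !== '',
        'ua'       => substr($userAgent, 0, 200),
    ];
    // A GET is at most a crawl; a POST with credentials from inside the network is the signal.
    $event['alert'] = ($method === 'POST' && $event['internal']);
    return $event;
}

// Request handling, only when served by a web server.
if (PHP_SAPI !== 'cli') {
    $event = tripwireEvent(
        $_SERVER['REMOTE_ADDR'],
        $_SERVER['REQUEST_METHOD'],
        $_POST,
        $_SERVER['HTTP_USER_AGENT'] ?? ''
    );
    // Append-only log outside the web root (hypothetical path).
    file_put_contents('/var/log/honeypot/tripwire.jsonl', json_encode($event) . "\n", FILE_APPEND | LOCK_EX);
    if ($event['alert']) {
        // Hypothetical alert hook: mail(), a webhook, or a syslog line the SIEM already watches.
        error_log('HONEYPOT TRIPWIRE: login attempt from ' . $event['ip'] . ' as ' . $event['username']);
    }
    // Always "fail" the login so the page looks real but never succeeds.
    http_response_code(401);
    echo '<form method="post"><input name="username"><input name="password" type="password">'
       . '<button>Sign in</button></form>';
}
```

Give the page an internal hostname that no real application references; then there is no legitimate reason for anything on the LAN to submit to it, and the false-positive rate of the alert is close to zero. The username is kept because it tells you which account the source host is trying to use; the password is deliberately dropped.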
 
I do something similar with my site. If certain criteria are met I simply have a die; that kills the whole site for IP blocks. Waaaaay less submission spam. I should go check the list to see how many I've got now.

On the Web forms that I actually want spammed, I land the spambots on a success page, then kill the script. I want to encourage the bots to hit it again and again so I can collect more IP's.

Rich
 
I was kind of expecting a thread about beehives purchased from Sam's Club.
 