🍯 honeypot: Catch bad web bots

🍯 honeypot

What is a honeypot:

In computer terminology, a honeypot is a computer security mechanism set to detect, deflect, or, in some manner, counteract attempts at unauthorized use of information systems. Generally, a honeypot consists of data (for example, in a network site) that appears to be a legitimate part of the site that seems to contain information or a resource of value to attackers, but actually, is isolated and monitored and enables blocking or analyzing the attackers. This is similar to police sting operations, colloquially known as “baiting” a suspect.

- Wikipedia

Why set up a honeypot:

Many bad bots will try to attack or DDoS your site. Those same bots will also go after other sites. So, with this honeypot, you can help other people by reporting the bots that hit you.

How to set it up:

  1. Remix the project here.
  2. Get an AbuseIPDB API key here.
  3. Place the AbuseIPDB key in the .env file under ABUSEIPDB_API_KEY. It looks like this: ABUSEIPDB_API_KEY=<PLACE API KEY HERE>

How to add more traps:

All traps are stored in routes.js. A normal entry looks something like:

"/path/to/trap": ["15,19","A normal description."]

If something visits PROJECT_NAME.glitch.me/path/to/trap, its IP is reported for “A normal description.” with the tags ‘Hacking’ and ‘Bad web bot’ (AbuseIPDB categories 15 and 19).
This explains more:

"/trap": ["category,category", "Description"]
  • “/trap”: the path to the trap (website.com/trap)
  • “category,category”: the numbers associated with AbuseIPDB’s categories of attacks. The list can be found here.
  • “Description”: the description of the attack
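As an added example (not the project’s own code), this is the lookup a trap handler has to do: match the request URL against a routes.js-style table, work out the client IP, and build the fields AbuseIPDB expects. The `routes` table is a small constructed subset, and `clientIp` / `buildReport` are names chosen here.

```javascript
// Added example: trap lookup and report construction for a routes.js-style table.
// Constructed two-entry table in the page's format: path -> [categories, description].
const routes = {
  "/.env": ["15,19", "Tried to access environmental variable file (/.env file)"],
  "/hidden": ["15,19", "Bad web bot scraping URLs."],
};

// Resolve the client IP. Behind a reverse proxy (as on Glitch) the real address is
// the first hop in X-Forwarded-For; on a direct connection that header is attacker-
// controlled, so it is only honoured when usingProxy is true. Misreading it would
// mean reporting a spoofed address to AbuseIPDB.
function clientIp(req, usingProxy) {
  const xff = req.headers && req.headers["x-forwarded-for"];
  if (usingProxy && typeof xff === "string" && xff.trim() !== "") {
    return xff.split(",")[0].trim();
  }
  return req.socket ? req.socket.remoteAddress : undefined;
}

// Return the AbuseIPDB report fields for a trap hit, or null if the URL is not a trap.
// req.url includes the query string, so keys like "/?XDEBUG_SESSION_START=phpstorm"
// match exactly as written in the table.
function buildReport(req, usingProxy) {
  const entry = routes[req.url];
  if (!entry) return null;
  const [categories, comment] = entry;
  return { ip: clientIp(req, usingProxy), categories, comment };
}

module.exports = { routes, clientIp, buildReport };
```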

Thanks @RiversideRocks for the traps and the main idea.

You can also see the honeypot in action by going to my profile at: https://www.abuseipdb.com/user/49168

GitHub URL: https://github.com/aboutDavid/honeypot

11 Likes

Oooh! This is cool!

2 Likes

Mhm, here is a list of the traps and descriptions:

module.exports = {
  "/.env": ["15,19", "Tried to access environmental variable file (/.env file)"],
  "/hidden": ["15,19", "Bad web bot scraping URLs."],
  "/larvel/.env": ["15,19", "Tried to access environmental variable file (/.env file)"],
  "/admin/.env": ["15,19", "Tried to access environmental variable file (/.env file)"],
  "/system/.env": ["15,19", "Tried to access environmental variable file (/.env file)"],
  "/api/jsonws/invoke": ["15,19", "Tried to POST web API, /api/jsonws/invoke"],
  "/.git//index": ["15,19", "Attempted to access git files, /.git//index"],
  "/?a=fetch&content=<php>die(@md5(HelloThinkCMF))</php>": ["15,19", "ThinkPHP exploit. /?a=fetch&content=<php>die(@md5(HelloThinkCMF))</php>"],
  "/?XDEBUG_SESSION_START=phpstorm": ["15,19", "PHPSTORM Debug hack"],
  "/solr/admin/info/system?wt=json": ["15,19", "Trying to access solr admin page."],
  "/boaform/admin/formLogin": ["15,19", "Trying to access admin login: /boaform/admin/formLogin"],
  "/config/getuser?index=0": ["15,19", "Trying to access configuration files: /config/getuser?index=0"],
  "/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php": ["15,19", "Attempting to access vendor files: /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php"],
  "/por/login_psw.csp": ["15,19", "Trying to access admin login pages: /por/login_psw.csp"],
  "/ui/login.php": ["15,19", "Trying to access admin login pages: /ui/login.php"],
  "/cgi-bin/login.cgi?requestname=2&cmd=0": ["15,19", "Trying to access admin login pages: /cgi-bin/login.cgi?requestname=2&cmd=0"],
  "/GponForm/diag_Form?images/": ["15,19","Odd Request, trying to access some sort of form: /GponForm/diag_Form?images/"],
  "//vendor/phpunit/phpunit/phpunit.xsd": ["15,19","Trying to access PHPUnit scripts: //vendor/phpunit/phpunit/phpunit.xsd"],
  "//web/wp-includes/wlwmanifest.xml": ["15,19","Attempting to access Wordpress wlwmanifest.xml file."],
  "//wordpress/wp-includes/wlwmanifest.xml": ["15,19","Attempting to access Wordpress wlwmanifest.xml file."],
  "//wp-includes/wlwmanifest.xml": ["15,19","Attempting to access Wordpress wlwmanifest.xml file."],
  "//shop/wp-includes/wlwmanifest.xml": ["15,19","Attempting to access Wordpress wlwmanifest.xml file."],
  "//cms/wp-includes/wlwmanifest.xml": ["15,19","Attempting to access Wordpress wlwmanifest.xml file."],
  "//xmlrpc.php?rsd": ["15,19","Suspicious request; //xmlrpc.php?rsd"],
  "/manager/text/list": ["15,19","Trying to access admin files: /manager/text/list"],
};
2 Likes

It’s not even worth trying to get into .git or .env anyways.

1 Like

Yes it is, many people don’t protect their .env file.

1 Like

By thinking they could just do something like

*puts api key in .env

uses it like

var token = 3efdjie838ruuejrui3juj98ud8iue8irsdfsduf38fd

:man_facepalming:

People still won’t always protect their .env file. They:

  • could be negligent in protecting their file
  • might not know how to
  • might not be able to
1 Like

They might just use a random search result from googling “file server” or “static server”, or write their own code that uses fs.readFile() that’s also vulnerable to dot file paths.

Well, that’s not exactly true. Digging through files in the .git directory can get you information about where the code came from on GitHub/GitLab. You can also view the compressed objects.

3 Likes

I like this project, it’s neat. I just want to note that most of the pages above are PHP-based exploits. Thus, you should have index.php return a 200 to make the bots think you have a PHP site.

5 Likes

So, I’ve decided to change the way it collects IPs for AbuseIPDB. If “using glitch” in config.js is set to true, it will collect from the x-forwarded-for header, as cori said the IP will be there.

4 Likes

It’s come to my attention that some of you have been going to the trap links, which is a bad idea, as you get reported to an IP reporting site (AbuseIPDB), which has been mentioned above in the post.

Please look your IP up on https://abuseipdb.com and request a takedown if you went to one of the links.

Also, you can help catch some bad web bots by adding this to your website:

HTML:

<a class="url" href="https://honeypot.glitch.me/hidden" style="display:none;"></a>

Pug:

a(class="url" href="https://honeypot.glitch.me/hidden" style="display:none;")

And don’t visit the links (or you will get reported)

2 Likes

I’m also launching this onto Heroku for “production” use.

1 Like

I tested it one time on @RiversideRocks’s page and it recorded my IP like 100 times

1 Like

So you were the one sending so many requests to the server

1 Like

Oooh should I add Discord Webhook support? It would allow you to see all of the bots that you have caught.

5 Likes

A chat app has a webhook? This must be a good app.

2 Likes

No

I found my IPs on the site like 6 times

because it has the exact place of where I live

2 Likes

The Discord Webhook feature is up and running!

Also, look at Glitch’s AbuseIPDB page lol: https://www.abuseipdb.com/check/35.175.135.65

5 Likes