New honeypot added to my bot IPs API. It will help to reach 600K distinct bot IPs over the weekend 🔥
Do you talk about how you set up this honeypot? I have been playing with open web forms to capture bots/spam and am curious what others are doing to track/detect these bots.
I could publish something about it. I basically expose several ports used by popular services like MySQL and Elasticsearch, and monitor traffic on these ports.
I've also created fake websites and monitor malicious HTTP requests, e.g. requests that try to access a git conf file.
Yes, e.g. endpoints testing the presence of phpmyadmin, of the boaform vuln (webmasters.stackexchange.com/questions/1371), or of unsecured Apache Solr.
For the moment, my honeypot stores only the IP address. It has basically no interaction (except on SSH).
In the future I'd like to collect more information related to the bot activity on the honeypot, e.g. payloads, credentials tested on login/SSH.
By adding interaction I'll also probably discover more things.
I could use something already existing, but I prefer to code it for pedagogical purposes.
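
The request-matching side of the fake-website honeypot described in this thread, as an added example that is not part of the original thread or the author's code: it classifies HTTP requests against the probe types mentioned above and keeps only distinct source IPs. The concrete paths, the log format and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Probe categories named in the thread; the concrete paths are assumptions
# (commonly scanned locations), not values from the author's honeypot.
PROBES = {
    "git-config": re.compile(r"^/\.git/config$"),
    "phpmyadmin": re.compile(r"^/(phpmyadmin|pma)(/|$)", re.I),
    "boaform": re.compile(r"^/boaform/", re.I),
    "solr": re.compile(r"^/solr(/|$)", re.I),
}

# Minimal parser for Common Log Format lines (assumed log format).
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*"')

def classify(target):
    """Return the probe category for a request target, or None."""
    path = unquote(re.split(r"[?#]", target, maxsplit=1)[0])
    # Collapse duplicate slashes so //.git//config is still recognised.
    path = re.sub(r"/{2,}", "/", path)
    for name, pattern in PROBES.items():
        if pattern.search(path):
            return name
    return None

def collect_bot_ips(lines):
    """Map probe category -> set of source IPs (only the IP is stored)."""
    hits = defaultdict(set)
    for line in lines:
        m = LOG_LINE.match(line)
        if m and (category := classify(m["target"])):
            hits[category].add(m["ip"])
    return dict(hits)

def distinct_ips(hits):
    """All distinct IPs seen across every probe category."""
    return set().union(*hits.values()) if hits else set()

# Constructed sample lines using documentation IP ranges, not real traffic.
TS = "[01/Jan/2021:10:00:00 +0000]"
SAMPLE = [
    f'198.51.100.7 - - {TS} "GET /.git/config HTTP/1.1" 404 0',
    f'198.51.100.7 - - {TS} "GET /phpmyadmin/index.php HTTP/1.1" 404 0',
    f'203.0.113.9 - - {TS} "POST /boaform/admin/formLogin HTTP/1.1" 404 0',
    f'203.0.113.9 - - {TS} "GET //%2egit/config HTTP/1.1" 404 0',
    f'192.0.2.15 - - {TS} "GET /solr/admin/info/system?wt=json HTTP/1.1" 404 0',
    f'192.0.2.44 - - {TS} "GET /index.html HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    print(collect_bot_ips(SAMPLE))
```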

