
@kfriend
Created February 27, 2013 14:54
Simple one-file honeypot
<?php
/*
* Simple Honeypot
*
* Takes a request and stores the user's IP, user-agent, and request URI in log files. Useful
* for logging requests to locations that no one should be poking around.
*
* To do:
* - Add user-agent blocking
*/
// Debug flag. Leave this FALSE on a live honeypot: the debug dump below is
// written to the response before the 404 status header is sent.
define('DEBUG', FALSE);
if (DEBUG)
{
    // Show the three request fields the honeypot records.
    dump(array($_SERVER['REMOTE_ADDR'], $_SERVER['REQUEST_URI'], $_SERVER['HTTP_USER_AGENT']));
}
else
{
    // Outside debug mode, switch off all PHP error reporting.
    error_reporting(0);
}
// Every request gets a 404 status line, whatever was asked for.
header('HTTP/1.0 404 Not Found');
// Static error page. A nowdoc is enough because nothing is interpolated into it.
print <<<'EOS'
<!doctype html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Error</title>
</head>
<body>
<p>
Something went wrong and your request couldn't be completed.
</p>
</body>
</html>
EOS;
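// Settings
// NOTE(review): all four paths are relative to the working directory. If that
// directory is served by the web server, the block lists and both logs can be
// downloaded by anyone; keep them outside the document root or deny access to them.
// A file of IP addresses (or address prefixes) to consider already "blocked." One per line.
// Dots are escaped before matching, so entries are written as plain addresses.
$blocked_ip_file = './blocked_ip.txt';
// A file containing regex URIs to consider "bad." One per line. Patterns are compiled
// with '#' as the delimiter, so '/' needs no escaping; a literal '#' is written '\#'.
$blocked_uri_file = './blocked_uri.txt';
// A log containing all requests that should be reviewed occasionally
$review_file = './review.csv';
// Log of requests matching "bad" URIs
$log_file = './bad_uri_log.csv';
// Regex of IPs to ignore
$good_ip = '192\.168\.1\.';
// What to escape or remove. $escape_to is shorter than $escape: str_replace()
// substitutes an empty string for the unmatched entries, so CR and LF are removed
// and a request cannot start a new row in the CSV logs.
// NOTE(review): the user-agent and URI are attacker-controlled and written unquoted;
// a value beginning with =, +, - or @ is stored as-is, so review the logs in a tool
// that does not evaluate cell formulas.
$escape = array('"', ',', "\n", "\r");
$escape_to = array('\"', '\,');

// Normalize request. A client may omit the User-Agent header entirely, so every
// field falls back to an empty string instead of raising an undefined-index notice.
$ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
$ua = str_replace($escape, $escape_to, isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '');
$uri = str_replace($escape, $escape_to, isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '');

// Exit if IP is white listed
if (preg_match("/{$good_ip}/", $ip)) exit;

// Get naughty IPs. Each line becomes its own pattern. Blank lines are dropped: the
// script appends "\n{$ip}", so the file starts with an empty line, and an empty
// alternative in a combined regex would match every address and stop all logging.
$blocked_ip = array();
$ip_lines = is_readable($blocked_ip_file) ? file($blocked_ip_file, FILE_IGNORE_NEW_LINES) : FALSE;
if ($ip_lines !== FALSE)
{
    foreach ($ip_lines as $line)
    {
        // trim() also removes a trailing "\r" left by CRLF line endings.
        $entry = trim($line);
        if ($entry === '')
        {
            continue;
        }
        $pattern = '(?:' . str_replace('.', '\.', $entry) . ')';
        // Keep an entry from matching inside a longer number: "1.2.3.4" must not
        // block "11.2.3.45". The guard is only added on a side where the entry itself
        // starts or ends with a digit, so prefixes such as "10.0." keep working.
        if (preg_match('/^[0-9A-Fa-f]/', $entry))
        {
            $pattern = '(?<![0-9A-Fa-f])' . $pattern;
        }
        if (preg_match('/[0-9A-Fa-f]$/', $entry))
        {
            $pattern .= '(?![0-9A-Fa-f])';
        }
        $blocked_ip[] = $pattern;
    }
}

// Get naughty URIs, one regex per non-empty line.
$blocked_uri = array();
$uri_lines = is_readable($blocked_uri_file) ? file($blocked_uri_file, FILE_IGNORE_NEW_LINES) : FALSE;
if ($uri_lines !== FALSE)
{
    foreach ($uri_lines as $line)
    {
        $entry = trim($line);
        if ($entry !== '')
        {
            $blocked_uri[] = $entry;
        }
    }
}

/*
* Returns TRUE when $subject matches at least one of the regex bodies in $patterns.
*
* Each body is compiled on its own, so one malformed line cannot disable the rest of
* the list; a pattern that fails to compile counts as "no match". An empty list
* never matches.
*/
function honeypot_matches_any($patterns, $subject)
{
    foreach ($patterns as $pattern)
    {
        // preg_match() returns 1 on a match, 0 on no match and FALSE on error.
        if (preg_match('#' . $pattern . '#', $subject) === 1)
        {
            return TRUE;
        }
    }
    return FALSE;
}

// Compare requester IP to blocked list
if (honeypot_matches_any($blocked_ip, $ip))
{
    if (DEBUG) puts('Blocked IP!');
    // Don't do anything at this time as the IP has already been blocked.
}
// Compare requested URI to blocked list. $uri is the escaped form that is logged.
elseif (honeypot_matches_any($blocked_uri, $uri))
{
    if (DEBUG) puts('Blocked URI!');
    // Add IP to blocked list (nothing to add when the server supplied no address)
    if ($ip !== '')
    {
        file_put_contents($blocked_ip_file, "\n{$ip}", FILE_APPEND);
    }
    // Log the request
    file_put_contents($review_file, "\nUA,{$ip},{$ua},{$uri}", FILE_APPEND);
    file_put_contents($log_file, "\nURI Request,{$ip},{$ua},{$uri}", FILE_APPEND);
}
else
{
    if (DEBUG) puts('New item for review');
    file_put_contents($review_file, "\nNew,{$ip},{$ua},{$uri}", FILE_APPEND);
}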
// Debugging Functions
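/*
* Debug helper: prints a value with print_r() inside <pre> tags.
*
* The printed text is HTML-escaped, because the script calls this with raw
* request fields (address, URI, user-agent) that the client controls.
*
* $array  - the value to print (any type print_r() accepts)
* $format - when non-empty, an <hr> is written before and after the block
*/
function dump($array, $format = FALSE)
{
    $ruled = ! empty($format);
    if ($ruled)
    {
        echo '<hr>';
    }
    echo '<pre>';
    // print_r(..., TRUE) returns the text instead of printing it, so it can be escaped.
    echo htmlspecialchars(print_r($array, TRUE), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    echo '</pre>';
    if ($ruled)
    {
        echo '<hr>';
    }
}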
/*
* Debug helper: writes $string followed by an HTML line break.
* The text is written as given, with no escaping.
*/
function puts($string)
{
    echo $string, '<br />';
}