express-honeypot
Express honeypot is a honeypot for remote file inclusion (RFI) and local file inclusion (LFI).
The aim of this project is to catch bots and malware that scan websites and try to upload remote files.
Those RFI / LFI bots use a list of Google dorks to search the web for vulnerable websites.
Express honeypot uses 310 fake URLs based on RFI / LFI dorks and serves them dynamically.
Every request to any of the honeypot URLs is logged, and the remote file is downloaded and safely stored.
This honeypot is written in JavaScript and uses Express as its web server.
A light logs viewer page is available at /beekeeper but I think it needs to have more commands.
Development is still in progress but the core architecture won't change, so you are safe to start using it.
Clone the project and install the dependencies:
git clone https://github.com/christophe77/express-honeypot
cd express-honeypot
yarn install
Edit the /express/config.js file.
port is the port for the web server.
beekeeperCredentials is the username and password used to access the /beekeeper URL.
remoteFileSave selects whether the remote file is saved on your local drive, on dpaste, or on both.
googleVerification is the key given in Google Search Console to validate your website.
Once installed, you can start the app with:
yarn start
The app starts a web server and generates a sitemap with known vulnerable paths from phpBB, Joomla,....
When a visitor opens a URL and tries to include a remote file, the information about the request is stored in a JSON file in the /express/hive directory.
The remote file used for the inclusion is downloaded into the hive folder with a .bee extension: /express/hive/files/YYYY-MM-DD/filename.ext.bee
When a URL is opened, a fake page is displayed with some basic HTML tags, random text and some SEO for Google bots.
If the page is opened with a remote file in the URL, the content of the file is added to the response body as if the injection had worked.
It is displayed as text and no real injection is possible.
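The handling described above, as an added example that is not express-honeypot's own code: it spots a query parameter carrying a remote file URL, builds the JSON record and an inert .bee storage path, and escapes content so it can only be shown as text. The function names, record fields and sample request are assumptions, and the download itself is left out so the block runs offline.

```javascript
// Added example. Function names are hypothetical, not express-honeypot's own code.
const HIVE_FILES = '/express/hive/files'; // storage root named in the README

// Return a URL object only for values that point at a remote file.
function parseRemote(value) {
  try {
    const u = new URL(value); // relative values (LFI-style paths) throw here
    return ['http:', 'https:', 'ftp:'].includes(u.protocol) ? u : null;
  } catch {
    return null;
  }
}

// Build hive/files/YYYY-MM-DD/<name>.bee from a URL chosen by the requester.
function beePath(remote, now) {
  const raw = remote.pathname.split('/').pop() || 'index';
  // Allow-list characters so the name cannot contain separators, and
  // neutralise leading dots so it cannot be "." or "..".
  const safe = raw.replace(/[^A-Za-z0-9._-]/g, '_').replace(/^\.+/, '_').slice(0, 100);
  return `${HIVE_FILES}/${now.toISOString().slice(0, 10)}/${safe}.bee`;
}

// Escape fetched content so it is shown as text and never interpreted.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// One log record per query parameter that carries a remote file URL.
function hiveRecords(req, now = new Date()) {
  const params = new URL(req.url, 'http://honeypot.invalid').searchParams;
  const records = [];
  for (const [param, value] of params) {
    const remote = parseRemote(value);
    if (!remote) continue;
    records.push({ time: now.toISOString(), ip: req.ip, userAgent: req.userAgent,
      url: req.url, param, remote: remote.href, savedAs: beePath(remote, now) });
  }
  return records;
}

// Constructed sample request, using documentation-only addresses.
const sample = { url: '/index.php?page=http://files.example/dir/payload.txt&id=3',
  ip: '203.0.113.9', userAgent: 'constructed-bot/1.0' };
console.log(hiveRecords(sample));
console.log(escapeHtml('<?php echo "constructed"; ?>'));
```

The allow-list in beePath is what keeps a requester-chosen file name from steering the write outside the dated hive folder.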
For the honeypot to be effective, it needs to be indexed by search engines.
Google Search Console is the best place to start.
To check the logs, go to your-website.com/beekeeper
To add URLs, open /express/pages.js and add new data.
FAQs
We found that express-honeypot demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.