Share
## https://sploitus.com/exploit?id=224AAE7B-7C88-554C-BD4C-7FD5F417108F
# ReportedIP Honeypot Server

[![License: BSL 1.1](https://img.shields.io/badge/License-BSL%201.1-blue.svg)](LICENSE)
[![PHP: 8.2+](https://img.shields.io/badge/PHP-8.2%2B-777BB4.svg)](https://php.net)

A standalone PHP honeypot server that emulates CMS installations (WordPress, Drupal, Joomla) to detect and report malicious traffic to the [reportedip.de](https://reportedip.de) API.

Zero external Composer dependencies. Runs on vanilla PHP 8.2+. Uses SQLite for persistence.

---

> **We're looking for testers and community members!**
>
> We are actively searching for test users and contributors who want to help improve the data quality and detection coverage of [reportedip.de](https://reportedip.de). Every honeypot instance you run contributes attack data that helps protect the entire community.
>
> **To get started, you need a Community Access Key (API key).** Please contact us at **[1@reportedip.de](mailto:1@reportedip.de)** to request your key. It's free.
>
> Whether you're running a small VPS, a shared hosting account, or a dedicated server β€” every installation helps.

---

## Features

- **CMS Emulation** β€” Realistic WordPress, Drupal, and Joomla front-ends with login pages, admin panels, REST APIs, RSS feeds, sitemaps, and vulnerability paths
- **36 Threat Analyzers** β€” SQL injection, XSS, path traversal, brute force, credential stuffing, SSRF, XML-RPC abuse, plugin exploits, config file access, and more
- **Automatic Reporting** β€” Detected threats are queued and batch-reported to the reportedip.de API with rate limiting and exponential backoff
- **Admin Dashboard** β€” Web-based panel for monitoring attacks, viewing statistics, managing whitelists, and generating AI content
- **AI Content Generation** β€” Optional OpenAI integration to generate realistic blog posts for the fake CMS (AJAX-based, one post at a time to avoid timeouts)
- **Bot Detection** β€” Classifies visitors as good bots, bad bots, AI agents, hackers, or humans
- **Cloudflare Support** β€” Real IP resolution behind Cloudflare and custom reverse proxies via trusted_proxies config
- **Security Hardened** β€” CSRF protection, bcrypt auth, brute-force lockout, security headers (CSP, X-Frame-Options, HSTS), session IP binding
- **Docker Ready** β€” Ships with Dockerfile and docker-compose for instant deployment
- **Zero Dependencies** β€” No external Composer packages; built-in PSR-4 autoloader fallback

## Requirements

- PHP 8.2+
- Extensions: `pdo_sqlite`, `curl`, `json`
- Web server (nginx or Apache) with all requests routed to `public/index.php`

## Quick Start

### Docker

```bash
git clone https://github.com/reportedip/honeypot-server.git
cd honeypot-server
php install.php
docker compose -f docker/docker-compose.yml up -d
```

### Manual Installation

```bash
git clone https://github.com/reportedip/honeypot-server.git
cd honeypot-server
php install.php
```

The install wizard guides you through:

1. PHP version and extension checks
2. Community Access Key β€” contact **[1@reportedip.de](mailto:1@reportedip.de)** to get yours (free)
3. CMS profile selection (WordPress / Drupal / Joomla)
4. Admin panel path and password
5. Optional OpenAI API key for AI content generation
6. Database initialization and IP whitelisting

Then configure your web server:

- **nginx** β€” Copy `config/nginx.conf.example` and adjust paths
- **Apache** β€” Copy `config/apache.htaccess.example` to your document root

### Queue Processing

By default, the honeypot uses **web cron mode**: the report queue is automatically processed in small batches (2 reports) after every page visit. No external cron job is needed. This is ideal for shared hosting.

For high-traffic installations, switch to **cron mode** in `config/config.php`:

```php
'queue_mode' => 'cron',
```

Then set up a cron job:

```bash
# Process the report queue every 5 minutes
*/5 * * * * php /path/to/honeypot-server/cli.php process-queue
```

Cleanup of old entries runs automatically in both modes.

## Configuration

All settings are in `config/config.php` (generated by the installer). See `config/config.example.php` for defaults and documentation.

### Core Settings

| Option | Default | Description |
|---|---|---|
| `api_key` | `''` | Community Access Key β€” request at [1@reportedip.de](mailto:1@reportedip.de) |
| `api_url` | `'https://reportedip.de/...'` | API endpoint URL |
| `cms_profile` | `'wordpress'` | CMS to emulate: `wordpress`, `drupal`, `joomla` |
| `admin_path` | `'/_hp_admin'` | Path to the honeypot admin panel |
| `admin_password_hash` | `''` | Bcrypt hash (set by installer) |
| `db_path` | `'data/honeypot.sqlite'` | SQLite database path |
| `trusted_proxies` | Cloudflare CIDRs | Trusted proxy IP ranges for real IP resolution |
| `debug` | `false` | Enable verbose error output |

### Rate Limiting & Retention

| Option | Default | Description |
|---|---|---|
| `rate_limit_per_ip` | `10` | Max log entries per IP per minute |
| `report_rate_limit` | `60` | Max API reports per minute |
| `report_batch_size` | `10` | Reports per cron batch |
| `queue_mode` | `'web'` | `'web'` (automatic) or `'cron'` (manual via cli.php) |
| `log_retention_days` | `90` | Days to keep log entries |
| `session_lifetime` | `3600` | Admin session lifetime (seconds) |

### AI Content Generation (Optional)

| Option | Default | Description |
|---|---|---|
| `openai_api_key` | `''` | OpenAI API key (enables content generation) |
| `openai_base_url` | `'https://api.openai.com/v1'` | API base URL (change for compatible providers) |
| `openai_model` | `'gpt-4o-mini'` | Model to use for generation |
| `content_language` | `'en'` | Default language (`en` or `de`) |
| `content_niche` | `''` | Default topic niche for posts |

## CMS Profiles

Each profile emulates a specific CMS with realistic URL patterns, HTTP headers, and response templates:

| Profile | Emulated Paths | Fake Headers |
|---|---|---|
| **WordPress** | `wp-login.php`, `wp-admin/`, `wp-json/`, `xmlrpc.php`, `/feed/`, plugin paths | `X-Pingback`, `Link: wp-json`, `Server: Apache` |
| **Drupal** | `user/login`, `admin/`, `jsonapi/`, `update.php`, module paths | `X-Generator: Drupal 10`, `X-Drupal-Cache` |
| **Joomla** | `administrator/`, `api/`, `component/` paths | `X-Content-Encoded-By: Joomla! 4.4` |

## Detection System

The `DetectionPipeline` runs 36 analyzers on every request:

| Analyzer | Detects |
|---|---|
| `SqlInjectionAnalyzer` | SQL injection in query params, POST data, headers |
| `XssAnalyzer` | Cross-site scripting via script tags, event handlers |
| `PathTraversalAnalyzer` | Directory traversal (`../`, encoded variants) |
| `BruteForceAnalyzer` | Repeated login attempts |
| `CredentialStuffingAnalyzer` | Common username/password combinations |
| `PathScanningAnalyzer` | Probing for admin panels, backup files |
| `PluginExploitAnalyzer` | Known CMS plugin vulnerability paths |
| `ConfigAccessAnalyzer` | Attempts to access `.env`, `wp-config.php`, etc. |
| `VulnerabilityProbeAnalyzer` | Shellshock, Log4Shell, PHPUnit exploits |
| `XmlRpcAnalyzer` | XML-RPC pingback abuse, method enumeration |
| `UserAgentAnalyzer` | Malicious tools (sqlmap, nikto, dirbuster) |
| `HeaderAnomalyAnalyzer` | Missing/suspicious HTTP headers |
| `HttpVerbAnalyzer` | Unusual HTTP methods (TRACE, DELETE, etc.) |
| `SsrfAnalyzer` | Server-side request forgery attempts |
| `FormSpamAnalyzer` | Spam submissions via comment/contact forms |
| `ThemeExploitAnalyzer` | Theme vulnerability exploitation, TimThumb access, theme editor abuse |
| `UserEnumerationAnalyzer` | User enumeration via author params, REST API, sitemaps |
| `FileUploadMalwareAnalyzer` | Malicious file uploads, double extensions, PHP code signatures |
| `AdminDirectoryScanningAnalyzer` | CMS admin directory scanning and probing |
| `ResourceExhaustionAnalyzer` | DoS attacks, oversized requests, regex DoS, XML entity expansion |
| `WpCronAbuseAnalyzer` | WP-Cron abuse, heartbeat abuse, REST API bulk operations |
| `VersionFingerprintingAnalyzer` | CMS version fingerprinting via readme/license files, version params |
| `DatabaseBackupAccessAnalyzer` | Database dump and backup file access attempts |
| `RegistrationHoneypotAnalyzer` | Automated registration spam, disposable emails, bot patterns |
| `SearchSpamAnalyzer` | Search functionality abuse, injection via search params |
| `TrackbackPingbackSpamAnalyzer` | Trackback/pingback spam, DDoS amplification |
| `MediaLibraryAbuseAnalyzer` | Media library abuse, upload directory scanning |
| `WpCliAbuseAnalyzer` | WP-CLI abuse, dangerous AJAX actions, object injection |
| `CoreFileModificationAnalyzer` | Core file modification via plugin/theme editors |
| `AjaxEndpointAbuseAnalyzer` | AJAX and admin-post endpoint abuse |
| `OpenRedirectAnalyzer` | Open redirect attacks, JavaScript protocol handlers |
| `PasswordResetAbuseAnalyzer` | Password reset abuse, Host header injection |
| `SessionHijackingAnalyzer` | Session hijacking, cookie manipulation, session fixation |
| `UnicodeEncodingAttackAnalyzer` | Unicode/encoding bypass attacks, overlong UTF-8, null bytes |
| `RateLimitBypassAnalyzer` | Rate limit bypass via header spoofing, proxy chain manipulation |
| `JavaScriptInjectionAnalyzer` | JS injection, DOM-based XSS, prototype pollution |

Each detection produces a `DetectionResult` with category IDs (mapped to reportedip.de categories), severity score (1-100), and a human-readable comment.

## Admin Panel

Access the admin panel at your configured path (default: `/_hp_admin`).

### Pages

- **Dashboard** β€” Attack statistics, activity chart, top IPs, top categories, cron status, system info
- **Logs** β€” Filterable attack log with search, IP filter, category filter, status filter
- **Whitelist** β€” Add/remove IPs and CIDR ranges from the whitelist
- **Content** β€” Manage AI-generated blog posts for the fake CMS
- **Visitors** β€” Bot/visitor classification log with type breakdown

### Security Features

- Bcrypt password authentication with brute-force lockout (5 attempts, 15-minute window)
- CSRF protection on all state-changing actions (including logout)
- Session IP binding to prevent session hijacking
- Security headers: `X-Frame-Options: DENY`, `Content-Security-Policy`, `X-Content-Type-Options: nosniff`, `Referrer-Policy`, `Permissions-Policy`, `Cache-Control: no-store`
- `SameSite=Strict` and `HttpOnly` session cookies

## CLI Commands

```bash
php cli.php stats                        # Show attack statistics
php cli.php process-queue                # Send pending reports to API
php cli.php cleanup [--days=90]          # Remove old log entries
php cli.php whitelist-add  [desc]    # Add IP/CIDR to whitelist
php cli.php whitelist-remove         # Remove IP from whitelist
php cli.php whitelist-list               # Show all whitelist entries
php cli.php test-api                     # Test API connectivity
```

## Project Structure

```
reportedip-honeypot-server/
β”œβ”€β”€ public/index.php              # Single entry point (document root)
β”œβ”€β”€ install.php                   # Interactive install wizard
β”œβ”€β”€ cli.php                       # CLI tool for cron and management
β”œβ”€β”€ config/
β”‚   β”œβ”€β”€ config.example.php        # Configuration template
β”‚   β”œβ”€β”€ nginx.conf.example        # Nginx config template
β”‚   └── apache.htaccess.example   # Apache config template
β”œβ”€β”€ src/
β”‚   β”œβ”€β”€ Core/                     # App, Request, Response, Router, Config, Cache
β”‚   β”œβ”€β”€ Detection/                # DetectionPipeline + 36 Analyzers
β”‚   β”œβ”€β”€ Network/                  # IpResolver, CidrMatcher
β”‚   β”œβ”€β”€ Persistence/              # Database, Logger, VisitorLogger, Whitelist
β”‚   β”œβ”€β”€ Api/                      # ReportClient, ReportQueue
β”‚   β”œβ”€β”€ Profile/                  # CmsProfile, WordPress/Drupal/Joomla profiles
β”‚   β”œβ”€β”€ Content/                  # ContentGenerator, ContentRepository
β”‚   β”œβ”€β”€ Admin/                    # AdminController, AdminAuth, Dashboard, LogViewer
β”‚   └── Trap/                     # 13 trap handlers (Login, Admin, Home, Content, ...)
β”œβ”€β”€ templates/
β”‚   β”œβ”€β”€ admin/                    # Admin panel templates (layout, dashboard, logs, ...)
β”‚   β”œβ”€β”€ wordpress/                # WordPress trap templates
β”‚   β”œβ”€β”€ drupal/                   # Drupal trap templates
β”‚   └── joomla/                   # Joomla trap templates
β”œβ”€β”€ tests/                        # 311+ tests (unit + analyzer + integration)
β”œβ”€β”€ docker/                       # Dockerfile, docker-compose.yml, nginx/php-fpm configs
└── data/                         # SQLite DB, cache, logs (gitignored)
```

## Testing

The project uses a custom lightweight test framework (no PHPUnit dependency):

```bash
php tests/run-tests.php                  # Run all tests
php tests/run-tests.php --integration    # Include integration tests
php tests/run-tests.php --filter Config  # Filter by class name
php tests/run-tests.php --verbose        # Show timing per test
```

## How It Works

1. All HTTP requests hit `public/index.php`
2. `IpResolver` determines the real client IP (Cloudflare/proxy-aware)
3. `Router` checks if the request targets the admin panel
4. For honeypot requests: `Whitelist` check, then `DetectionPipeline` runs all 36 analyzers
5. Detections are logged to SQLite with `sent=0` (queued for reporting)
6. `Router` matches the path against the active CMS profile to select a trap
7. The trap renders a convincing CMS-like response (login page, blog post, RSS feed, etc.)
8. After the response is sent, web cron processes a micro-batch of queued reports to the reportedip.de API (or a cron job does it in cron mode)

## Contributing

Contributions are welcome! Please read [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines.

## Author

**Patrick Schlesinger**
- Website: [reportedip.de](https://reportedip.de)
- Email: 1@reportedip.de

## License

This project is licensed under the **Business Source License 1.1** (BSL 1.1).

- **Production use is permitted** (including by companies), EXCEPT offering this software as a hosted/managed service to third parties or selling it as a commercial product.
- On **2030-03-01**, the license automatically converts to **Apache License 2.0**.

See [LICENSE](LICENSE) for the full text.

## Legal / Disclaimer

**By using this software, you agree to the terms in [DISCLAIMER.md](DISCLAIMER.md).**

- **No Warranty**: This software is provided "AS IS" without warranty of any kind.
- **Legal Compliance**: You are solely responsible for compliance with all applicable laws in your jurisdiction regarding honeypot operation and data collection.
- **Data Privacy**: You are the data controller for any personal data (IP addresses) collected by this software.
- **Risk**: Running a honeypot involves inherent security risks. The authors are not liable for any damages.

**Bitte beachten Sie den ausfΓΌhrlichen Haftungsausschluss in [DISCLAIMER.md](DISCLAIMER.md).**