Share
## https://sploitus.com/exploit?id=224AAE7B-7C88-554C-BD4C-7FD5F417108F
# ReportedIP Honeypot Server
[](LICENSE)
[](https://php.net)
A standalone PHP honeypot server that emulates CMS installations (WordPress, Drupal, Joomla) to detect and report malicious traffic to the [reportedip.de](https://reportedip.de) API.
Zero external Composer dependencies. Runs on vanilla PHP 8.2+. Uses SQLite for persistence.
---
> **We're looking for testers and community members!**
>
> We are actively searching for test users and contributors who want to help improve the data quality and detection coverage of [reportedip.de](https://reportedip.de). Every honeypot instance you run contributes attack data that helps protect the entire community.
>
> **To get started, you need a Community Access Key (API key).** Please contact us at **[1@reportedip.de](mailto:1@reportedip.de)** to request your key. It's free.
>
> Whether you're running a small VPS, a shared hosting account, or a dedicated server β every installation helps.
---
## Features
- **CMS Emulation** β Realistic WordPress, Drupal, and Joomla front-ends with login pages, admin panels, REST APIs, RSS feeds, sitemaps, and vulnerability paths
- **36 Threat Analyzers** β SQL injection, XSS, path traversal, brute force, credential stuffing, SSRF, XML-RPC abuse, plugin exploits, config file access, and more
- **Automatic Reporting** β Detected threats are queued and batch-reported to the reportedip.de API with rate limiting and exponential backoff
- **Admin Dashboard** β Web-based panel for monitoring attacks, viewing statistics, managing whitelists, and generating AI content
- **AI Content Generation** β Optional OpenAI integration to generate realistic blog posts for the fake CMS (AJAX-based, one post at a time to avoid timeouts)
- **Bot Detection** β Classifies visitors as good bots, bad bots, AI agents, hackers, or humans
- **Cloudflare Support** β Real IP resolution behind Cloudflare and custom reverse proxies via trusted_proxies config
- **Security Hardened** β CSRF protection, bcrypt auth, brute-force lockout, security headers (CSP, X-Frame-Options, HSTS), session IP binding
- **Docker Ready** β Ships with Dockerfile and docker-compose for instant deployment
- **Zero Dependencies** β No external Composer packages; built-in PSR-4 autoloader fallback
## Requirements
- PHP 8.2+
- Extensions: `pdo_sqlite`, `curl`, `json`
- Web server (nginx or Apache) with all requests routed to `public/index.php`
## Quick Start
### Docker
```bash
git clone https://github.com/reportedip/honeypot-server.git
cd honeypot-server
php install.php
docker compose -f docker/docker-compose.yml up -d
```
### Manual Installation
```bash
git clone https://github.com/reportedip/honeypot-server.git
cd honeypot-server
php install.php
```
The install wizard guides you through:
1. PHP version and extension checks
2. Community Access Key β contact **[1@reportedip.de](mailto:1@reportedip.de)** to get yours (free)
3. CMS profile selection (WordPress / Drupal / Joomla)
4. Admin panel path and password
5. Optional OpenAI API key for AI content generation
6. Database initialization and IP whitelisting
Then configure your web server:
- **nginx** β Copy `config/nginx.conf.example` and adjust paths
- **Apache** β Copy `config/apache.htaccess.example` to your document root
### Queue Processing
By default, the honeypot uses **web cron mode**: the report queue is automatically processed in small batches (2 reports) after every page visit. No external cron job is needed. This is ideal for shared hosting.
For high-traffic installations, switch to **cron mode** in `config/config.php`:
```php
'queue_mode' => 'cron',
```
Then set up a cron job:
```bash
# Process the report queue every 5 minutes
*/5 * * * * php /path/to/honeypot-server/cli.php process-queue
```
Cleanup of old entries runs automatically in both modes.
## Configuration
All settings are in `config/config.php` (generated by the installer). See `config/config.example.php` for defaults and documentation.
### Core Settings
| Option | Default | Description |
|---|---|---|
| `api_key` | `''` | Community Access Key β request at [1@reportedip.de](mailto:1@reportedip.de) |
| `api_url` | `'https://reportedip.de/...'` | API endpoint URL |
| `cms_profile` | `'wordpress'` | CMS to emulate: `wordpress`, `drupal`, `joomla` |
| `admin_path` | `'/_hp_admin'` | Path to the honeypot admin panel |
| `admin_password_hash` | `''` | Bcrypt hash (set by installer) |
| `db_path` | `'data/honeypot.sqlite'` | SQLite database path |
| `trusted_proxies` | Cloudflare CIDRs | Trusted proxy IP ranges for real IP resolution |
| `debug` | `false` | Enable verbose error output |
### Rate Limiting & Retention
| Option | Default | Description |
|---|---|---|
| `rate_limit_per_ip` | `10` | Max log entries per IP per minute |
| `report_rate_limit` | `60` | Max API reports per minute |
| `report_batch_size` | `10` | Reports per cron batch |
| `queue_mode` | `'web'` | `'web'` (automatic) or `'cron'` (manual via cli.php) |
| `log_retention_days` | `90` | Days to keep log entries |
| `session_lifetime` | `3600` | Admin session lifetime (seconds) |
### AI Content Generation (Optional)
| Option | Default | Description |
|---|---|---|
| `openai_api_key` | `''` | OpenAI API key (enables content generation) |
| `openai_base_url` | `'https://api.openai.com/v1'` | API base URL (change for compatible providers) |
| `openai_model` | `'gpt-4o-mini'` | Model to use for generation |
| `content_language` | `'en'` | Default language (`en` or `de`) |
| `content_niche` | `''` | Default topic niche for posts |
## CMS Profiles
Each profile emulates a specific CMS with realistic URL patterns, HTTP headers, and response templates:
| Profile | Emulated Paths | Fake Headers |
|---|---|---|
| **WordPress** | `wp-login.php`, `wp-admin/`, `wp-json/`, `xmlrpc.php`, `/feed/`, plugin paths | `X-Pingback`, `Link: wp-json`, `Server: Apache` |
| **Drupal** | `user/login`, `admin/`, `jsonapi/`, `update.php`, module paths | `X-Generator: Drupal 10`, `X-Drupal-Cache` |
| **Joomla** | `administrator/`, `api/`, `component/` paths | `X-Content-Encoded-By: Joomla! 4.4` |
## Detection System
The `DetectionPipeline` runs 36 analyzers on every request:
| Analyzer | Detects |
|---|---|
| `SqlInjectionAnalyzer` | SQL injection in query params, POST data, headers |
| `XssAnalyzer` | Cross-site scripting via script tags, event handlers |
| `PathTraversalAnalyzer` | Directory traversal (`../`, encoded variants) |
| `BruteForceAnalyzer` | Repeated login attempts |
| `CredentialStuffingAnalyzer` | Common username/password combinations |
| `PathScanningAnalyzer` | Probing for admin panels, backup files |
| `PluginExploitAnalyzer` | Known CMS plugin vulnerability paths |
| `ConfigAccessAnalyzer` | Attempts to access `.env`, `wp-config.php`, etc. |
| `VulnerabilityProbeAnalyzer` | Shellshock, Log4Shell, PHPUnit exploits |
| `XmlRpcAnalyzer` | XML-RPC pingback abuse, method enumeration |
| `UserAgentAnalyzer` | Malicious tools (sqlmap, nikto, dirbuster) |
| `HeaderAnomalyAnalyzer` | Missing/suspicious HTTP headers |
| `HttpVerbAnalyzer` | Unusual HTTP methods (TRACE, DELETE, etc.) |
| `SsrfAnalyzer` | Server-side request forgery attempts |
| `FormSpamAnalyzer` | Spam submissions via comment/contact forms |
| `ThemeExploitAnalyzer` | Theme vulnerability exploitation, TimThumb access, theme editor abuse |
| `UserEnumerationAnalyzer` | User enumeration via author params, REST API, sitemaps |
| `FileUploadMalwareAnalyzer` | Malicious file uploads, double extensions, PHP code signatures |
| `AdminDirectoryScanningAnalyzer` | CMS admin directory scanning and probing |
| `ResourceExhaustionAnalyzer` | DoS attacks, oversized requests, regex DoS, XML entity expansion |
| `WpCronAbuseAnalyzer` | WP-Cron abuse, heartbeat abuse, REST API bulk operations |
| `VersionFingerprintingAnalyzer` | CMS version fingerprinting via readme/license files, version params |
| `DatabaseBackupAccessAnalyzer` | Database dump and backup file access attempts |
| `RegistrationHoneypotAnalyzer` | Automated registration spam, disposable emails, bot patterns |
| `SearchSpamAnalyzer` | Search functionality abuse, injection via search params |
| `TrackbackPingbackSpamAnalyzer` | Trackback/pingback spam, DDoS amplification |
| `MediaLibraryAbuseAnalyzer` | Media library abuse, upload directory scanning |
| `WpCliAbuseAnalyzer` | WP-CLI abuse, dangerous AJAX actions, object injection |
| `CoreFileModificationAnalyzer` | Core file modification via plugin/theme editors |
| `AjaxEndpointAbuseAnalyzer` | AJAX and admin-post endpoint abuse |
| `OpenRedirectAnalyzer` | Open redirect attacks, JavaScript protocol handlers |
| `PasswordResetAbuseAnalyzer` | Password reset abuse, Host header injection |
| `SessionHijackingAnalyzer` | Session hijacking, cookie manipulation, session fixation |
| `UnicodeEncodingAttackAnalyzer` | Unicode/encoding bypass attacks, overlong UTF-8, null bytes |
| `RateLimitBypassAnalyzer` | Rate limit bypass via header spoofing, proxy chain manipulation |
| `JavaScriptInjectionAnalyzer` | JS injection, DOM-based XSS, prototype pollution |
Each detection produces a `DetectionResult` with category IDs (mapped to reportedip.de categories), severity score (1-100), and a human-readable comment.
## Admin Panel
Access the admin panel at your configured path (default: `/_hp_admin`).
### Pages
- **Dashboard** β Attack statistics, activity chart, top IPs, top categories, cron status, system info
- **Logs** β Filterable attack log with search, IP filter, category filter, status filter
- **Whitelist** β Add/remove IPs and CIDR ranges from the whitelist
- **Content** β Manage AI-generated blog posts for the fake CMS
- **Visitors** β Bot/visitor classification log with type breakdown
### Security Features
- Bcrypt password authentication with brute-force lockout (5 attempts, 15-minute window)
- CSRF protection on all state-changing actions (including logout)
- Session IP binding to prevent session hijacking
- Security headers: `X-Frame-Options: DENY`, `Content-Security-Policy`, `X-Content-Type-Options: nosniff`, `Referrer-Policy`, `Permissions-Policy`, `Cache-Control: no-store`
- `SameSite=Strict` and `HttpOnly` session cookies
## CLI Commands
```bash
php cli.php stats # Show attack statistics
php cli.php process-queue # Send pending reports to API
php cli.php cleanup [--days=90] # Remove old log entries
php cli.php whitelist-add [desc] # Add IP/CIDR to whitelist
php cli.php whitelist-remove # Remove IP from whitelist
php cli.php whitelist-list # Show all whitelist entries
php cli.php test-api # Test API connectivity
```
## Project Structure
```
reportedip-honeypot-server/
βββ public/index.php # Single entry point (document root)
βββ install.php # Interactive install wizard
βββ cli.php # CLI tool for cron and management
βββ config/
β βββ config.example.php # Configuration template
β βββ nginx.conf.example # Nginx config template
β βββ apache.htaccess.example # Apache config template
βββ src/
β βββ Core/ # App, Request, Response, Router, Config, Cache
β βββ Detection/ # DetectionPipeline + 36 Analyzers
β βββ Network/ # IpResolver, CidrMatcher
β βββ Persistence/ # Database, Logger, VisitorLogger, Whitelist
β βββ Api/ # ReportClient, ReportQueue
β βββ Profile/ # CmsProfile, WordPress/Drupal/Joomla profiles
β βββ Content/ # ContentGenerator, ContentRepository
β βββ Admin/ # AdminController, AdminAuth, Dashboard, LogViewer
β βββ Trap/ # 13 trap handlers (Login, Admin, Home, Content, ...)
βββ templates/
β βββ admin/ # Admin panel templates (layout, dashboard, logs, ...)
β βββ wordpress/ # WordPress trap templates
β βββ drupal/ # Drupal trap templates
β βββ joomla/ # Joomla trap templates
βββ tests/ # 311+ tests (unit + analyzer + integration)
βββ docker/ # Dockerfile, docker-compose.yml, nginx/php-fpm configs
βββ data/ # SQLite DB, cache, logs (gitignored)
```
## Testing
The project uses a custom lightweight test framework (no PHPUnit dependency):
```bash
php tests/run-tests.php # Run all tests
php tests/run-tests.php --integration # Include integration tests
php tests/run-tests.php --filter Config # Filter by class name
php tests/run-tests.php --verbose # Show timing per test
```
## How It Works
1. All HTTP requests hit `public/index.php`
2. `IpResolver` determines the real client IP (Cloudflare/proxy-aware)
3. `Router` checks if the request targets the admin panel
4. For honeypot requests: `Whitelist` check, then `DetectionPipeline` runs all 36 analyzers
5. Detections are logged to SQLite with `sent=0` (queued for reporting)
6. `Router` matches the path against the active CMS profile to select a trap
7. The trap renders a convincing CMS-like response (login page, blog post, RSS feed, etc.)
8. After the response is sent, web cron processes a micro-batch of queued reports to the reportedip.de API (or a cron job does it in cron mode)
## Contributing
Contributions are welcome! Please read [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines.
## Author
**Patrick Schlesinger**
- Website: [reportedip.de](https://reportedip.de)
- Email: 1@reportedip.de
## License
This project is licensed under the **Business Source License 1.1** (BSL 1.1).
- **Production use is permitted** (including by companies), EXCEPT offering this software as a hosted/managed service to third parties or selling it as a commercial product.
- On **2030-03-01**, the license automatically converts to **Apache License 2.0**.
See [LICENSE](LICENSE) for the full text.
## Legal / Disclaimer
**By using this software, you agree to the terms in [DISCLAIMER.md](DISCLAIMER.md).**
- **No Warranty**: This software is provided "AS IS" without warranty of any kind.
- **Legal Compliance**: You are solely responsible for compliance with all applicable laws in your jurisdiction regarding honeypot operation and data collection.
- **Data Privacy**: You are the data controller for any personal data (IP addresses) collected by this software.
- **Risk**: Running a honeypot involves inherent security risks. The authors are not liable for any damages.
**Bitte beachten Sie den ausfΓΌhrlichen Haftungsausschluss in [DISCLAIMER.md](DISCLAIMER.md).**