HoneyPot – I Made a Text Field Only Bots Use – Heres What Happened (opens in new tab)

I’m curious whether those who voted for this submission have ever taken a look at their server logs.

Almost every public website on the open Internet receives thousands of HTTP requests similar to the ones mentioned in this text file. This is one of the several reasons why web application firewalls gained popularity years ago, especially as vulnerability scanners became widespread.

Years ago, when I was employed at a young security startup, my colleague and I dedicated countless hours analyzing this particular kind of web traffic. Our objective was to develop basic filters for what eventually evolved into an extensive database of malicious signatures. This marked the inception of what is now recognized as one of the most widely used firewalls in the market today.

I notice a lot of specific numbers and strings being used and repeated, what do they mean?

Do these injection attacks come from a single source perhaps, which everyone imitated?

That’s from a single person most likely, who used sqlmap to test for sql injection. I haven’t seen internet wide attempts of testing sql injections.

All of these look like things sqlmap tries, this could all be just one person that tried to target the server.

I did something similar about 15 years ago. They weren't as complex back then, and there was more effort to obfuscate them.

Mostly they came from Israeli Chinese and Russian IP addresses.

I ran a public-facing web server — you won’t believe what happened next!

Protip: I usually add a hidden input field to my forms. As it is hidden a normal user should not be able to fill it out, only a bot will. So if the hidden input isn't empty, I can disregard it as spam, it works wonders.

One of the first bits of analytics I put on any webserver is to count all unhandled urls. As others here say things like WordPress admin page request probing are classic but I remember one of the Django designers pointing out that sometimes legitimate looking requests are actually a form of suggestion. That used to be a lot more true when people would try to play with urls to get to what they wanted.

Relatedly if you work in a field where your products become known as a useful benchmark you will find prototypes start showing up long before any public disclosure. We used to use this to be able to anticipate new screen resolutions and evaluate new GPUs and SoCs before being told about them.

I remember back in the day getting my first server online. Then a few months in I stumble across the ssh logs… let’s say it was quite handy because at the time were trying to come up with a name for our kid.

The internet is a jungle with dragons. Nowadays I try to keep everything on my vpn as an extra security layer.

I remember installing a Juniper Intrusion Detection System in a server rack on a telecom company. Was quite impressed when I saw in the logs such attacks were discovered and blocked. This was 15 years ago.

I've got a classic guestbook on an intentionally vintage page but I actually filter the input into "spam" and "humans". Here's the spambook: https://bootstra386.com/spambook.html

The filter system is open source https://github.com/kristopolous/BOOTSTRA.386/blob/master/hom...

Showing it's not impossible to have a classic anonymous guestbook, you just have to be a bit clever.

Yes, that's a zipbomb to a particular offender at the beginning. It worked. A script dumb enough to brainlessly slam the site easily broke against a zipbomb.

if (ststr($_REQUEST['textfield_name'], "UNION") { block_ip($_SERVER['REMOTE_ADDR']); }

What's with all the CONCAT(0x71626a7a71, ... ,0x716b767071)? As ASCII they're qbjzq ... qkvpq

It boggles my mind that there is software out there where that actually works.

ah, sqlmap

I did the same on a real contact form before to reduce spam... If the field got modified, I knew it was a bot... Worked pretty well