Dockerized honeypot for CVE-2021-44228 based on Alpine, written in Python/Flask.
The container responds with a plain login form.
Any request will be inspected for ${ (headers and body).
This triggers a critical-level log with the entire request (as a dict with tuples, which is JSON-ish).
The event log will look like this (but as a single line):
CRITICAL:<HONEYPOT_NAME>:{
'honeypot': '<HONEYPOT_NAME>',
'source': '172.17.0.1',
'headers': EnvironHeaders([
('Host', 'localhost:8080'),
('User-Agent', 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0'),
('Accept', 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8'),
('Accept-Language', 'en-CA,fr-CA;q=0.5'),
('Accept-Encoding', 'gzip, deflate'),
('Content-Type', 'application/x-www-form-urlencoded'),
('Content-Length', '45'),
('Origin', 'http://localhost:8080'),
('Connection', 'keep-alive'),
('Referer', 'http://localhost:8080/'),
('Upgrade-Insecure-Requests', '1'),
('Sec-Fetch-Dest', 'document'),
('Sec-Fetch-Mode', 'navigate'),
('Sec-Fetch-Site', 'same-origin'),
('Sec-Fetch-User', '?1')
]),
'body': [
('username', '${'),
('password', ''),
('submit', 'Submit Query')
]}# x86_64
docker run -d -p 8080:8080 -e HONEYPOT_NAME="log4shell-honeypot" --name="log4shell-honeypot" msanford/log4shell-honeypot:latest
# ARM (e.g., Raspberry Pi)
docker run -d -p 8080:8080 -e HONEYPOT_NAME="log4shell-honeypot" --name="log4shell-honeypot" msanford/log4shell-honeypot:arm-latestA docker-compose.yml fragment is also provided.
docker build -t log4shell-honeypot:latest .This is a modified fork of BinaryDefense/log4shell-honeypot-flask 👏🏼.