Log4j

A honeypot for the Log4Shell vulnerability (CVE-2021-44228)

Dec 17, 2021 1 min read

Log4Pot

A honeypot for the Log4Shell vulnerability (CVE-2021-44228).

License: GPLv3.0

Features

Listen on various ports for Log4Shell exploitation.
Detect exploitation in request line and headers.
Log to file and Azure blob storage.

Usage

Install Poetry: curl -sSL https://raw.githubusercontent.com/python-poetry/poetry/master/get-poetry.py | python3 -
Fetch this GitHub repository git clone https://github.com/thomaspatzke/Log4Pot.git
Change directory into the local copy with cd Log4Pot
Install dependencies: poetry install
Put parameters into log4pot.conf.
Run: poetry run python log4pot.py @log4pot.conf

Alternatively, you can also run log4pot without external dependencies:

$ python log4pot.py @log4pot.conf

This will run log4pot without support for logging to Azure blob storage.

Analyzing Logs with JQ

List payloads from exploitation attempts:

select(.type == "exploit") | .payload

Decode all base64-encoded payloads from JNDI exploit:

select(.type == "exploit" and (.payload | contains("Base64"))) | .payload | sub(".*/Base64/"; "") | sub ("}$"; "") | @base64d

GitHub

View Github

John was the first writer to have joined pythonawesome.com. He has since then inculcated very effective writing and reviewing culture at pythonawesome which rivals have found impossible to imitate.