HoneyPot Fun. Trapping Wordpress Scanners.
We start our planning to trap Wordpress scanners (hackers) and feed them bogus and poisonous but giant fake xml files.
So it turns out that a local scanner is attempting to find my 'back-door' WordPress domain. Sure, go ahead: I don't even use WordPress. But would it not be fun to make a recursive, effectively infinite serving loop that completely eats up the scanner's resources by sending back 1 GB of generated HTML pages?
Let's get started.
- We can see a short list of what they are attempting to find, as in:
172.17.0.1 - - [10/Dec/2024 04:38:45] "GET //blog/wp-includes/wlwmanifest.xml HTTP/1.1" 404 -
172.17.0.1 - - [10/Dec/2024 04:38:45] code 404, message File not found
172.17.0.1 - - [10/Dec/2024 04:38:45] "GET //web/wp-includes/wlwmanifest.xml HTTP/1.1" 404 -
172.17.0.1 - - [10/Dec/2024 04:38:45] code 404, message File not found
172.17.0.1 - - [10/Dec/2024 04:38:45] "GET //wordpress/wp-includes/wlwmanifest.xml HTTP/1.1" 404 -
172.17.0.1 - - [10/Dec/2024 04:38:45] code 404, message File not found
172.17.0.1 - - [10/Dec/2024 04:38:45] "GET //website/wp-includes/
A little browsing around shows us the typical full-scan list. We can get a much larger list from here:
//blog/wp-includes/wlwmanifest.xml
//web/wp-includes/wlwmanifest.xml
//wordpress/wp-includes/wlwmanifest.xml
//wp/wp-includes/wlwmanifest.xml
//2020/wp-includes/wlwmanifest.xml
//2019/wp-includes/wlwmanifest.xml
//2021/wp-includes/wlwmanifest.xml
//shop/wp-includes/wlwmanifest.xml
//wp1/wp-includes/wlwmanifest.xml
//test/wp-includes/wlwmanifest.xml
//site/wp-includes/wlwmanifest.xml
//cms/wp-includes/wlwmanifest.xml
//wp-includes/wlwmanifest.xml
//website/wp-includes/wlwmanifest.xml
//news/wp-includes/wlwmanifest.xml
//wp2/wp-includes/wlwmanifest.xml
//sito/wp-includes/wlwmanifest.xml
/wp-includes/wlwmanifest.xml
//2018/wp-includes/wlwmanifest.xml
//media/wp-includes/wlwmanifest.xml
/wp-includes/id3/license.txt/blog/wp-includes/wlwmanifest.xml
/wp-includes/id3/license.txt/web/wp-includes/wlwmanifest.xml
/wp-includes/id3/license.txt/wordpress/wp-includes/wlwmanifest.xml
/wp-includes/id3/license.txt/wp/wp-includes/wlwmanifest.xml
/wp-includes/id3/license.txt/2020/wp-includes/wlwmanifest.xml
/wp-includes/id3/license.txt/2019/wp-includes/wlwmanifest.xml
/wp-includes/id3/license.txt/2021/wp-includes/wlwmanifest.xml
/wp-includes/id3/license.txt/shop/wp-includes/wlwmanifest.xml
/wp-includes/id3/license.txt/wp1/wp-includes/wlwmanifest.xml
/wp-includes/id3/license.txt/test/wp-includes/wlwmanifest.xml
/wp-includes/id3/license.txt/site/wp-includes/wlwmanifest.xml
/wp-includes/id3/license.txt/cms/wp-includes/wlwmanifest.xml
Next is to stand up a small Flask application server and see if we can make an endpoint that matches one of these. The serving code is simple:
from flask import Flask

app = Flask(__name__)

@app.route('/wp/wp-includes/wlwmanifest.xml')
def wp_wp_includes():
    # placeholder body; the generated manifest replaces this later
    return 'bobby brown'
We test out the link - it works!
http://127.0.0.1:5000/wp/wp-includes/wlwmanifest.xml
Next we want to generate MASSIVE .xml files to serve whenever any one of these XML paths is polled. So what does a typical wlwmanifest.xml look like?
<manifest xmlns="urn:schemas-microsoft-com:xml-wlw">
<manifestVersion>1.0</manifestVersion>
<application>
<manifestName>WordPress</manifestName>
<manifestIconUrl>https://example.com/favicon.ico</manifestIconUrl>
</application>
<weblog>
<homepageLinkText>My WordPress Site</homepageLinkText>
<homepageUrl>https://example.com/</homepageUrl>
<api>
<displayName>WordPress</displayName>
<postApiUrl>https://example.com/xmlrpc.php</postApiUrl>
<getCategoriesApiUrl>https://example.com/xmlrpc.php?rsd</getCategoriesApiUrl>
<getTagsApiUrl>https://example.com/xmlrpc.php?rsd</getTagsApiUrl>
<getRecentPostsApiUrl>https://example.com/xmlrpc.php?rsd</getRecentPostsApiUrl>
</api>
</weblog>
</manifest>
Fair enough. Next we want a Python routine that generates these on the fly, potentially having them ready at run time, so it just floods the scrolling bot with bogus and bullshite information.
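One way to put the pieces together, as an added example rather than the author's code: a Flask app (assumed installed; the helper functions run without it) whose before-request hook matches every probe path in the list above, logs the hit, and streams a generated manifest of a configurable size chunk by chunk, so the server never holds the whole file in memory. The filler entries under example.com are constructed; start the trap with create_app().run().

```python
import re
import xml.etree.ElementTree as ET
from typing import Iterator

# Matches every probe in the list above: any prefix, then wp-includes/wlwmanifest.xml.
WLW_RE = re.compile(r"^/+(?:[^/]+/)*wp-includes/wlwmanifest\.xml$")

HEAD = ('<manifest xmlns="urn:schemas-microsoft-com:xml-wlw">\n'
        '<manifestVersion>1.0</manifestVersion>\n<weblog>\n')
# Constructed filler entry: bogus endpoints under the reserved example.com domain.
ENTRY = ('<api><displayName>blog{n}</displayName>'
         '<postApiUrl>https://example.com/{n}/xmlrpc.php</postApiUrl></api>\n')
TAIL = '</weblog>\n</manifest>\n'

def is_scanner_path(path: str) -> bool:
    """True for the wlwmanifest.xml probes, False for everything else."""
    return WLW_RE.match(path) is not None

def manifest_chunks(target_bytes: int, entries_per_chunk: int = 1000) -> Iterator[bytes]:
    """Stream a well-formed manifest of at least target_bytes without building it in memory."""
    yield HEAD.encode()
    sent, n = len(HEAD), 0
    while sent < target_bytes:
        chunk = "".join(ENTRY.format(n=n + i) for i in range(entries_per_chunk)).encode()
        n += entries_per_chunk
        sent += len(chunk)
        yield chunk
    yield TAIL.encode()

def is_well_formed(data: bytes) -> bool:
    """Sanity check: the streamed output must still parse as XML."""
    try:
        ET.fromstring(data)
        return True
    except ET.ParseError:
        return False

def create_app(target_bytes: int = 256 * 1024 * 1024):
    """Flask app (assumed dependency): trap the probes, let everything else 404."""
    from flask import Flask, Response, request  # imported here so the helpers above run without Flask
    app = Flask(__name__)

    @app.before_request
    def trap():
        if is_scanner_path(request.path):
            app.logger.warning("wlwmanifest probe from %s for %s", request.remote_addr, request.path)
            return Response(manifest_chunks(target_bytes), mimetype="application/xml")
        return None  # no routes are registered, so anything else falls through to a 404

    return app
```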
To be continued...