· PythonWeb

Tar pit status

Talking about my tar pit

The tar pit has been running for a few days and I have been making modifications to it as needed.

How it started

The initial tar pit included a definition file with a dozen or so commonly sought after paths and sent anything that tried to access them to a drip feed of fake data. My analytics still showed tons of different paths being attempted and not trapped so I started tinkering.

How its going

My analytics dashboard now tracks requests that result in a 404 and gives me an option to add the pattern to my trap definitions. After a few days of swatting requests into the definitions I now see WAY fewer illegitimate requests in my analytics and WAY more action in my tar pits.

Other considerations

Some of these scanners try to make hundreds of requests quickly in order to test for any available info. My tar pit has begun limiting the number of requests it will handle at a time so further slow them down. I am also tracking how long they get stuck in the tar.

The process

When a request comes in, legitimate paths are handled normally. Anything that would get a 404 is first checked against my trap definitions and if it matches they get the drip feed of fake data.

If they make more than 10 requests to trapped paths they get the infinite drip. A page that just continuously drips data until the connection is closed.

What are they after?

image.png

Credentials and WordPress. The vast majority of these scans are looking for accidentally shared .env files that often contain API keys and credentials or WordPress files. A few just check for PHP info.

They are from all over the world with no specific geological grouping but that is to be expected. It looks like a lot of them will find VPS hosting, spin up a free trial, and run a scanner until the trial ends and then repeat.

What has the trap done?

Since I implemented the trap a few days ago it has trapped over 1200 probes from 58 unique IPs. Since I implemented a check to time the connections per IP it has collected just under an hour of time from these probes on this site alone. between all of the sites it is on that number gets much higher. That may not seem like much but these probes normally take a fraction of a second.

What am I doing with this info?

Nothing. I am not equipped to mount a counter offensive and even if I were, these are mostly automated bots running on fake or compromised computers. It isn't worth the effort. The tar pit is a fun project that may cause a slight headache to someone, somewhere but like them, I am most likely not worth the effort to pursue further.

What should people do?

Make sure your web server is configured correctly so you don't leak your own credentials. If you can avoid it, don't use mass market CMS like WordPress.