svemagie.net/indiekit-blog
1
0
Fork 0
Code Issues Actions Packages Projects Releases Activity

update article post
Build & Deploy / build-and-deploy (push) Successful in 2m10s
Details

Browse Source
This commit is contained in:
svemagie
2026-04-21 09:06:37 +02:00
parent 0d4229ef0c
commit 6c5dff1ea3
1 changed files with 269 additions and 290 deletions
Download Patch File Download Diff File Expand all files Collapse all files
content/articles/schroedingers-honeypot-on-freebsd-and.md
+21 -42
View File
@@ -11,7 +11,19 @@ aiTextLevel: "1"
syndication:
- https://bsky.app/profile/did:plc:g4utqyolpyb5zpwwodmm3hht/post/3mjyebefxei2c
- https://blog.giersig.eu/articles/schroedingers-honeypot-on-freebsd-and/
updated: 2026-04-21T06:31:00.361Z
updated: 2026-04-21T07:06:37.347Z
webmentionResults:
sent: 0
failed: 0
skipped: 1
details:
sent: []
failed: []
skipped:
- target: https://bsky.app/profile/did:plc:g4utqyolpyb5zpwwodmm3hht/post/3mjyebefxei2c
reason: No webmention endpoint found
timestamp: 2026-04-21T06:33:30.743Z
webmentionSent: true
mpUrl: https://blog.giersig.eu/articles/schroedingers-honeypot-on-freebsd-and/
permalink: /articles/schroedingers-honeypot-on-freebsd-and/
---
@@ -178,47 +190,14 @@ cat /var/log/nginx/*access.log | awk '{print $7}' | sort | uniq -c | sort -rn |
The honeypot log tells the other half: what is already being caught. Comparing the two reveals the gaps. From this servers logs:
Pattern
Hits
Caught?
`info.php`, `phpinfo.php`
64
`etc/passwd` (path traversal)
48
`test.php`, `debug.php`, `php.php`
70
`wp_filemanager.php` (underscore, not hyphen)
28
`_profiler/` (Symfony debug endpoint)
18
`.gitlab-ci.yml`
15
| Pattern | Hits | Caught? |
| --------------------------------------------- | ---- | ------- |
| `info.php`, `phpinfo.php` | 64 | ❌ |
| `etc/passwd` (path traversal) | 48 | ❌ |
| `test.php`, `debug.php`, `php.php` | 70 | ❌ |
| `wp_filemanager.php` (underscore, not hyphen) | 28 | ❌ |
| `_profiler/` (Symfony debug endpoint) | 18 | ❌ |
| `.gitlab-ci.yml` | 15 | ❌ |
PHP probe files are particularly common: scanners drop `phpinfo.php`, `test.php`, `info.php` to fingerprint the stack. `etc/passwd` probes arrive as both direct paths and Vite/Nuxt path traversal variants (`/@fs/etc/passwd`). The Symfony `_profiler/` endpoint is a favourite for Laravel and Symfony shops that leave debug mode on in production.