This is a first try to mock the router backdoor "TCP32764" found in several router firmwares at the end of 2013. The POC of the backdoor is located at this repository.

This honeypot is not fully compatible to the real backdoor. However, we try to response positive answers for well known tests. Said this, both the poc.py and the web test from Heise recognize this being a real backdoor.

Do not complain about any actions or problems after using this piece of code. Relax, take the time, read it first, and then try it on your own.

NodeJS

1. git clone https://github.com/knalli/honeypot-for-tcp-32764.git && cd honeypot-for-tcp-32764
2. npm install
3. node_modules/.bin/coffee server.coffee

There are two user scripts defined in the package.json which instruments Forever. Simply use npm start to start the server and npm stop to stop the server. The flag -w is used therefor any file changes will effectily restart the server in a second.

There are following user scripts defined for an easy access to the log:

• npm run-script print-log printing out the log file of the current daemon (started by npm start)
• npm run-script tail-log tailing out the log file of the current daemon (started by npm start)

Yes, if you like.

Free for all.

MIT