A very simple telnet honeypot
This is a very simple telnet honeypot program. It displays a login: prompt, followed by a password: prompt. After that, it simply echos whatever inputs it receives.
Just issue this command:
$ gcc -pthread tinypot_main.c tinypot_process.c -o tinypot
The general invocation is
$ tinypot [ip_address|-] portnum portnum portnum ...
The first argument determines what local network interface tinypot will listen on for incoming connections. The argument is either a specific IP address, or the single character "-". In the latter case, tinypot will listen on all available network interfaces.
Each portnum is a TCP/IP port number that will be opened for listening.
To fish for Mirai bots, try this:
$ tinypot - 23 2323 23231 6789 7547 587 23123 68 5060 1433 5555
To engage other bots that have been in the news:
$ tinypot - 2323 23231 6789 7547 587 23123 68 5060 433 5555 8080 8888 1194 6000 6001 2580 8443 5431 139 445 9100 3389 443 992 21
This program provides a simple example of a TCP/IP server program, using BSD socket functions. It is also a simple example of Posix thread programming.
You can use this program to watch telnet malware at work. In particular, Mirai. For this purpose, any or all of the ports 23, 2323, 23231, or 6789 may be used. These are the ports that are used by Mirai and similar malware.
The malware programs vary in their sophistication. Some of them will detect the fact that tinypot is not a vulnerable telnet server and disconnect immediately. Other malware programs will send several commands before giving up. It can be interesting to watch. You can expect to wait anywhere from one to 25 minutes between connection attempts.