Heartbleed Honeypot Script

#!/usr/bin/perl   # hb_honeypot.pl -- a quick 'n dirty honeypot hack for Heartbleed # # This Perl script listens on TCP port 443 and responds with completely bogus # SSL heartbeat responses, unless it detects the start of a byte pattern # similar to that used in Jared Stafford's (jspenguin@jspenguin.org) demo for # CVE-2014-0160 'Heartbleed'. # # Run as root for the privileged port. Outputs IPs of suspected heartbleed scan # to the console. Rickrolls scanner in the hex dump. # # 8 April 2014 # http://www.glitchwrks.com/ # shouts to binrev   use strict; use warnings; use IO::Socket;   my $sock = new IO::Socket::INET ( LocalPort => '443', Proto => 'tcp', Listen => 1, Reuse => 1, );   die "Could not create socket!" unless $sock;   # The "done" bit of the handshake response my $done = pack ("H*", '16030100010E');   # Your message here my $taunt = "09809*)(*)(76&^%&(*&^7657332 Hi there! Your scan has been logged! Have no fear, this is for research only -- We're never gonna give you up, never gonna let you down!"; my $troll = pack ("H*", ('180301' . sprintf( "%04x", length($taunt))));   # main "barf responses into the socket" loop while (my $client = $sock->accept()) { $client->autoflush(1);   my $found = 0;   # read things that look like lines, puke nonsense heartbeat responses until # a line that looks like it's from the PoC shows up while (<$client>) { my $line = unpack("H*", $_);   if ($line =~ /^0034.*/) { print $client $done; $found = 1; } else { print $client $troll; print $client $taunt; }   if ($found == 1) { print $client $troll; print $client $taunt; print $client->peerhost . "\n"; $found = 0; } } }   close($sock);