This blog is now a honeypot!
As I was perusing my logs today on a lazy Sunday afternoon I found I was being attacked by more RFI bots than usual. To my surprise I realized it is because of my previous post on controlling RFI bots. In my last post I included a dork that is frequently scanned for, and in doing so made my own blog a target! Now whenever a bot searches for the dork I mentioned, my blog will be returned as a possible target. The site is not vulnerable of course so I thought I would turn this to my/our advantage.
I’ve cobbled together a little script that will read my web logs and spit out all the attack attempts and some stats as well. The script may result in some false positives so please take that into consideration. The suspected attacks and stats will be updated once a day and if things go well I may seed some more dorks into the blog to generate more hits.
Hopefully this will be a good source of live data for anyone wanting to research RFI attacks, please keep in mind that most of the attacking domains are compromised web servers themselves.
The details are on the left sidebar under “RFI Attacks”.
Dear Andrew,
you have “discovered” the core idea we are using in our Web Honeypot. If you present google a long list of dorks, you will get very attractive for RFI attacks.
Check out our project: trac.glastopf.org/trac
Greetings,
Lukas