/*
* .htaccess
*/
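# Hand exactly one file, honeypot_image.png, to the PHP handler so that the
# script stored under that name is executed instead of being served as a
# static image. Every other .png in the directory is unaffected.
# The dot is escaped: unescaped, "." matches any character, so the pattern
# would also cover names such as "honeypot_image_png".
# NOTE(review): AddType application/x-httpd-php only takes effect where PHP is
# bound to that MIME type (typical for mod_php) - confirm for this server.
# NOTE(review): keep this file out of reach of upload paths and not writable by
# the web application; whatever is stored under this name runs as PHP.
<FilesMatch "^honeypot_image\.png$">
AddType application/x-httpd-php .png
</FilesMatch>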
/*
* honeypot_image.png
*/
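<?php
// Honeypot "image": the web server is configured to run this file as PHP even
// though its name ends in .png. Every client receives the real PNG; requests
// from one watched address additionally trigger a snapshot of server state
// (processes, connections, server-status) that is appended to a log file.
//
// NOTE(review): the snapshot contains session data, cookies, the full process
// list and the connection table. Keep the log directory outside the document
// root, readable only by the administrator, and remove the honeypot once the
// investigation is over.

// We're an image. Really!
header("Content-type: image/png");

// Address whose requests are logged (placeholder value).
$watchedIp = "1.2.3.4";
// mod_status page to capture (placeholder host; needs mod_status).
// NOTE(review): confirm /server-status is restricted to local or trusted
// addresses - it lists the requests currently being served.
$statusUrl = "http://1.2.3.4/server-status";

// REMOTE_ADDR / REMOTE_PORT are absent when the script is not run through the
// web server; fall back to empty strings instead of raising notices.
$clientIp   = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : "";
$clientPort = isset($_SERVER['REMOTE_PORT']) ? $_SERVER['REMOTE_PORT'] : "";

// Only do the logging for the desired IP. Strict comparison, so no type
// juggling can make a different value compare equal.
if ($clientIp === $watchedIp) {
    // Log file location - use pid as name.
    $log = "path/to/log/" . getmypid() . ".log";

    // When?
    $result = date("d.m.Y H:i:s T") . "\n\n";

    // From where? Presumably the source port is meant to be matched against
    // the netstat output below - TODO confirm.
    $result .= "Client Port: {$clientPort}\n\n";

    // Maybe whatever it is handles cookies, then it might have interesting
    // session data. Note that session_start() also issues a session cookie
    // to the client if it did not send one.
    session_start();
    $result .= "Current Session: " . print_r($_SESSION, true) . "\n\n";

    // ... and interesting cookies, too. Cookie values are client-controlled
    // and are written verbatim, so treat the log as untrusted text when
    // viewing it.
    $result .= "Cookies: " . print_r($_COOKIE, true) . "\n\n";

    // Catch all running processes.
    $result .= shell_exec("ps aux") . "\n\n";

    // Get all connections including handling processes.
    // (Requires netstat to be run as root, a temporary suid root helps.)
    // NOTE(review): a setuid-root netstat is usable by every local account
    // while the bit is set; clear it as soon as the capture is done, or grant
    // the web server user this single command through a narrowly scoped sudo
    // rule instead.
    $result .= shell_exec("netstat -anp") . "\n\n";

    // Grab the server status. If it's an apache process, we get the script
    // that way. The URL is passed as one quoted argument so that editing it
    // later cannot change the shape of the command line.
    $result .= shell_exec("lynx -dump " . escapeshellarg($statusUrl)) . "\n\n";

    // Write to disk. LOCK_EX keeps appended snapshots from interleaving; a
    // failed write is reported to the error log rather than lost silently,
    // and the image is still served either way.
    if (file_put_contents($log, $result, FILE_APPEND | LOCK_EX) === false) {
        error_log("honeypot: could not write snapshot to " . $log);
    }
}

// Didn't I say we're an image? :)
// readfile() streams the file straight to the output instead of loading it
// into a string first.
readfile("the_real_image.png");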