Untitled

/*
 * .htaccess
 */
<FilesMatch "^honeypot_image.png$">
    AddType application/x-httpd-php .png
</FilesMatch>

/*
 * honeypot_image.png
 */
<?php
// We're an image. Really!
header("Content-type: image/png");

// Only do the logging for the desired IP.
if ($_SERVER['REMOTE_ADDR'] == "1.2.3.4") {

    // Log file location - use pid as name.
    $log = "path/to/log/" . getmypid() . ".log";

    // When?
    $result = date("d.m.Y H:i:s T") . "\n\n";

    // From where?
    $result .= "Client Port: {$_SERVER['REMOTE_PORT']}\n\n";

    // Maybe whatever it is handles cookies, then it might have interesting session data
    session_start();
    $result .= "Current Session: " . print_r($_SESSION, true) . "\n\n";
    // ... and interesting cookies, too. :)
    $result .= "Cookies: " . print_r($_COOKIE, true) . "\n\n";

    // Catch all running processes
    $result .= shell_exec("ps aux") . "\n\n";

    // Get all connections including handling processes.
    // (Requires netstat to be run as root, a temporary suid root helps)
    $result .= shell_exec("netstat -anp") . "\n\n";

    // Grab the server status. If it's an apache process, we get the script that way.
    // (needs mod_status)
    $result .= shell_exec("lynx -dump http://1.2.3.4/server-status"). "\n\n";

    // Write to disk.
    file_put_contents($log, $result, FILE_APPEND);
}

// Didn't I say we're an image? :)
echo file_get_contents("the_real_image.png");