Attacks against a single PHP honeypot

The following graph shows attacks against a PHP honeypot which are trying to exploit several distinct flaws. The vulnerabilities attacked are Mambo remote code-inclusion as discussed above, AWStats configdir command injection, PHPBB admin_styles remote code-inclusion (note that this is different to the PHPBB flaw that Santy exploited), WebCalendar includedir remote code-inclusion and Coppermine Photo Gallery remote code-inclusion, in this case the problem with theme.php and THEME_DIR. We can see that the Mambo exploit is consistently popular but the usage of the AWStats vulnerability tails off towards the end of this period. Other exploits are only tried occasionally, such as the PHPBB flaw. Some sources attempt to exploit a single issue, while others try two or more. The total numbers of attacks observed during this period were as follows: Mambo 255, AWS 251, PHPBB 54, WebCalendar 9, Coppermine 10. Appendix D has individual graphs for each vulnerability.

phphop1

The following graph shows the mean number of attacks per unique source:

phphop3