@rcbarnett-zz
Created April 13, 2015 15:58
OWASP Honeypot Example #1
--VSvmJH8AAQEAAFev-sYAAABf-A--
[13/Apr/2015:15:52:07 +0000] VSvmJH8AAQEAAFev-sYAAABf 62.210.93.179 33589 192.168.0.222 3128
--VSvmJH8AAQEAAFev-sYAAABf-B--
POST http://REDACTED/hostdata21.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)
Host: REDACTED
Accept: */*
Proxy-Connection: Keep-Alive
Content-Length: 1361
Content-Type: application/x-www-form-urlencoded
Expect: 100-continue
--VSvmJH8AAQEAAFev-sYAAABf-C--
data=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
--VSvmJH8AAQEAAFev-sYAAABf-E--
eyJpZCI6MjA2NiwiZnJvbSI6Im1hcmtrZXRAcm8ucnUiLCJuYW1lIjoiXHUwNDEyXHUwNDRmXHUwNDQ3XHUwNDM1XHUwNDQxXHUwNDNiXHUwNDMwXHUwNDMyIiwidG8iOiJzYW1pdGlzdEBtYWlsLnJ1IiwicmVzdWx0IjoiTk8iLCJ0aW1lIjoyLCJlcnJvcnMiOiI1NTAifQ==
--VSvmJH8AAQEAAFev-sYAAABf-F--
HTTP/1.1 200 OK
X-Powered-By: PleskLin
Content-Type: text/html
Via: 1.1 webproxy-3
Content-Length: 208
--VSvmJH8AAQEAAFev-sYAAABf-H--
Message: Warning. Operator GT matched 400 at ARGS:data. [file "/opt/wasc-honeypot/etc/crs/rules/REQUEST-20-PROTOCOL-ENFORCEMENT.conf"] [line "826"] [id "960208"] [rev "2"] [msg "Argument value too long"] [severity "WARNING"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "Host: REDACTED"] [tag "OWASP_CRS/POLICY/SIZE_LIMIT"]
Apache-Handler: proxy-server
Stopwatch: 1428940324891340 2376793 (- - -)
Stopwatch2: 1428940324891340 2376793; combined=12103, p1=42, p2=11878, p3=2, p4=146, p5=35, sr=32, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.0 (http://www.modsecurity.org/); OWASP_CRS/3.0.0.
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8g
Engine-Mode: "DETECTION_ONLY"
--VSvmJH8AAQEAAFev-sYAAABf-Z--
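The gist above is one entry in ModSecurity's serial audit-log format: boundary lines of the form `--<unique-id>-<part>--` separate part A (transaction line with client and server addresses), B (request headers), C (request body), E (response body, which in this capture is base64-encoded JSON), F (response headers) and H (the audit trailer carrying the `Message:` rule hits, the engine mode and the producer). As an added example, not part of the gist, the following Python splits an entry into its parts, pulls rule id, msg, severity and tags out of each `Message:` line in part H, and decodes the base64 JSON in part E; the sample entry, its unique id and its addresses are constructed for the example.

```python
import base64
import json
import re

# Constructed sample in the gist's ModSecurity serial audit-log layout (boundary
# "--<id>-<part>--", parts A, B, E, H, Z); made-up values, not copied from the page.
SAMPLE_ENTRY = """--abc123-A--
[13/Apr/2015:15:52:07 +0000] abc123 192.0.2.10 33589 192.168.0.222 3128
--abc123-B--
POST http://example.invalid/hostdata21.php HTTP/1.1
--abc123-E--
eyJyZXN1bHQiOiJOTyIsImVycm9ycyI6IjU1MCJ9
--abc123-H--
Message: Warning. Operator GT matched 400 at ARGS:data. [id "960208"] [msg "Argument value too long"] [severity "WARNING"] [tag "OWASP_CRS/POLICY/SIZE_LIMIT"]
Engine-Mode: "DETECTION_ONLY"
--abc123-Z--
"""

PART_RE = re.compile(r"^--(\S+)-([A-Z])--$", re.MULTILINE)  # part boundary line
TAG_RE = re.compile(r'\[(\w+) "([^"]*)"\]')                  # [key "value"] in part H

def split_parts(entry):
    """Map each part letter (A, B, C, ...) to the text between its boundaries."""
    marks = list(PART_RE.finditer(entry))
    parts = {}
    for i, mark in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(entry)
        parts[mark.group(2)] = entry[mark.end():end].strip("\n")
    return parts

def parse_messages(h_body):
    """One dict per 'Message:' line in part H: rule id, msg, severity, tags."""
    hits = []
    for line in h_body.splitlines():
        if line.startswith("Message: "):
            text = line[len("Message: "):]
            pairs = TAG_RE.findall(text)
            fields = {k: v for k, v in pairs if k != "tag"}
            fields["tags"] = [v for k, v in pairs if k == "tag"]   # a rule may carry several tags
            fields["summary"] = text.split(" [", 1)[0]             # "Warning. Operator GT matched ..."
            hits.append(fields)
    return hits

def decode_body(e_body):
    """Part E in the gist held base64-encoded JSON; return it decoded, else None."""
    try:
        return json.loads(base64.b64decode(e_body.strip(), validate=True))
    except (ValueError, UnicodeDecodeError):
        return None
```

Run over a real audit log, the rule ids and tags from part H are what you key on when asking which CRS policy fired; the engine mode in the same part tells you whether the honeypot only observed the request or would have blocked it.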
rdev5 commented Sep 22, 2015

Data in the header is a Base64-encoded JSON string containing the contact information and a message in Russian from some Vyacheslav. Google Translate translates the message as:

Hello My name is Vyacheslav. I have been a professional e-mail newsletters. To you have a suggestion - your service or product to make a proposal to extend it and e-mail a specific area of business. I propose to extend your offer for any desired database. If possible - please inform your your phone or skype, I will talk about sending more. Thanks in advance for your reply, Vyacheslav.

Found your gist doing research on a different attempt (https://gist.github.com/rcbarnett/a08091a73f1071849685) and thought I'd comment on this one.

Thanks for the link to the HttpFileServer reference at PacketStorm. That's what I was hunting down :)

For future reference, any tips on "mapping" attack patterns like these to the actual vulnerable software out there being targeted so one can quickly assess whether the attempt could potentially affect them?

Thanks!
