Recently one of our honeypots was hit by an attacker, and in the process we were able to gather a bunch of good intelligence on the actions taken by the attacker.
I detail the forensics of the attack in my latest post for Sucuri: Case Study: Analyzing a WordPress Attack – Dissecting the webr00t cgi shell – Part I. My goal is to put out a Part II next week in which we break down the shell used.
All in all, it was pretty interesting and amusing at the same time. If you have any questions or insight, let me know.