What is this firekeeper alert about? [SOLVED]

=== Triggered rule ===
alert (msg:"smuggling Javascript inside an image"; headers_content:"image"; nocase; headers_re:"/^Content-Type.*image/mi"; body_re:"/<script/i";)

=== Request URL ===
htxps://camo.phpbb.com/d1ab4ed70b8ffef25eaa857b92431a3d21afa818/687474703a2f2f3364692e636f6d75762e636f6d2f6d795f7369672f6d795f7369672e706870

=== Response headers ===
Server: nginx/1.0.15
Date: Sat, 23 Feb 2013 22:34:56 GMT
Content-Type: image/gif
Connection: keep-alive
Cache-Control: public, max-age=31536000
Camo-Host: localhost
X-Content-Type-Options: nosniff
Content-Length: 1985

=== Response body ===

. . . I get a connection refused. The location line in the header above has redirected the request to: /count.php?b5955a00

Could this be part of a bot attack?
No, according to me it is completely benign; see second attached image!

polonus

A lot of image hosters do not have security “as a first priority” to put it mildly. Read about the potential threat of this detection here:
http://sla.ckers.org/forum/read.php?11,17722 (thread started by Kon Trol).
Consider hacked captcha decoders etc. (HTML code embedded does not belong inside an image, could be abused maliciously and therefore should not be allowed by the image hoster)…
Also read this: http://www.mozdev.org/pipermail/firekeeper/2008-March/000080.html (message author = Camillio Casbas)
Netcraft does not flag this issue in Google Chrome nor does Malware Script Decoder…
Some images are being detected as FPs:
https://www.virustotal.com/en/file/1cb85f298200841db929674787b366b8d1368a5571e49926ad939fcfd236a730/analysis/1257192178/
http://www.governmentsecurity.org/latest-security-news/kaspkersky-false-positive-in-gosearchgif.html

polonus
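
As an added illustration (not part of the thread and not Firekeeper's own code), this Python sketch re-implements the three conditions of the triggered rule and reports what helps when judging a hit: where `<script` matched, whether the body starts with a known image signature, and whether `X-Content-Type-Options: nosniff` was sent. The `triage` function, the sample body and the assumption that all three rule options must match are constructed for this example.

```python
import re

# The three conditions of the rule quoted in the alert
# (assumption: all of them must hold for the alert to fire).
HEADERS_CONTENT = "image"                                      # headers_content + nocase
HEADERS_RE = re.compile(r"^Content-Type.*image", re.M | re.I)  # headers_re /.../mi
BODY_RE = re.compile(rb"<script", re.I)                        # body_re /<script/i

# Leading bytes of common image formats, used only as triage context.
IMAGE_MAGIC = {b"GIF87a": "gif", b"GIF89a": "gif",
               b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpeg"}


def triage(raw_headers: str, body: bytes) -> dict:
    """Evaluate the rule and collect the context needed to judge the hit."""
    hit = BODY_RE.search(body)
    fired = (HEADERS_CONTENT in raw_headers.lower()
             and HEADERS_RE.search(raw_headers) is not None
             and hit is not None)
    magic = next((kind for sig, kind in IMAGE_MAGIC.items()
                  if body.startswith(sig)), None)
    nosniff = re.search(r"^X-Content-Type-Options:\s*nosniff\s*$",
                        raw_headers, re.M | re.I) is not None
    return {
        "fired": fired,
        "match_offset": hit.start() if hit else None,  # where "<script" sits
        "image_magic": magic,    # does the body start like a real image?
        "nosniff": nosniff,      # was the browser told not to sniff the type?
        # Heuristic chosen for this example: look closer when the server
        # does not forbid sniffing or the body lacks an image signature.
        "review_first": fired and (not nosniff or magic is None),
    }


# Headers copied from the alert above; the body is constructed sample data
# in which the byte sequence "<sCrIpT" merely occurs inside GIF-like bytes.
PAGE_HEADERS = ("Content-Type: image/gif\n"
                "X-Content-Type-Options: nosniff\n"
                "Content-Length: 1985\n")
SAMPLE_GIF = b"GIF87a\x10\x00\x10\x00\x80\x00\x00..<sCrIpT.."

# Constructed contrast case: image content type, HTML body, no nosniff.
BARE_HEADERS = "Content-Type: image/gif\n"
HTML_BODY = b"<html><script></script></html>"

if __name__ == "__main__":
    print(triage(PAGE_HEADERS, SAMPLE_GIF))
    print(triage(BARE_HEADERS, HTML_BODY))
```

The rule fires on both samples; only the second is marked `review_first`, because the first carries a GIF signature and the `nosniff` header seen in the alert.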