Re: [bitfolk] I know I should not take it personally but ...

Author: admins
Date:  
To: users
Subject: Re: [bitfolk] I know I should not take it personally but ...
Bang goes that part of that theory, then.

Kirbs



On 09/04/2019 15:03, Keith wrote:
>
> Hosted on Debian.
>
> On 2019-04-09 21:50, admins wrote:
>
>> Hmm
>>
>> Not so long back I was gifted a (captured in the wild) bot script, so
>> could have a rummage through it to see how it worked.
>>
>> It seemed to not only use a very fast scatter/gather ping method to
>> detect live hosts but also had a section of code that looked for
>> another botnet and did a takeover, using a passphrase that was
>> written into the script. Kinda looks like bot herders are also into
>> bot rustling. Either that or it was a botnet they had but lost the
>> C&C for, after a take down action. Not sure, it is not really my thing.
>>
>> I am wondering if you were pestered by a small number of hosts from
>> Stanford that were infected with something similar. The primary route
>> to infection would have been through a web exploit (hence 80 and 443)
>> and its secondary route was to take over another botnet that usually
>> listens for C&C on 7777. If it is a common Windows malware C&C port
>> then it follows that the hosts pestering you were most likely (but
>> not guaranteed to be) Windows.
>>
>> Is your web server a Windows OS?
>>
>> Why it fixated on your services I have no idea. Except for as you
>> have suggested that your services looked like there were more of them
>> than there were due to DNS aliasing. Hence why you saw more of it
>> than anyone else's fair share of pestering.
>>
>>
>> Cheers
>>
>>
>> Kirbs
>>
>
> _______________________________________________
> users mailing list
> users@???
> https://lists.bitfolk.com/mailman/listinfo/users
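The port pattern Kirbs describes in the quoted message (web probes on 80/443 from the same source that also tries the 7777 C&C port) can be picked out of firewall logs mechanically. The following triage script is an added example written for this archive page, not code from the thread or from the captured bot script; the log lines, addresses and syslog field names (SRC, DST, DPT) are constructed for the example.

```python
"""Triage constructed firewall-log lines for the pattern discussed in the
thread: probes on 80/443 plus an attempt on TCP 7777 from the same source.
Example code for this archive page, not anything posted by the list members."""
from collections import defaultdict
import re

# Constructed sample log lines in a netfilter/syslog-like style (not real data).
SAMPLE_LOG = """\
Apr  9 21:40:01 vps kernel: SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP DPT=80
Apr  9 21:40:02 vps kernel: SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP DPT=443
Apr  9 21:40:03 vps kernel: SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP DPT=7777
Apr  9 21:41:10 vps kernel: SRC=192.0.2.44 DST=203.0.113.5 PROTO=TCP DPT=80
Apr  9 21:41:11 vps kernel: SRC=192.0.2.44 DST=203.0.113.5 PROTO=TCP DPT=443
Apr  9 21:42:00 vps kernel: SRC=203.0.113.9 DST=203.0.113.5 PROTO=TCP DPT=22
"""

LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=TCP DPT=(\d+)")
WEB_PORTS = {80, 443}
BOTNET_CC_PORT = 7777  # the C&C port mentioned in the thread


def ports_by_source(log_text):
    """Map each source address to the set of destination ports it touched."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            seen[m.group(1)].add(int(m.group(3)))
    return seen


def classify(log_text):
    """Label each source: 'web+cc' when it probed web ports and the 7777 C&C
    port (the thread's pattern), 'web' for web ports only, 'other' otherwise."""
    labels = {}
    for src, ports in ports_by_source(log_text).items():
        if ports & WEB_PORTS and BOTNET_CC_PORT in ports:
            labels[src] = "web+cc"
        elif ports & WEB_PORTS:
            labels[src] = "web"
        else:
            labels[src] = "other"
    return labels


if __name__ == "__main__":
    for src, label in sorted(classify(SAMPLE_LOG).items()):
        print(f"{src:16} {label}")
```

Sources labelled "web+cc" are the ones worth cross-checking against the DNS aliasing theory from the thread, since a scanner that hit every alias of one address will show up under the same source with the same port set.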