Bang goes that part of that theory, then.
Kirbs
On 09/04/2019 15:03, Keith wrote:
Hosted on Debian.
On 2019-04-09 21:50, admins wrote:
Hmm
Not so long back I was gifted a (captured in the wild) bot script, so
could have a rummage through it to see how it worked.
It seemed to not only use a very fast scatter/gather ping method to
detect live hosts but also had a section of code that looked for
another botnet and did a takeover, using a passphrase that was
written into the script. Kinda looks like bot herders are also into
bot rustling. Either that or it was a botnet they had but lost the
C&C for, after a takedown action. Not sure, it is not really my thing.
I am wondering if you were pestered by a small number of hosts from
Stanford that were infected with something similar. The primary route
to infection would have been through a web exploit (hence 80 and 443)
and its secondary route was to take over another botnet that usually
listens for C&C on 7777. If it is a common Windows malware C&C port
then it follows that the hosts pestering you were most likely (but
not guaranteed to be) Windows.
Is your web server a Windows OS?
Why it fixated on your services I have no idea, except, as you
have suggested, that your services looked like there were more of them
than there were due to DNS aliasing. Hence why you saw more of it
than anyone else's fair share of pestering.
Cheers
Kirbs
_______________________________________________
users mailing list
users(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/users