Bang goes that part of that theory, then.

Kirbs



On 09/04/2019 15:03, Keith wrote:

Hosted on Debian. 

On 2019-04-09 21:50, admins wrote:

Hmm

Not so long back I was gifted a (captured in the wild) bot script, so could have a rummage through it to see how it worked.

It seemed to not only use a v fast scatter/gather ping method to detect live hosts but also had a section of code that looked for another botnet and did a takeover, using a passphrase that was written into the script. Kinda looks like bot herders are also into bot rustling. Either that or it was a botnet they had but lost the C&C for, after a takedown action. Not sure, it is not really my thing.

I am wondering if you were pestered by a small number of hosts from Stanford that were infected with something similar. The primary route to infection would have been through a web exploit (hence 80 and 443) and its secondary route was to take over another botnet that usually listens for C&C on 7777. If it is a common Windows malware C&C port then it follows that the hosts pestering you were most likely (but not guaranteed to be) Windows.

Is your web server a Windows OS?

Why it fixated on your services I have no idea, except, as you have suggested, that your services looked like there were more of them than there were due to DNS aliasing. Hence why you saw more of it than anyone else's fair share of pestering.


Cheers


Kirbs

 

_______________________________________________
users mailing list
users@lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/users