Title: Altavista randomlink???
Post by: Andrew Waite on April 30, 2009, 05:35:16 AM

Hi All,
I'm seeing some strange happenings inside my honeypot logs. Several exploits/payloads are downloaders targeting the same URL, hxxp://www.altavista.com/image/randomlink, which from what I can tell does exactly what it says on the tin, and provides a 'random' page. This has left me with two questions:
The best possibilities I can come up with are that this is potentially a test-run or demo, or potentially someone has dropped a new exploit script I've missed with some useless/demo shellcode and the skiddies haven't modified it to do anything useful. Hopefully someone can stop my head from hurting.

Title: Re: Altavista randomlink???
Post by: LSOChris on April 30, 2009, 08:07:37 AM

Just testing outbound connectivity so they don't do something dumb like run the payload on a honeypot?
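
An added example, not part of the thread or any poster's code: one way to triage the pattern discussed above (several downloaders pointing at one URL on a well-known site) over honeypot download logs. The log layout, the payload labels and the `WELL_KNOWN_HOSTS` list are assumptions, the sample lines are constructed, and the "possible-connectivity-check" label is only the hypothesis raised in the reply above.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines (not real honeypot output): time, source IP, payload label, URL.
SAMPLE_LOG = """\
2009-04-30T05:01:12 192.0.2.10 payload-A hxxp://www.altavista.com/image/randomlink
2009-04-30T05:03:40 192.0.2.77 payload-B hxxp://www.altavista.com/image/randomlink
2009-04-30T05:09:02 198.51.100.5 payload-C hxxp://www.altavista.com/image/randomlink
2009-04-30T05:11:30 198.51.100.9 payload-D hxxp://203.0.113.8/x.exe
2009-04-30T05:12:00 not a download line
"""

# Assumption: hosts the analyst treats as well-known public services.
WELL_KNOWN_HOSTS = {"www.altavista.com"}

def refang(url):
    """Turn a defanged hxxp:// or hxxps:// URL back into a parseable one."""
    return "http" + url[4:] if url.lower().startswith("hxxp") else url

def parse(log_text):
    """Yield (source_ip, payload, url) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or "://" not in parts[3]:
            continue
        yield parts[1], parts[2], refang(parts[3])

def triage(log_text, min_sources=2):
    """Group download attempts by URL and label each group."""
    groups = defaultdict(lambda: {"sources": set(), "payloads": set()})
    for src, payload, url in parse(log_text):
        groups[url]["sources"].add(src)
        groups[url]["payloads"].add(payload)
    report = {}
    for url, g in groups.items():
        host = (urlsplit(url).hostname or "").lower()
        shared = len(g["sources"]) >= min_sources
        if host in WELL_KNOWN_HOSTS and shared:
            label = "possible-connectivity-check"
        elif shared:
            label = "shared-download-host"
        else:
            label = "single-observation"
        report[url] = (label, len(g["sources"]), len(g["payloads"]))
    return report

if __name__ == "__main__":
    for url, (label, n_src, n_payload) in triage(SAMPLE_LOG).items():
        print(f"{label:28} sources={n_src} payloads={n_payload} {url}")
```
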

Title: Re: Altavista randomlink???
Post by: Andrew Waite on April 30, 2009, 08:45:17 AM

Cheers Chris, hadn't thought of that (obviously), I've had the system running over a year and haven't noticed similar events. Just thought I might have uncovered something interesting, no such luck it seems.....

Title: Re: Altavista randomlink???
Post by: unsupported on April 30, 2009, 10:03:23 AM

Sounds like a good thing to report to the SANS ISC (http://isc.sans.org/). This can be quickly posted out to the rest of the internet for some feedback/visibility.