HomeCalendarCertificationsColumnsFeaturesForumResourcesVitals
 
Image
 
linkedin_logo.png rss_logo.jpg
twitter_logo.png youtube_logo.jpg
Latest Additions
 
EH-Net Login
Welcome Guest.
Lost Password?
No account yet? Register
Who's Online
We have 45 guests and 2 members online
 
Advertisement

You are here: Home arrow Ethical Hacking Discussions and Related Certificationsarrow Incident Responsearrow Altavista randomlink???
EH-Net
May 25, 2013, 08:38:14 AM *
Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
News: Go back to The Ethical Hacker Network Online Magazine Home Page
 
   Home   Help Calendar Login Register  
Pages: [1]   Go Down
« previous next »
  Print  
Author Topic: Altavista randomlink???  (Read 9771 times)
0 Members and 1 Guest are viewing this topic.
Andrew Waite
Hero Member
*****
Offline Offline

Posts: 928



View Profile WWW
« on: April 30, 2009, 05:35:16 AM »
Hi All,

I'm seeing some strange happenings inside my honeypot logs. Several exploits/payloads are downloaders targetting the same URL, hxxp://www.altavista.com/image/randomlink, which from what I can tell does exactly what it says on the tin, and provides a 'random' page.

This has left me with two questions:
  • Has anyone else seen the same?
  • Exactly why would this be useful activity?

Best possibilities I can come up with is that this is potentially a test-run or demo, or potentially someone has dropped a new exploit script I've missed with some useless/demo shellcode and the skiddies haven't modified it to do anything useful.

Hopefully someone can stop my head from hurting.
Logged
-- http://www.infosanity.co.uk
-- http://blog.infosanity.co.uk
LSOChris
Guest
« Reply #1 on: April 30, 2009, 08:07:37 AM »
just testing outbound connectivity so they dont do something dumb like run the payload on a honeypot?
Logged
Andrew Waite
Hero Member
*****
Offline Offline

Posts: 928



View Profile WWW
« Reply #2 on: April 30, 2009, 08:45:17 AM »
Cheers Chris, hadn't thought of that (obviously), I've had the system running over a year and haven't noticed similar events. Just thought I might have uncovered something interesting, no such luck it seems.....
Logged
-- http://www.infosanity.co.uk
-- http://blog.infosanity.co.uk
unsupported
Sr. Member
****
Offline Offline

Posts: 318


Unofficial Newbie Moderator


View Profile
« Reply #3 on: April 30, 2009, 10:03:23 AM »
Sounds like a good thing to report to the SANS ISC (http://isc.sans.org/).  This can be quickly posted out to the rest of the internet for some feedback/visability.
Logged
-Un
CISSP, GCIH, GCIA, C|EH, Sec+, Net+, MCP
Pages: [1]   Go Up
  Print  
« previous next »
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.18 | SMF © 2013, Simple Machines
Joomla Bridge by JoomlaHacks.com 		Valid XHTML 1.0! Valid CSS!
Page created in 0.053 seconds with 23 queries.
 
Exclusive Deal

sansfire13_245x90_cw90.jpg
SANSFIRE 2013
June 15 - 22

5% Off w/ Code: EHN_5

SANS Deals 4 EH-Netters
5% OFF Any SANS Course in Any Format!
Coupon Code: EHN_5 Including SANS Rocky Mountain 2013 & SANS Boston 2013
Polls
Compared to this year, 2013 will be:
 
Recent Forum Topics
EH-Net News Feeds
Latest Additions
 
         
Free Business and Tech Magazines and eBooks

© 2013 The Ethical Hacker Network
Joomla! is Free Software released under the GNU/GPL License.