Altavista randomlink???

Viewing 3 reply threads
  • Author
    • #3745

      Hi All,

      I’m seeing some strange happenings inside my honeypot logs. Several exploits/payloads are downloaders targetting the same URL, hxxp://, which from what I can tell does exactly what it says on the tin, and provides a ‘random’ page.

      This has left me with two questions:

      • Has anyone else seen the same?
      • Exactly why would this be useful activity?

      Best possibilities I can come up with is that this is potentially a test-run or demo, or potentially someone has dropped a new exploit script I’ve missed with some useless/demo shellcode and the skiddies haven’t modified it to do anything useful.

      Hopefully someone can stop my head from hurting.

    • #23988

      just testing outbound connectivity so they dont do something dumb like run the payload on a honeypot?

    • #23989

      Cheers Chris, hadn’t thought of that (obviously), I’ve had the system running over a year and haven’t noticed similar events. Just thought I might have uncovered something interesting, no such luck it seems…..

    • #23990

      Sounds like a good thing to report to the SANS ISC (  This can be quickly posted out to the rest of the internet for some feedback/visability.

Viewing 3 reply threads
  • You must be logged in to reply to this topic.

Copyright ©2021 Caendra, Inc.

Contact Us

Thoughts, suggestions, issues? Send us an email, and we'll get back to you.


Sign in with Caendra

Forgot password?Sign up

Forgot your details?