I’m seeing some strange happenings inside my honeypot logs. Several exploits/payloads are downloaders targetting the same URL, hxxp://www.altavista.com/image/randomlink, which from what I can tell does exactly what it says on the tin, and provides a ‘random’ page.
This has left me with two questions:
Has anyone else seen the same?
Exactly why would this be useful activity?
Best possibilities I can come up with is that this is potentially a test-run or demo, or potentially someone has dropped a new exploit script I’ve missed with some useless/demo shellcode and the skiddies haven’t modified it to do anything useful.
Cheers Chris, hadn’t thought of that (obviously), I’ve had the system running over a year and haven’t noticed similar events. Just thought I might have uncovered something interesting, no such luck it seems…..