I'm seeing some strange happenings inside my honeypot logs. Several exploits/payloads are downloaders targetting the same URL, hxxp://www.altavista.com/image/randomlink, which from what I can tell does exactly what it says on the tin, and provides a 'random' page.
This has left me with two questions:
- Has anyone else seen the same?
- Exactly why would this be useful activity?
Best possibilities I can come up with is that this is potentially a test-run or demo, or potentially someone has dropped a new exploit script I've missed with some useless/demo shellcode and the skiddies haven't modified it to do anything useful.
Hopefully someone can stop my head from hurting.