
Altavista randomlink???


RoleReversal

Hero Member

Posts: 928

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Thu Apr 30, 2009 5:35 am

Altavista randomlink???

Hi All,

I'm seeing some strange happenings inside my honeypot logs. Several exploits/payloads are downloaders targeting the same URL, hxxp://www.altavista.com/image/randomlink, which from what I can tell does exactly what it says on the tin, and provides a 'random' page.

This has left me with two questions:
  • Has anyone else seen the same?
  • Exactly why would this be useful activity?

The best possibilities I can come up with are that this is potentially a test-run or demo, or potentially someone has dropped a new exploit script I've missed with some useless/demo shellcode and the skiddies haven't modified it to do anything useful.

Hopefully someone can stop my head from hurting.
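
The pattern described in this post (several distinct payloads all fetching one URL) can be pulled out of download records by grouping on the normalized URL. This is an added example, not part of the original post or any poster's tooling; the log format, field names and sample records are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample records (not the poster's logs): timestamp, source IP
# from documentation ranges, placeholder payload id, defanged download URL.
SAMPLE_LOG = """\
2009-04-29T22:14:03Z src=192.0.2.10 payload=sample-a url=hxxp://www.altavista.com/image/randomlink
2009-04-29T23:41:55Z src=198.51.100.7 payload=sample-b url=hxxp://www.altavista.com/image/randomlink
2009-04-30T01:02:19Z src=203.0.113.44 payload=sample-c url=hxxp://www.altavista[.]com/image/randomlink
2009-04-30T01:30:40Z src=192.0.2.10 payload=sample-a url=hxxp://files.example.net/a.exe
2009-04-30T02:11:08Z src=198.51.100.23 payload=sample-d url=hxxp://host.example.org/b.exe
malformed line without fields
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) payload=(?P<payload>\S+) url=(?P<url>\S+)$")

def refang(url):
    """Undo common defanging (hxxp, [.]) so equivalent URLs compare equal."""
    return re.sub(r"^hxxp", "http", url.replace("[.]", "."), flags=re.IGNORECASE)

def normalize(url):
    """Lower-case scheme and host, keep the path; query/fragment are dropped here."""
    parts = urlsplit(refang(url))
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path or '/'}"

def shared_targets(log_text, min_payloads=2):
    """Return (URLs fetched by >= min_payloads distinct payloads, skipped line count)."""
    seen = defaultdict(lambda: {"payloads": set(), "sources": set()})
    skipped = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1  # count unparseable lines instead of hiding them
            continue
        entry = seen[normalize(m["url"])]
        entry["payloads"].add(m["payload"])
        entry["sources"].add(m["src"])
    shared = {u: e for u, e in seen.items() if len(e["payloads"]) >= min_payloads}
    return shared, skipped

if __name__ == "__main__":
    shared, skipped = shared_targets(SAMPLE_LOG)
    for url, e in sorted(shared.items()):
        # Re-defang for the report so the URL is not clickable.
        print(f"{url.replace('http', 'hxxp', 1)}  payloads={len(e['payloads'])}  sources={len(e['sources'])}")
    print(f"skipped {skipped} unparseable line(s)")
```
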

LSOChris

Post Thu Apr 30, 2009 8:07 am

Re: Altavista randomlink???

just testing outbound connectivity so they don't do something dumb like run the payload on a honeypot?

RoleReversal

Hero Member

Posts: 928

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Thu Apr 30, 2009 8:45 am

Re: Altavista randomlink???

Cheers Chris, hadn't thought of that (obviously), I've had the system running over a year and haven't noticed similar events. Just thought I might have uncovered something interesting, no such luck it seems.....

unsupported

Sr. Member

Posts: 318

Joined: Sun Feb 08, 2009 3:38 pm

Location: 407

Post Thu Apr 30, 2009 10:03 am

Re: Altavista randomlink???

Sounds like a good thing to report to the SANS ISC (http://isc.sans.org/). This can be quickly posted out to the rest of the internet for some feedback/visibility.
-Un
CISSP, GCIH, GCIA, C|EH, Sec+, Net+, MCP
