the paths look like /Admina0e6cafd/index.php, where "a0e6cafd" is a hex string - but it's not random. it turns out it's the zero-padded hex encoded IP address of the sensor reversed. here's how the encoding works. 2/
in Python for that hex string: '.'.join(str(netaddr.IPAddress(0xa0e6cafd)).split('.')[::-1]) ... which yields 253.202.230.160 (a deliberately random hex string and IP). now i know why queries for that path in Google yielded nothing. 3/
the attack works because sensors - like mine - which automatically publish their findings often include evidence about how they made their judgement, in this case the path queried by the bot. this is there to help an operator decide if the report is trustworthy. 4/
but in this case the appearance of their method in indicator feeds - in this case IP reputation feeds - would dump the sensor network's IP addresses. so anyone watching such feeds can figure out reporting sensors and poison them, avoid them, etc. 5/
again, this doesn't appear to be specific against my honeypots - i was able to figure it out because i queried the IPs that triggered my role in other sensor networks and saw different AdminHEX paths and figured it out from there. 6/
i don't know which botnet it is, but if you're the herder and know your botnet IPs and who is scanning for those generated paths, you can then cast queries for them in various indicator sharing sites and figure out their sensors. 7/
i don't know if this is the herder's end goal, but given the effects it seems like a deliberate sensor and reporter unmasking strategy. end/
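Added example (not the thread author's code) showing the decoding described above, with a standard-library `ipaddress` replacement for the `netaddr` one-liner, plus the check a honeypot operator would want before publishing a report: flag requests whose path encodes this sensor's own IP and redact the hex segment. The sensor IP, source IPs and log lines are constructed.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# /Admin<8 hex digits>/ prefix as described in the thread (8 digits = zero-padded 32-bit value)
ADMIN_PATH = re.compile(r"^/Admin([0-9a-fA-F]{8})/")
# Minimal access-log parser for the constructed sample below: "<src> ... \"GET <path> ..."
LOG_LINE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+)')


def decode_admin_path(path: str) -> Optional[str]:
    """Return the sensor IP embedded in an /Admin<hex>/ path, or None if the path doesn't match."""
    m = ADMIN_PATH.match(path)
    if not m:
        return None
    # the hex string is the IPv4 address as a 32-bit integer ...
    encoded = ipaddress.IPv4Address(int(m.group(1), 16))
    # ... whose dotted-quad octets are then read in reverse order
    return ".".join(str(encoded).split(".")[::-1])


def encode_admin_path(sensor_ip: str) -> str:
    """Inverse of decode_admin_path: reverse the octets, then zero-padded hex-encode the result."""
    reversed_ip = ".".join(sensor_ip.split(".")[::-1])
    return "/Admin%08x/index.php" % int(ipaddress.IPv4Address(reversed_ip))


def redact_admin_path(path: str) -> str:
    """Replace the sensor-identifying hex segment before a report is published."""
    return ADMIN_PATH.sub("/Admin<redacted>/", path)


def find_self_identifying_hits(log_lines: List[str], sensor_ip: str) -> List[Tuple[str, str]]:
    """Return (source_ip, path) pairs whose path decodes to this sensor's own IP."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if m and decode_admin_path(m.group(2)) == sensor_ip:
            hits.append((m.group(1), m.group(2)))
    return hits


# constructed sample: sensor 203.0.113.42 -> reversed 42.113.0.203 -> 0x2a7100cb
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:00:00:01 +0000] "GET /Admina0e6cafd/index.php HTTP/1.1" 404 0',
    '198.51.100.7 - - [01/Jan/2024:00:00:02 +0000] "GET /Admin2a7100cb/index.php HTTP/1.1" 404 0',
    '198.51.100.8 - - [01/Jan/2024:00:00:03 +0000] "GET /wp-login.php HTTP/1.1" 404 0',
]
```

Only the second sample line decodes to the constructed sensor IP; the first decodes to the thread's 253.202.230.160, i.e. a probe aimed at some other sensor.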
I’m not at your level technically but can you please read my recent posts? I wrote some of the theory for data based mental health apps. Unintentionally. I’m very worried by what’s happened.