Re: [tor-talk] Blocking Shadowserver honeypots

On 19/03/2011 00:02, Alexander Bernauer wrote:
> I don't quite understand how any attacker is trapped by a honeypot
> that is publicly marked as being one. Furthermore, I don't know how
> this IRC bot is able to operate with mail and web ports only as my
> tor exit node is dropping everything else.

It is usually Windows boxes compromised by Mebroot or Torpig malware,
trying to connect to their botnet control center via HTTP. Some of the
autogenerated CCC domains were precalculated and the domains registered
by shadowserver, ISC.org and the like as sinkholes/honeypots.
