Security Analyst – Jeff Soehner CISSP, GXPN,GPYC,GMOB,GCIH

I have seen some activity recently in a honeypot I run that shows some automated scanning for apache. The intent of this automated scan seems to be to seek out and join an Apache server to an IRC botnet using perl. (For those of you unfamiliar with these terms I attempt to define them below).

HoneyPOT (a computer that is intentionally setup as a sacrifice to impersonate well known services that would be used such as apache for a web server, MySQL for a database, etc.)

BotNET (a collection of computers that can be used by one or more people to hijack your computer and use it to launch attacks, send spam, etc.)

In my research I observed an attempt to run a script being hosted on a server in Spain (7soles.com) that is downloaded from a website. It is then executed using perl and can provide a host of services including flooding attacks and spam.

For those of you still reading I have included the link to the script here. It’s not rocket science but it looks like a nicely tested platform – resembling a point and click malware using Internet Relay Chat as a command and control channel. It also looks like it is currently designed to be reporting into a site in Germany.

For most of my contemporaries this is old news but for the rest of you, welcome to the new Internet. Looks a lot like any North American city in the downtown core – watch your purse and get a carry permit for a handgun.