[tor-talk] Blocking Shadowserver honeypots
Jan Reister
Jan.Reister at unimi.it
Mon Mar 21 08:13:44 UTC 2011
On 19/03/2011 00:02, Alexander Bernauer wrote:
> I don't quite understand how any attacker is trapped by a honeypot
> that is publicly marked as being one. Furthermore, I don't know how
> this IRC bot is able to operate with mail and web ports only as my
> Tor exit node is dropping everything else.
It is usually Windows boxes compromised by Mebroot or Torpig malware,
trying to connect to their botnet control center via HTTP. Some of the
autogenerated CCC domains were precalculated and the domains registered
by Shadowserver, ISC.org and the like as sinkholes/honeypots.
Jan