[tor-talk] Blocking Shadowserver honeypots

Jan Reister Jan.Reister at unimi.it
Mon Mar 21 08:13:44 UTC 2011


On 19/03/2011 00:02, Alexander Bernauer wrote:
> I don't quite understand how any attacker is trapped by a honeypot
> that is publicly marked as being one. Furthermore, I don't know how
> this IRC bot is able to operate with mail and web ports only as my
> tor exit node is dropping everything else.

It is usually Windows boxes compromised by mebroot or torpig malware,
trying to connect to their botnet control center via HTTP. Some of the
autogenerated CCC domains were precalculated and the domains registered
by shadowserver, ISC.org and the like as sinkholes/honeypots.

Jan

