{"title":"Types of Hosts on a Remote File Inclusion (RFI) Botnet","authors":"H. Robledo","doi":"10.1109/CERMA.2008.60","DOIUrl":null,"url":null,"abstract":"Web server attacks are increasingly in short time for different purposes, one of the principal vectors of this attacks are RFI and even the automatic way to do this. We suppose that in a botnet involved in RFI attacks, the attackers (host that launch the attack) are web servers compromised since the natural format of the attack and the tool (remote file to include). So we go deeper identified the type of host that is the attacker through a remote analysis based on domain name, content, and dynamic ip addresses.A large botnet involved in RFI attacks was tracked by almost a year and we figure out the behavior and the kind of host are the attackers and the hosters. This track were made by one University web server logs, compared with other sources. The interesting facts founded here are related to the botnet selected to study. This botnet is formed by other kind of hosts, not web servers at all. And the tool used to compromise web server is a very general shell. Other contribution of this work is a methodology for tracking RFI botnets, that could be used in real time or for historical data.","PeriodicalId":126172,"journal":{"name":"2008 Electronics, Robotics and Automotive Mechanics Conference (CERMA '08)","volume":"44 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2008-09-30","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"17","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2008 Electronics, Robotics and Automotive Mechanics Conference (CERMA '08)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/CERMA.2008.60","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citations: 17
Abstract
Web server attacks are increasing rapidly and serve different purposes; one of the principal vectors of these attacks is RFI, including its automated form. We suppose that in a botnet involved in RFI attacks, the attackers (the hosts that launch the attack) are compromised web servers, given the natural format of the attack and the tool (the remote file to include). We therefore go deeper and identify the type of host that is the attacker through a remote analysis based on domain name, content, and dynamic IP addresses. A large botnet involved in RFI attacks was tracked for almost a year, and we determined the behavior and the kinds of hosts that are the attackers and the hosters. This tracking was done using the logs of one university web server, compared with other sources. The interesting facts found here relate to the botnet selected for study. This botnet is formed by other kinds of hosts, not web servers at all, and the tool used to compromise web servers is a very general shell. Another contribution of this work is a methodology for tracking RFI botnets that could be used in real time or on historical data.