
SANS ISC: BTC pickpockets are back - SANS Internet Storm Center


BTC pickpockets are back

About 8 months after their first visit, my server gets another visit from the Bitcoin pickpockets.

It's another IP address this time (again a VPN exit node), but the user agent string is exactly the same:

Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:21.0) Gecko/20100101 Firefox/21.0

The requested filenames are identical, except for 4 new files/folders (3 of them highlighted in red in the picture below). The order of the requests is different from the first time.
It seems they made a small update to their script. The scan is much faster this time: about 4 minutes long compared to about 40 minutes the first time.

If you have observed this too or have a remark, please post a comment.

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

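One way to spot a repeat visit like the one described in the diary is to group web server log entries by client IP and user agent, count how many requests in each group target wallet-looking paths, and measure how long the burst lasted. The script below is an added example, not code from the diary or from SANS ISC. It assumes Apache/nginx combined log format, uses the user agent string quoted above, and uses a made-up list of wallet-related path fragments (the diary refers to its screenshot for the actual filenames); the log lines are constructed and use RFC 5737 documentation addresses.

```python
import re
from collections import defaultdict
from datetime import datetime

# User agent string quoted in the diary entry.
PICKPOCKET_UA = (
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:21.0) "
    "Gecko/20100101 Firefox/21.0"
)

# Assumed path fragments typical of wallet-file probing; the real list
# from the diary is only in its screenshot, so these are illustrative.
WALLET_HINTS = ("wallet", "bitcoin", "btc", ".dat")

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample log: one scanner session and one ordinary visitor.
SAMPLE_LOG = [
    f'203.0.113.7 - - [21/Jul/2018:10:00:00 +0000] "GET /wallet.dat HTTP/1.1" 404 196 "-" "{PICKPOCKET_UA}"',
    f'203.0.113.7 - - [21/Jul/2018:10:01:10 +0000] "GET /.bitcoin/wallet.dat HTTP/1.1" 404 196 "-" "{PICKPOCKET_UA}"',
    f'203.0.113.7 - - [21/Jul/2018:10:02:30 +0000] "GET /btc/ HTTP/1.1" 404 196 "-" "{PICKPOCKET_UA}"',
    f'203.0.113.7 - - [21/Jul/2018:10:04:00 +0000] "GET /backup/wallet.dat HTTP/1.1" 404 196 "-" "{PICKPOCKET_UA}"',
    '198.51.100.4 - - [21/Jul/2018:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/61.0"',
]


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if malformed."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_wallet_scans(lines, min_requests=3):
    """Return one finding per (ip, user agent) that probed wallet-like paths.

    A session is reported when it made at least `min_requests` requests whose
    path contains one of WALLET_HINTS. The finding records whether the user
    agent matches the string from the diary, how many wallet probes were seen,
    how long the session lasted, and whether every probe came back 404.
    """
    sessions = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            sessions[(rec["ip"], rec["ua"])].append(rec)

    findings = []
    for (ip, ua), recs in sessions.items():
        wallet_hits = [
            r for r in recs
            if any(h in r["path"].lower() for h in WALLET_HINTS)
        ]
        if len(wallet_hits) < min_requests:
            continue
        recs.sort(key=lambda r: r["ts"])
        findings.append({
            "ip": ip,
            "known_ua": ua == PICKPOCKET_UA,
            "wallet_requests": len(wallet_hits),
            "total_requests": len(recs),
            "duration_s": (recs[-1]["ts"] - recs[0]["ts"]).total_seconds(),
            "all_404": all(r["status"] == "404" for r in wallet_hits),
        })
    return findings


if __name__ == "__main__":
    for f in find_wallet_scans(SAMPLE_LOG):
        print(f)
```

Matching the user agent alone is weak evidence, since a real Firefox 21 on OS X 10.8 would send the same string; the combination of a known string, a short burst of requests for wallet paths, and a run of 404s is what makes the session stand out. Feed the function real access-log lines (one string per line) to run it against your own server.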
Hits from June 11, reported on June 51 [July 21] ?

How often do you review your log-files?

Maybe, it was me, trying to find BitCoin to send to my brother, on his birthday. :-)
Anonymous
Hmmm. The meta-data for my post, a few seconds ago, shows:
____________________

DidierStevens
90 Posts Posts
Reply Quote Edit
Jul 21st 2018
10 seconds ago
____________________


Not citing my ID, and "Posts Posts" is is redundantly redundant. :-)
Anonymous
Hmmm. That metadata for my first post now shows "Anonymous" and just one "Posts".

Nothing can go wrong, go wrong, go wrong, go wrong, go wrong, go wrong, go wrong ...
Anonymous
