Hacking to Set Up a Free Counter Strike Server?

This week an attacker cracked my honeypot's root password "123456" and tried to install software I've never seen before.

The file was quite large for most malware packages, at over 20 MB. Curious, I uploaded the file to VirusTotal and was quite surprised that it came back completely clean.
(Screenshot: VirusTotal analysis of csservers_redirecte_linux_hlds.zip)
After digging into the file further, I found that the file was actually a Counter Strike server?

Sure enough, the more I dug, the more I verified that the hacker had compromised my honeypot with the sole purpose of running a Counter Strike server.

I use the term hacker loosely because, based upon the attack, the person did not seem very knowledgeable outside of using his install scripts.

You can read the full attack logs on Google Drive.

This is the first time I've ever seen someone compromise a system to install a game server. I know there was a day when IRC chat bots were all the rage and people would compromise servers just to install them, but they're lightweight and don't generate a lot of traffic. A gaming server is going to generate a lot of traffic and CPU load, and surely would be noticed almost right away, right???
