When my honeypots are compromised, this command is frequently run:
Always piped into a jsp, then it's attempted to put it into .php, html (because it fails initially, obviously)...Code:echo "ÕÙ»½" > index.jsp;
Which is odd, because it doesn't do anything special in browsers. Those characters aren't google friendly either, making it hard to see what's been discussed about it.
Any ideas why this is so frequently attempted? Why are many different attackers using it, and why don't they choose an alternative such as "d3f4c3d by 50d4p0p1n5ky"
I'm assuming the attackers dont' know either... they're just picking it up somewhere. That's how the logs read too.
Reply With Quote