UFONET – Open Redirect DDoS tool

UFONet is an open redirect DDoS tool designed to launch attacks against a target by using insecure redirects in third-party web applications as if they were a botnet. Obviously, it is for testing purposes only.


The tool abuses OSI Layer 7 (HTTP) to create and manage ‘zombies’ and to conduct different attacks using GET/POST, multi-threading, proxies, origin spoofing methods, cache evasion techniques, etc.

Definition of an “Open Redirect”:

An HTTP parameter may contain a URL value and could cause the web application to redirect the request to the specified URL. By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts have a more trustworthy appearance.
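
One way an application can close the open redirect defined above, as an added example that is not from UFONet or the original post: check the URL parameter against an allowlist before redirecting. The host names, ALLOWED_HOSTS, FALLBACK and safe_redirect_target are hypothetical.

```python
from urllib.parse import urlsplit

# Assumption: the only hosts this application may redirect to (hypothetical names).
ALLOWED_HOSTS = frozenset({"app.example.com", "login.example.com"})
FALLBACK = "/"


def safe_redirect_target(value, allowed_hosts=ALLOWED_HOSTS, fallback=FALLBACK):
    """Return `value` if it is a safe redirect target, otherwise `fallback`."""
    # Browsers drop tabs/newlines and treat "\" like "/", so a value that
    # contains ASCII whitespace, control characters or a backslash is rejected.
    if not value or any(c <= " " or c == "\\" for c in value):
        return fallback
    try:
        parts = urlsplit(value)
        host = parts.hostname  # excludes any "user@" prefix and the port
    except ValueError:  # e.g. a malformed IPv6 literal
        return fallback
    if not parts.scheme and not parts.netloc:
        # Relative reference: accept only a same-site absolute path. "//host"
        # and "///host" are scheme-relative for browsers and leave the site.
        if value.startswith("/") and not value.startswith("//"):
            return value
        return fallback
    # Absolute URL: http(s) only, and the parsed host must match exactly.
    # Substring or prefix checks would pass "app.example.com.evil.example.net".
    if parts.scheme in ("http", "https") and host in allowed_hosts:
        return value
    return fallback


if __name__ == "__main__":
    # Constructed sample values for the redirect parameter.
    samples = [
        "/account/settings",
        "https://app.example.com/home",
        "//evil.example.net/x",
        "https://app.example.com@evil.example.net/",
        "https://app.example.com.evil.example.net/",
        "/\\evil.example.net",
    ]
    for s in samples:
        print(f"{s!r:50} -> {safe_redirect_target(s)!r}")
```

The application redirects to the returned value only, so a rejected parameter sends the user to the site's own fallback page instead of the supplied URL.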




MCMC investigates The Malaysian Insider for spyware reports.


The Malaysian Communications and Multimedia Commission (MCMC) is investigating the news report issued by local online news portal, The Malaysian Insider, at around 3:00 pm yesterday with the headline stating “Malaysia Uses Spyware against Own Citizens, NYT Reports”.

MCMC would like to state that this report is speculative and ill-researched.

More story – http://mole.my/content/mcmc-investigates-malaysian-insider-spyware-reports#.UUKw9nBPOag.twitter

Mandiant APT1 – Exposing One of China’s Cyber Espionage Units


“China’s economic espionage has reached an intolerable level and I believe that the United States and our allies in Europe and Asia have an obligation to confront Beijing and demand that they put a stop to this piracy.

Beijing is waging a massive trade war on us all, and we should band together to pressure them to stop. Combined, the United States and our allies in Europe and Asia have significant diplomatic and economic leverage over China, and we should use this to our advantage to put an end to this scourge.”1

— U.S. Rep. Mike Rogers, October, 2011

“It is unprofessional and groundless to accuse the Chinese military of launching cyber attacks without any conclusive evidence.”2

— Chinese Defense Ministry, January, 2013

If you are looking for something interesting and the latest news on internet security and cyber war, stop and read this report from Mandiant. In the last couple of weeks, Mandiant, a private security company in the USA, released a report that includes an analysis of China’s cyber espionage unit.

Download Mandiant APT1 here: Mandiant_APT1_Report

Scapy – Easy way to scan available IPs in LAN using ARP reply.

To perform an ARP ping scan, use this command in Scapy.

>>> ans,unans=srp(Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(pdst=""),timeout=2)
Begin emission:
.............*..................Finished to send 256 packets.
.............*

SSH Honeypotting – Bad guy in action.

An SSH server allows remote control of and access to a system. In this article, I would like to present my analysis of the files and activity captured from attackers trapped in our SSH honeypot.

I am also going to post several videos, or screen playbacks, of the attackers’ activity in my honeypot.


A few months back, I launched my project “Capturing Malware with Honeypot on Unifi”: https://wnnsnn.wordpress.com/2012/09/19/malware-honeypot-on-unifi-dionaea/

Basically, this project is something I am interested in, and I am able to publish it to the public based on my findings.

An SSH server is a software program which uses the secure shell protocol to accept connections from remote computers. SFTP/SCP file transfers and remote terminal connections are popular use cases for an SSH server.

SSH servers are widely used by the private sector and government; for example, SSH servers are deployed on DNS servers, mail servers, and mostly on Linux and UNIX servers.

I would like to start this post with the statistics and results I got from my honeypot.

Top 10 SSH clients

This vertical bar chart displays the top 10 SSH clients used by attackers and the total number of detected attempts.

SSH Client Version

Top 10 usernames

This vertical bar chart displays the top 10 usernames that attackers try when attacking the system.

Top Username Been Used

Play back screen – watch this:

This video shows the attacker’s activity after they managed to guess the password on my running Kippo instance.

Play back screen – From log file – Attacker deleting history and log files.

In this video you will find a few methods and commands executed by the attacker to remove traces of and hide their activities.

From log file – wget commands

The following table displays the latest “wget” commands entered by attackers in the honeypot system.