toad.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
Mastodon server operated by David Troy, a tech pioneer and investigative journalist addressing threats to democracy. Thoughtful participation and discussion welcome.

Server stats: 273 active users

#botnet

3 posts, 3 participants, 0 posts today

When protecting a set of small static websites against the onslaught of AI crawler bots, something like Anubis is a lot of effort to install.

So, I knocked up something that might help against the dumber bots, coded entirely inside nginx config so there's no other moving parts to install.

I've done some isolated testing but haven't installed it in anger yet - but I might add it to e.g. my blog and #Faircamp sites.

evilgeniusrobot.uk/posts/a-sim

evilgeniusrobot.uk: A simple bot gatekeeper for nginx

Over the past 5 hours, my personal web server has received about 56,000 requests, at a very regular rate of 3 requests per second, hitting every single link and in particular every single commit in the history of every single project hosted on my #Gitea instance.

Those 56K requests came from 54,786 different IP addresses. 53,606 of those addresses were used only once, 1,129 were used twice, and the remaining 51 were used between 3 and 8 times.

None of those requests self-identified as a bot. They all had user-agents made to pretend they came from legitimate humans browsing the web with legitimate browsers. Because of course it is completely credible that 54K different humans would visit every single link on my website at a regular rate of three visits per second… 🙄

Those 54K IP addresses came from 21,865 different networks belonging to 7,139 different AS. Only a handful of autonomous systems made more than a dozen requests – most of them made 4 requests at most.

This can only be the behaviour of a #botnet. That’s the only way to get so many different IPs from so many different networks and AS.

The #genAI scourge continues.
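To put numbers on the pattern keef describes above (how often each IP is reused, the request rate, the share of unique paths, and user agents that claim to be browsers), here is an added Python example that is not part of the original post. It parses nginx combined-format access-log lines, builds the same reuse histogram (once / twice / 3-8 times), and applies a simple heuristic for a distributed crawl. The log lines are constructed (TEST-NET addresses, invented paths), and the thresholds in `looks_like_distributed_crawl` are assumed values for illustration, not figures from the post.

```python
import re
from collections import Counter
from datetime import datetime

# nginx "combined" log format (the default access_log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: 13 requests, one per second, from 10 addresses.
# Eight addresses appear once, one twice, one three times; one request
# uses a non-browser user agent so the browser share is not exactly 1.
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/126.0 Safari/537.36"
_SOURCES = [f"192.0.2.{n}" for n in range(1, 9)] + ["192.0.2.9"] * 2 + ["192.0.2.10"] * 3


def _line(ip, sec, path, ua):
    return f'{ip} - - [19/Jul/2025:02:00:{sec:02d} +0000] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'


SAMPLE_LINES = [
    _line(ip, i, f"/gitea/repo/commit/{i:04x}", BROWSER_UA if i != 12 else "curl/8.7.1")
    for i, ip in enumerate(_SOURCES)
]


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    parts = rec["req"].split(" ")
    rec["path"] = parts[1] if len(parts) >= 2 else rec["req"]
    return rec


def reuse_histogram(per_ip):
    """Bucket source IPs by how many requests each made, as in the post."""
    buckets = Counter()
    for n in per_ip.values():
        if n == 1:
            buckets["once"] += 1
        elif n == 2:
            buckets["twice"] += 1
        elif n <= 8:
            buckets["3-8"] += 1
        else:
            buckets["9+"] += 1
    return dict(buckets)


def analyze(lines):
    """Summarise a batch of access-log lines into the signals the post used."""
    recs = [r for r in (parse_line(ln) for ln in lines) if r]
    per_ip = Counter(r["ip"] for r in recs)
    stamps = sorted(r["ts"] for r in recs)
    span = (stamps[-1] - stamps[0]).total_seconds() if len(stamps) > 1 else 0.0
    n = len(recs)
    return {
        "requests": n,
        "unique_ips": len(per_ip),
        "reuse": reuse_histogram(per_ip),
        "req_per_s": n / span if span > 0 else None,
        "unique_path_ratio": len({r["path"] for r in recs}) / n if n else 0.0,
        "browser_ua_share": sum(r["ua"].startswith("Mozilla/") for r in recs) / n if n else 0.0,
    }


def looks_like_distributed_crawl(summary, min_ip_ratio=0.75, min_path_ratio=0.9, min_browser_share=0.9):
    """Heuristic (assumed thresholds): nearly every request from a fresh address,
    nearly every path distinct, and user agents that claim to be ordinary browsers."""
    if summary["requests"] == 0:
        return False
    return (summary["unique_ips"] / summary["requests"] >= min_ip_ratio
            and summary["unique_path_ratio"] >= min_path_ratio
            and summary["browser_ua_share"] >= min_browser_share)


if __name__ == "__main__":
    s = analyze(SAMPLE_LINES)
    for k, v in s.items():
        print(f"{k:>18}: {v}")
    print("distributed crawl?", looks_like_distributed_crawl(s))
```

To run it over a real log, replace `SAMPLE_LINES` with the lines of `/var/log/nginx/access.log`; the reuse histogram and the unique-IP ratio are the two figures that separate a distributed fleet from one aggressive client, and mapping the surviving addresses to ASNs (as the thread goes on to do) is a separate, offline step.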

Continued thread

Another >500k requests in the last 24 hours - now up to 2.9 million, from 1.35 million unique IPs.

Interestingly the stats show a dip in requests on Saturday and Sunday - I wonder if a bunch of the infected machines in the #botnet are corporate, and get switched off over the weekend?!

Continued thread

Two days later:

1.99 million total hits

1.07 million IP addresses

The #botnet is still going strong against robot 1.

I think they're going to be pretty disappointed when they find out they've harvested 2 million different pages of total nonsense.

I'm still not clear what they're doing, but it's nearly all unique URLs, so harvesting data for AI training is the best idea I can come up with.

Interestingly it hasn't found robot 2 and even Thinkbot seems to have mostly given up with that one.

For those keeping track, I'm now up to 1.3 million hits on my robot website in the last five days.

Those came from over 800,000 unique IP addresses. That's a staggering number.

If it keeps up at this rate it will hit over a million unique devices sometime tomorrow.

This is a giant #botnet, right? Like, one of the biggest out there?

I'm currently doing some mapping to ASNs, to see if there's patterns.

Previous reports (user-agents and country distributions):

evilgeniusrobot.uk/botnet-repo

evilgeniusrobot.uk: Botnet Reports

In the last three days, my tiny honeytrap robot has had *760,000* hits, nearly all unique URL paths, from *510,000* unique IP addresses and a wide range of user-agents.

This doesn't appear to be malicious as far as I can tell - I think it's just crawling the site (which is effectively an infinite labyrinth) - although why anyone would use a #botnet for that is confusing to me.

The site is handling it, for now, but the hit rate is increasing each day.

Half a million devices... yikes.

So my first evil genius robot honeypot, the word frequency one, seems to be getting hit by a distributed botnet.

It started around 2-3 requests per second but seems to be ramping up.

It's using IP addresses from all over the world - could be hacked personal devices? - and a wide range of plausible-looking User Agent strings.

My server is fine for now - 95% idle CPU.

Are there people for whom any of the IP or agent data might be useful? Botnet detectorists?

‼️ According to the #FBI, at least 10 million Android devices worldwide are affected by the #BadBox2.0 #Malware.

The #malware is often already preinstalled at the time of purchase in cheap #SmartDevices, mostly originating from #China, such as #StreamingBoxes or digital #PictureFrames.

It enables criminal activities such as #ClickFraud or #Botnet control. The #FBI recommends disconnecting suspicious devices from the internet immediately.

forbes.com/sites/daveywinder/2

Forbes: FBI Warning To 10 Million Android Users — Disconnect Your Devices Now. Check to see if your Android device is at risk from this large-scale attack — here’s how.

Threat Actors Exploit Linux SSH Servers with SVF Botnet

Cybersecurity researchers have uncovered a new attack campaign in which threat actors are targeting Linux SSH servers with weak credentials to deploy the SVF botnet, a Python-based DDoS malware. This botnet uses Discord as its command-and-control (C2) platform, allowing attackers to manage infected servers in real time. The SVF botnet is capable of launching Layer 7 (HTTP flood) and Layer 4 (UDP flood) DDoS attacks, turning compromised servers into powerful tools for disrupting targeted systems.

Pulse ID: 6880a810b601758421acd5a4
Pulse Link: otx.alienvault.com/pulse/6880a
Pulse Author: cryptocti
Created: 2025-07-23 09:14:56

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

LevelBlue Open Threat Exchange: Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

Russian DDoS botnet taken down

The BKA reports a success against politically motivated cybercrime. Further secondary reports can be found, for example, here or here. The Russian group NoName057(16) used its botnet of the same name only for DDoS attacks, as far as we know so far. The attacks were directed against "unwelcome"

pc-fluesterer.info/wordpress/2

www.pc-fluesterer.info: Russian DDoS botnet taken down | pc-flüsterer bremen

Happy "Logging in as users -, [ and $ day" to all who celebrate:

Jul 19 02:02:12 portal sshd-session[88959]: Failed password for invalid user - from 152.42.130.79 port 33738 ssh2
Jul 19 03:00:14 portal sshd-session[79691]: Failed password for invalid user [ from 152.42.130.79 port 41708 ssh2
Jul 19 03:58:56 portal sshd-session[6194]: Failed password for invalid user $ from 152.42.130.79 port 55398 ssh2
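The three log lines above are a good test case for log parsing, because usernames like "-", "[" and "$" break naive word-based patterns (`\w+` never matches them). As an added example that is not part of the original post, here is a small Python parser for sshd failed-password lines that keeps such usernames intact, groups attempts per source address, flags usernames with no letters or digits, and measures the spacing between attempts. The first three sample lines are the ones quoted above; the fourth (a valid-user failure from 198.51.100.7) is constructed.

```python
import re
from datetime import datetime

# sshd auth-failure lines as syslog writes them. The first three are the lines
# quoted in the post above; the fourth is a constructed line for a valid account,
# which sshd logs without the "invalid user" prefix.
SAMPLE_LOG = """\
Jul 19 02:02:12 portal sshd-session[88959]: Failed password for invalid user - from 152.42.130.79 port 33738 ssh2
Jul 19 03:00:14 portal sshd-session[79691]: Failed password for invalid user [ from 152.42.130.79 port 41708 ssh2
Jul 19 03:58:56 portal sshd-session[6194]: Failed password for invalid user $ from 152.42.130.79 port 55398 ssh2
Jul 19 04:10:00 portal sshd-session[6201]: Failed password for root from 198.51.100.7 port 50000 ssh2
"""

# Non-greedy username match so that names made of punctuation (or containing
# spaces) survive; "invalid user " is optional because valid accounts log without it.
FAIL_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd(?:-session)?\[\d+\]: '
    r'Failed password for (?P<invalid>invalid user )?(?P<user>.+?) '
    r'from (?P<ip>\S+) port (?P<port>\d+) ssh2$'
)


def odd_username(user):
    """True for names with no letter or digit at all, or with characters outside
    the usual [A-Za-z0-9._-] set: "-", "[" and "$" all qualify, "root" does not."""
    return (re.search(r"[A-Za-z0-9]", user) is None
            or re.search(r"[^A-Za-z0-9._-]", user) is not None)


def parse_failures(text):
    """Parse every failed-password line in a syslog excerpt into a dict."""
    recs = []
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["invalid"] = d["invalid"] is not None
        # syslog omits the year; strptime fills in 1900, which is fine for intervals
        d["ts"] = datetime.strptime(" ".join(d["ts"].split()), "%b %d %H:%M:%S")
        d["port"] = int(d["port"])
        recs.append(d)
    return recs


def summarize(recs):
    """Per source address: attempt count, usernames tried, the odd ones, and the
    shortest gap between consecutive attempts (None for a single attempt)."""
    by_ip = {}
    for r in recs:
        e = by_ip.setdefault(r["ip"], {"attempts": 0, "users": set(), "stamps": []})
        e["attempts"] += 1
        e["users"].add(r["user"])
        e["stamps"].append(r["ts"])
    out = {}
    for ip, e in by_ip.items():
        st = sorted(e["stamps"])
        gaps = [(b - a).total_seconds() for a, b in zip(st, st[1:])]
        out[ip] = {
            "attempts": e["attempts"],
            "users": sorted(e["users"]),
            "odd_users": sorted(u for u in e["users"] if odd_username(u)),
            "min_interval_s": min(gaps) if gaps else None,
        }
    return out


if __name__ == "__main__":
    for ip, info in summarize(parse_failures(SAMPLE_LOG)).items():
        print(ip, info)
```

Note the spacing: the attempts from 152.42.130.79 arrive about 58 minutes apart, so a counter with a short window (a ten-minute fail2ban findtime, say) never sees more than one failure from that address. Aggregating over hours, or keying on the shape of the attempted usernames, is what surfaces a slow probe like this one.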

🤖 Jan-Jun 2025 Botnet Threat Update out now!

⬆️ Total of 17,258 botnet C&Cs observed, up by +26%.
⬇️ Botnet C&Cs continue to drop for 🇧🇬 Bulgaria (-40%) and 🇲🇽 Mexico (-25%)
➡️ Pentest frameworks represent 43% of Top 20 malware associated with Botnet C&Cs.

🇺🇲 Meanwhile, three US-based networks suffered significant increases for hosting the most active botnet C&Cs….

Find out which ones in the latest FREE report here👇
spamhaus.org/resource-hub/botn

Website owner? Not keen on the Mellowtel browser library building a botnet of untraceable scrapers from unwitting users who are using a browser plugin that contains Mellowtel? I've raised a GitHub issue for them to explain how much contempt they have for our consent. Join in, politely, make them look like the jerks they are. github.com/mellowtel-inc/mello

GitHub: As a website owner, I want to be able to identify or prevent scraping by Mellowtel · Issue #41 · mellowtel-inc/mellowtel-js (by futzle)