I published the following diary on isc.sans.org: “Analyze of a Linux botnet client source code“.
I like to play active defense. Every day, I extract attackers' IP addresses from my SSH honeypots and perform a quick Nmap scan against them. The goal is to gain more knowledge about the compromised hosts. Most of the time, the hosts are located behind a residential broadband connection. But sometimes you find more interesting stuff. When valid credentials are found, the classic scenario is the installation of a botnet client that will be controlled via IRC to launch multiple attacks or scans…