Our site is currently "under abuse" from a botnet which is directing a small subset of internet users (not forum users) to a rarely used full-page advertising URL and attempting to redirect the user, via that URL, to other web sites. This is a kind of "spam" botnet, using a URL redirection method. This does not affect our regular forum members (except that it does increase the server load average).
Prior to discovery, most of these redirection URLs would result in a blank page (no ad) to the "outside user" because we are not using that ad campaign at the moment. However, after discovery of this botnet, we simply redirected the botnet "victims" to our Facebook page (to move them off the server, decrease server load, and extract some statistics about each botnet node).
Today, I wrote a small program to collect the IP addresses of each node of the botnet and perform some analysis by unique IP and country, etc. After this code runs for a while I will update this thread with these ongoing stats:
- total ips 3321
- unique ips 820
- unique countries 59
When the stats above stabilize a bit (unique IPs do not change often and countries are also "stable"), I will extract the longitude and latitude information for each IP from our geoip database and use the Google Map Engine to display the botnet on a global map.
Stay tuned for the pretty picture of this botnet.
At the end of this posting time:
- total ips 3780
- unique ips 862
- unique countries 60
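
The tally described in the post can be reproduced from a web server access log. The following is an added example, not the poster's program; the ad URL path, the log lines and the IP-to-country table (standing in for a GeoIP database) are all constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Hypothetical path of the abused full-page ad URL (the post does not give it).
AD_PATH = "/ads/fullpage.php"

# Constructed stand-in for a GeoIP database: documentation networks -> made-up codes.
GEO_TABLE = [
    (ipaddress.ip_network("192.0.2.0/24"), "AA"),
    (ipaddress.ip_network("198.51.100.0/24"), "BB"),
    (ipaddress.ip_network("203.0.113.0/24"), "CC"),
]

# Combined Log Format: client IP first, then the quoted request line.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+)')

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET /ads/fullpage.php?id=7 HTTP/1.1" 302 0
192.0.2.10 - - [01/Jan/2024:10:00:09 +0000] "GET /ads/fullpage.php?id=7 HTTP/1.1" 302 0
198.51.100.23 - - [01/Jan/2024:10:00:12 +0000] "GET /ads/fullpage.php HTTP/1.1" 302 0
203.0.113.5 - - [01/Jan/2024:10:00:15 +0000] "GET /forum/index.php HTTP/1.1" 200 5120
203.0.113.77 - - [01/Jan/2024:10:00:20 +0000] "GET /ads/fullpage.php?id=9 HTTP/1.1" 302 0
192.0.2.44 - - [01/Jan/2024:10:00:31 +0000] "GET /ads/fullpage.php HTTP/1.1" 302 0
this line is truncated garbage
"""

def country_of(ip):
    """Return the country code for an IP, or '??' when the table has no match."""
    addr = ipaddress.ip_address(ip)
    return next((cc for net, cc in GEO_TABLE if addr in net), "??")

def botnet_stats(lines):
    """Count hits on AD_PATH: total requests, unique source IPs, unique countries."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group(2).split("?", 1)[0] != AD_PATH:
            continue  # unparsable line, or normal forum traffic
        try:
            ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # first field is a hostname or junk, not an IP
        hits[m.group(1)] += 1
    countries = {country_of(ip) for ip in hits} - {"??"}
    return {"total_ips": sum(hits.values()), "unique_ips": len(hits),
            "unique_countries": len(countries), "top": hits.most_common(3)}

if __name__ == "__main__":
    print(botnet_stats(SAMPLE_LOG.splitlines()))
```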