Article: How to protect a botnet. Recommendations and practical guidance.

Article: How to protect your botnet

Today we are going to discuss a very important aspect of our work, one that is always overshadowed, and try to cover this topic because it has become very important over the past few years. Nowadays we see that protecting a botnet rests on the shoulders of whoever organizes the whole infrastructure; however, this point is not always taken into account, and the result is ending up in trackers at best and leaking access logs from the server at worst, with further consequences. This article will be useful both for beginners who are about to set up their own botnet properly and for experienced comrades. We will examine the basic methods of protecting your infrastructure from bloggers, trackers, hackers, reversers, honeypots, and other new-age ills. Universal protection methods applicable to many products will be discussed. First, let's define who our potential enemies are and how we will protect our crops from those willing to encroach on them!

1) Botnet Hackers

2) Viral Analysts and Reversers

3) Trackers

With the advent of resources like, every day could be the last day in the life of your botnet, and it may cost you some amount of nerves. The question on everyone's mind is: what to do? How do you hide your tracks from a tracker? Let's first define what these trackers are bothering us with. If a tracker picks you up, your botnet will not have much time to live, because the quantity and quality of abuse reports coming from various companies such as SpamHaus, RSA and others will exceed all the capacity of an abuse-tolerant hosting. We will have to change the domain or IP address, or outsmart the whole system. If we take a closer look at what the reports in the trackers include, we will see that usually the following paths are listed there:

a) the build .exe file
b) the config file
c) the URL of the gate
d) possibly the admin panel

The information is most likely pulled automatically from the sample. The easiest, yet most effective, way to avoid being hit is to use additional protection that avoids direct links to files. The structure should be based on several steps:

1) An intermediate authorization script that distinguishes real bots from direct hits (check HTTP_REFERER, BOT_ID and the authorization keys embedded in the builder) and decides whether to serve files or not.
2) Since we are dealing directly with the gate, it is nice to create a middleware script that can be inserted into the build instead of the gate and used as a link between the real gate and the intermediate host. In other words, this is a script that forwards data to the real gate.
3) Use non-standard client-server encryption.

This way, even if we get into a tracker, our real host remains out of reach, since the listed host will be the intermediate one, which can be any FTP account. Ideally, to confuse the tracker, you can serve a completely extraneous config .exe file that leads the trail to a completely different server. Recommendation 10: always make multiple builds, pointing to different intermediate hosts. If one goes down, all the others will live. Allocate the risks correctly. Make sure your software is capable of responding to trackers properly.

4) Bloggers

People like these are interested in the insides of your botnet: what you are downloading, how you are downloading it, and what it is all for. Usually they publish research on the internals, but their interest lies directly in the stats, which means they want to get into the admin panel at any cost. How to protect your admin panel in 5 minutes is what we will talk about next. Because your web server supports .htaccess files (an additional configuration file for the Apache web server and similar servers; it lets you set many advanced options and permissions for the web server in individual directories, such as controlled directory access, reassigning file types, etc.), you can easily and flexibly protect your admin panel from hackers by adding a second login authorization or limiting access by IP address. Let's start simply by adding extra authorization to your Trojan's web admin script. To do this, go to the web admin folder, create a file called .htaccess and type in the following:

<Files adminka.php>
AuthName "Login Zone"
AuthType Basic
AuthUserFile /unix/put/do/saita/.htpasswd
require valid-user
</Files>

Here adminka.php is the name of your admin script. In AuthUserFile /unix/put/do/saita/.htpasswd write the path to the future password file; do not put it in the public_html folder, let it lie just above that folder. The path to the site can be found by creating a file infogetphp.php with the contents <?php phpinfo(); ?> and opening it. Now create the .htpasswd file in the directory we specified above under AuthUserFile: generate the entry with an htpasswd tool, typing in the username and password we want. We will get something like aa:$apr1$KGVmuy2N$z.bjadhDH7Nz7eZGuL5CD/ and we save this string to the .htpasswd file (without the quotes). That's it, authorization is set. Now there are 2 passwords to get into the admin area: even if an attacker obtained the admin panel password through SQL injection, the second authorization will be a big problem for him.

If you want your web admin panel to open only from 1 IP address (it should be a VPN or SOCKS IP, of course), write the following content into the .htaccess file:

Order Deny,Allow
Deny from all
Allow from

where the address after Allow from is your IP address.

Fig. 1. Additional authorization when logging into the admin area.

Also, if you have any directories where uploaded content from bots goes (video-grabbing results, certificates, etc.), go to that directory and create a .htaccess file there. For example, in Zeus it is the _reports folder (be sure to rename it during installation too!). Write the following in it:

php_flag engine 0

This directive disables the execution of any PHP scripts in the directory, so even if some web shells have already been uploaded there, it won't be a big deal.

If you want to disallow direct access from the web to a folder, create a .htaccess file in the directory you wish to protect, with this content:

Order Deny,Allow
Deny from all

5) The Magic Pill

Install Nginx and GeoIP:

Just in case, let’s update the GeoIP databases:

In the Nginx configuration file, /etc/nginx/nginx.conf, add the following to the http section:

geoip_country /usr/share/GeoIP/GeoIP.dat;
map $geoip_country_code $bad_country {
    default 1;
    include geo/good_countries;
}

We have connected the GeoIP.dat file and defined the $bad_country variable, as well as a good_countries file in which we will list the countries from which access is allowed. Next, in the location we are interested in, for example /, add the blocking condition:

location / {
    proxy_pass;
    proxy_redirect /;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Real-IP $remote_addr;
    if ($bad_country) {
        return 404;
    }
}

Where the proxy_pass target is the IP of your site. Now fill in the file geo/good_countries. Since we use the variable $geoip_country_code, the country codes must be written as two-letter abbreviations. For example, for the UK, the code would be UK. In the good_countries file, the list of countries should be laid out accordingly:

RU 0;
UA 0;
US 0;

Fig. 2. Example of nginx.conf with the GeoIP module.

That's it. Simply remove an unwanted country from the good_countries file, or add the desired country to it, to control access.

If you don't understand how to do this on your server, or you are not sure how to handle it, don't skimp on the administration of your server! Hire a competent sysadmin, preferably someone who specializes in failover and high-load projects. The cost of such monthly administration services is $100-$300 on average; involve competent specialists in your projects, they can be useful at any time.

And a few last tips:

1) Don't use the same email addresses and personal information when registering domains. It will be easy to find all your domains by 1 email or address. Use services like
2) Don't use public antivirus file scanning services like. All samples are sent directly to the AV companies.
3) Never create anything with root privileges; use a dedicated limited account on the server system. Use FTP instead of SSH.
4) If you do get hacked, delete your account completely and recreate it from scratch. If you suspect the whole server is compromised, format it and reinstall the OS; rootkit hunters are not likely to help you. Also, look for extraneous scripts and files in places with loose permissions (chmod 777, 666) and remove them, then close the write permissions and analyze the web server access_log.

We wish you all a productive and safe work! In future articles, we will cover botnet optimization and performance, as well as the basics of automating a number of routine processes.

AquaBox (C) 2012 Citadel Software When copying this article, attribution is required.
