Ask HN: Remote repos being used for C2 botnet, or VMS scan?

2 points

7 years ago

Observation: A number of external repos are having malicious looking repositories being created with the pattern ";[6 alphanum]<ScRiPt>[4 alphanum]([4 num])</;[6 alphanum]". For example ";0MhPC1<ScRiPt>r7kK(9626)</;CD4u6"

All appear to be running JFrog Artifactory

The remote repos we have identified are: http://repo.gradle.org/gradle/repo/ https://repo.datastax.com/dse/ https://maven.openflexo.org/artifactory/openflexo-deps/ https://qasymphony.jfrog.io/qasymphony/repo/

Possible Scenarios:

1 - Someone is running some kind of daily vulnerability scan against these repos. This is inadvertently testing the create repo name field for XSS which is then submitted, creating the repo.

2 - Repos are being created for use as a botnet communication channel - pretty clever in my opinion to use remote repos as a means to bypass internal network restriction.

Any owners able to tell if the creator is distributed?

1 comment