
Monday, 27 October 2014

Why are these bots visiting ZOMDir.com?

Roughly a month ago I discovered that ZOMDir.com is visited by a botnet. In the past the number of link updates was almost the same as the number of new links. See this screenshot of the stats on April 1, 2014:

Recently I discovered by taking a look at the stats that the number of updated links (257,066) is much higher than the number of new links (15,568).

Immediately I thought of bots, so I created honeypots to trap them. When I trap a bot, I log this. When it is a new IP address I add it to the page Bots.

So far I have collected more than 200 unique IP addresses.

These bots are visiting ZOMDir regularly. To monitor this in more detail I have added some extra logging. Here are the results.


The bots try to manipulate in salvos of 5 attacks. That is, within a few seconds, from the same IP address, they try 5 different texts.

For example, a bot visited ZOMDir.com at these times (UTC):

  • 2014-10-25 18:26:10.183
  • 2014-10-25 18:26:11.600
  • 2014-10-25 18:26:12.328
  • 2014-10-25 18:26:13.306
  • 2014-10-25 18:26:13.814

These salvos were at a more or less regular interval.

See these times, rounded to the minute, of the 10 most recent salvos (at the moment I started writing this blog):

  • 2014-10-25 17:33
  • 2014-10-25 17:38
  • 2014-10-25 17:50
  • 2014-10-25 17:53
  • 2014-10-25 18:03
  • 2014-10-25 18:15
  • 2014-10-25 18:20
  • 2014-10-25 18:21
  • 2014-10-25 18:24
  • 2014-10-25 18:26

There are roughly 10 to 12 salvos per hour. In other words, more than 1000 times a day these bots try to manipulate ZOMDir.
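The salvo pattern described above (several different texts from one IP address within a few seconds) can be detected directly in an update log. This is an added example, not ZOMDir's own code: the log format, IP addresses, texts and thresholds are assumptions, and only the first five timestamps come from the post.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: (UTC timestamp, client IP, submitted description).
# The first five timestamps are the ones quoted in the post; the IPs
# (documentation ranges) and the texts are placeholders.
SAMPLE_LOG = [
    ("2014-10-25 18:26:10.183", "203.0.113.7", "text A http://spam.example/a"),
    ("2014-10-25 18:26:11.600", "203.0.113.7", "text B http://spam.example/b"),
    ("2014-10-25 18:26:12.328", "203.0.113.7", "text C http://spam.example/c"),
    ("2014-10-25 18:26:13.306", "203.0.113.7", "text D http://spam.example/d"),
    ("2014-10-25 18:26:13.814", "203.0.113.7", "text E http://spam.example/e"),
    ("2014-10-25 18:27:40.000", "198.51.100.23", "My hobby site"),
    ("2014-10-25 18:31:05.000", "198.51.100.23", "My hobby site about trains"),
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f")

def find_salvos(log, max_gap=timedelta(seconds=3), min_texts=4):
    """Return (ip, start, end, distinct_texts) for each burst of rapid updates.

    A burst ends when the next update from the same IP is more than max_gap
    later; it counts as a salvo when it carries at least min_texts texts.
    """
    by_ip = defaultdict(list)
    for ts, ip, text in log:
        by_ip[ip].append((parse(ts), text))
    salvos = []
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e[0])
        burst = [events[0]]
        for event in events[1:] + [None]:      # None flushes the last burst
            if event is not None and event[0] - burst[-1][0] <= max_gap:
                burst.append(event)
                continue
            texts = {text for _, text in burst}
            if len(texts) >= min_texts:
                salvos.append((ip, burst[0][0], burst[-1][0], len(texts)))
            if event is not None:
                burst = [event]
    return salvos

def salvo_ips(log):
    # Candidate addresses for a block list such as the post's "Bots" page.
    return sorted({ip for ip, *_ in find_salvos(log)})

if __name__ == "__main__":
    for ip, start, end, n in find_salvos(SAMPLE_LOG):
        print(f"{ip}: {n} distinct texts in {(end - start).total_seconds():.3f}s")
```

A visitor who edits the same link twice several minutes apart, like the second address in the sample, is not flagged, because each of those updates forms its own one-event burst.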


Often the bots try to change the description of the link. I guess that the reason is that this is a textarea. This description will be shown as the tooltip text of the link.

Per salvo they try several texts. Examples of these texts are:

Jonny was here http://www.ohword.com/chemistry-homework-help-online/ cheap college history papers He has not spoken to his son since the former National Security Agency contractor left the United States for Hong Kong before news broke in June of the disclosures he made about U.S. surveillance programs.

I'd like to speak to someone about a mortgage <a href=" http://www.ohword.com/writing-a-research-proposal/#naturalists ">buy essay australia</a> Romney's critics scrutinized his investment record and often portrayed Bain as a corporate raider which profits at the expense of average Americans. They also combed through Bain's private equity portfolio to date to see how Romney benefits.

Please call back later http://www.ohword.com/someone-to-do-school-work-for-you/ can money buy love essay Although Facebook unblocked the link to "Unstoppable," Cameron's film still remains blocked on YouTube. So, he has called on his fans to rally around his cause once again, according to his Facebook page.

How do you know each other? <a href=" http://ziplinegear.biz/essay-writing-english/#repent ">buy college paperws</a> Part of the danger is how swimmers can disappear under the surface. Even in a clear pool, a swimmer&#8217;s movement can blur their presence. In a murky water pond, it&#8217;s even more dramatic. But the Wahooo system also helps lifeguards locate a downed swimmer, using a tracking device. Before, the best way to find a lost swimmer was to form a rescue line, sweeping the area step-by-step.

What do you like doing in your spare time? http://www.cafsowrag4development.org/do-essay-writing-services-work/ bestessayservices "There was another case of PAM possibly connected with Willow Springs in 2010. Based on the occurrence of two cases of this rare infection in association with the same body of water and the unique features of the park, the ADH has asked the owner of Willow Springs to voluntarily close the water park to ensure the health and safety of the public."


A lot of different URLs are used in these texts. Examples of these URLs are:


I have tested these URLs with Safe Browsing at a Glance and they are all probably safe. I was not that sure about that, so I started Sandboxie to take a look at some of these URLs.

The results are strange. Half of these links are not working (404 error, database error, just an empty page or an incomplete, non-working form), and the other half seem to be random normal sites. So I wonder: why are these bots doing this? Just trying, peeking and poking to see if something gets broken?

If you have a better idea, or have a suggestion for how to stop them, please let me know.



