Every now and then I like to visit black-hat community forums for a number of legitimate reasons. I like to see what the other side is up to, what they are buying and selling, at what price, who they are targeting, the skill level of the attackers, what exploitation techniques they use, etc. Passively browsing these underground community forums can be a great learning experience.
I had read stories about servers, web servers more specifically, being targeted over personal computers for their use in DDoS attacks. Using a server rather than a client as a zombie means that the attackers have higher bandwidth, more RAM, more CPU and other resources at their disposal. Servers are generally more secure than clients, as you would expect the people who set them up and manage them to have a greater awareness of the risks involved. Although servers are generally more difficult to compromise, compromising 100 servers may be worth more than compromising 1000 clients.
While browsing a particular black-hat community forum I came across a post by a user who wanted to purchase compromised web servers and made a particular request that the servers should have his supplied PHP script pre-uploaded.
The PHP script was named ‘shell.php’ and contained the following lines:
$rand = rand(1,65000); $fp = fsockopen('udp://'.$host, $rand, $err, $errstr, 5);
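The two statements above are the signature of a UDP flood: a datagram socket opened to a target host on a freshly randomised port, which is how one compromised web server becomes a traffic source. The following scanner is an added example of how a defender might sweep a web root for that pattern; it is my own code, not the script from the forum post, and it uses Python rather than PHP simply because a scan over the filesystem is easier to express and test there. It assumes the host comes from a request parameter (the post does not show how `$host` is set), looks for `fsockopen()` with a `udp://` scheme combined with either a `rand()`-chosen port or a request-supplied host, and treats a fixed-port UDP socket to a known collector as benign. Both sample files are constructed here for the example.

```python
import re
import sys
from pathlib import Path

# Constructed sample: the two statements quoted from the forum post, wrapped in a
# minimal PHP file. The $_GET line is an assumption about how $host is supplied.
SUSPICIOUS_PHP = """<?php
$host = $_GET['host'];
$rand = rand(1,65000); $fp = fsockopen('udp://'.$host, $rand, $err, $errstr, 5);
"""

# Constructed benign sample: a UDP socket to a fixed, hard-coded syslog collector.
# Same function, no random port and no user-controlled destination.
BENIGN_PHP = """<?php
$fp = fsockopen('udp://logs.internal.example', 514, $errno, $errstr, 5);
"""

# Each rule captures one ingredient of the flood pattern; none is conclusive alone.
RULES = {
    # fsockopen() opening a UDP (datagram) socket
    "udp_fsockopen": re.compile(r"fsockopen\s*\(\s*['\"]udp://", re.IGNORECASE),
    # rand()/mt_rand() with a numeric range, typically feeding the port argument
    "random_port": re.compile(r"\b(?:mt_)?rand\s*\(\s*\d+\s*,\s*\d+\s*\)", re.IGNORECASE),
    # destination taken straight from the HTTP request
    "request_host": re.compile(r"\$_(?:GET|POST|REQUEST)\s*\[", re.IGNORECASE),
}


def score_php(source: str) -> dict:
    """Evaluate every rule against one PHP source and decide whether to flag it.

    A file is flagged only when a UDP fsockopen() is combined with a random port
    or a request-controlled host; a fixed-port UDP socket on its own is not.
    """
    hits = {name: bool(rx.search(source)) for name, rx in RULES.items()}
    hits["flagged"] = hits["udp_fsockopen"] and (hits["random_port"] or hits["request_host"])
    return hits


def scan_tree(root: Path) -> list[tuple[Path, dict]]:
    """Walk a web root and return (path, rule hits) for every flagged .php file."""
    findings = []
    for path in root.rglob("*.php"):
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the sweep
        result = score_php(text)
        if result["flagged"]:
            findings.append((path, result))
    return findings


if __name__ == "__main__":
    # Usage: python scan_udp_flood.py /var/www  (defaults to the constructed samples)
    if len(sys.argv) > 1:
        for path, hits in scan_tree(Path(sys.argv[1])):
            print(f"{path}: {', '.join(k for k, v in hits.items() if v and k != 'flagged')}")
    else:
        print("suspicious sample:", score_php(SUSPICIOUS_PHP))
        print("benign sample:    ", score_php(BENIGN_PHP))
```

The two-ingredient rule keeps the noise down: plenty of legitimate PHP opens UDP sockets to syslog or statsd collectors, so the signal is the random destination port or the request-controlled host, not the `udp://` scheme by itself. In a real deployment this belongs alongside a file-integrity baseline of the web root, so that a newly dropped `shell.php` stands out even if its author varies the code.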