So you might have gathered by now that my previous blog post claiming a 'facebook 0day' didn't really work. It was in fact more of an experiment to see who would blindly run obfuscated code. The results were interesting, needless to say.

Before we get cracking, there's a good write-up of what's more or less going on here: https://engineering.social/2015/05/02/sinkholing-script-kiddies/. Props to the author, so I don't have to bother re-explaining things 😛 Now let's see the juicy data!

Over a period of just under two weeks, I got 1189 hits from the 'exploit'. That narrowed down to 273 unique IPs, so we can presumably conclude that each skid ran the code about 4 times on average before giving up!
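To show how numbers like these fall out of a web server access log, here is an added example of mine (not the author's code; the real log files were never published). It assumes the sinkhole URL path is the /i_run_obfuscated_code seen in the single entry quoted later in the post, and the log lines below are constructed to look like that entry. It parses combined-format lines, keeps only requests to the sinkhole path, and computes hits, unique IPs, average hits per IP, referrers, and any message smuggled into the query string:

```python
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Constructed sample lines in Apache/nginx combined log format, modelled on the
# entry quoted later in the post. They are NOT the author's real sinkhole logs.
SAMPLE_LOG = """\
203.0.113.7 - - [01/May/2015:10:02:11 +0100] "GET /i_run_obfuscated_code HTTP/1.1" 200 2022 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64)"
203.0.113.7 - - [01/May/2015:10:02:40 +0100] "GET /i_run_obfuscated_code HTTP/1.1" 200 2022 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64)"
203.0.113.7 - - [01/May/2015:10:05:03 +0100] "GET /i_run_obfuscated_code HTTP/1.1" 200 2022 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64)"
198.51.100.23 - - [03/May/2015:20:13:45 +0100] "GET /i_run_obfuscated_code?YOU%20COULD%20AT%20LEAST%20BUY%20AN%20SSL%20CERT...%20:) HTTP/1.1" 200 2022 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64)"
192.0.2.55 - - [04/May/2015:08:30:00 +0100] "GET /i_run_obfuscated_code HTTP/1.1" 200 2022 "https://mail.social.gov.tn/" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.55 - - [04/May/2015:08:30:01 +0100] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0 (X11; Linux x86_64)"
this line is deliberately malformed and must be skipped
"""

# Assumed sinkhole path, taken from the log entry quoted in the post.
SINKHOLE_PATH = "/i_run_obfuscated_code"

# One combined-format line: ip ident user [timestamp] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one combined-format line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def sinkhole_stats(log_text, sinkhole_path=SINKHOLE_PATH):
    """Count sinkhole hits per source IP and pull out referrers and query-string messages."""
    hits_per_ip = Counter()
    referrers = Counter()
    messages = []
    skipped = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            skipped += 1          # keep a count so broken lines are not silently lost
            continue
        url = urlsplit(rec["path"])
        if url.path != sinkhole_path:
            continue              # favicon, scanners, etc. are not people who ran the code
        hits_per_ip[rec["ip"]] += 1
        if rec["referer"] != "-":
            referrers[rec["referer"]] += 1
        if url.query:
            messages.append(unquote(url.query))   # decode %20 etc. back into text
    hits = sum(hits_per_ip.values())
    unique = len(hits_per_ip)
    return {
        "hits": hits,
        "unique_ips": unique,
        "avg_hits_per_ip": hits / unique if unique else 0.0,
        "top_ips": hits_per_ip.most_common(5),
        "referrers": dict(referrers),
        "messages": messages,
        "skipped_lines": skipped,
    }


if __name__ == "__main__":
    for key, value in sinkhole_stats(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Two caveats when reading the real figures: a unique IP is not a unique person (NAT, shared proxies, or one person trying from home and a VPS), and once the URL is posted on reddit or HackForums, link previewers and crawlers fetch it too, so a raw hit count is an upper bound on the number of humans who actually ran the code.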

Below is a map of all the IPs plotted. Click on it for a more interactive version on my Github:

Honourable Mentions:

Whilst collecting data, I got some interesting referrers, requests, and general feedback from the online community. Here are some ones that stood out:

The mod that obviously ran the code and got butt-hurt:

Full reddit thread HERE

The log entry that made me laugh:

XXX.XXX.XXX.XXX - - [03/May/2015:20:13:45 +0100] "GET /i_run_obfuscated_code?YOU%20COULD%20AT%20LEAST%20BUY%20AN%20SSL%20CERT...%20:) HTTP/1.1" 200 2022 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64)..."

The Strange referrer:

https://mail.social.gov.tn/ (Tunisian Ministry of Social Affairs?)

HackForums; Skiddz trolling skiddz:

http://www.hackforums.net/showthread.php?tid=4813818

This was a fun experiment, and I hope to do more like it in the future. Until then, remember to always know your shit before running any ol’ software or code 😉