<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: Long list of IP addresses attacking a phpBB forum in May 2025</title>
	<atom:link href="http://billauer.se/blog/2025/05/phpbb-attack-bots-ip-addresses/feed/" rel="self" type="application/rss+xml" />
	<link>https://billauer.se/blog/2025/05/phpbb-attack-bots-ip-addresses/</link>
	<description>Anything I found worthy to write down.</description>
	<lastBuildDate>Thu, 26 Mar 2026 13:15:15 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.1.2</generator>
	<item>
		<title>By: SeeM</title>
		<link>https://billauer.se/blog/2025/05/phpbb-attack-bots-ip-addresses/comment-page-1/#comment-1882</link>
		<dc:creator>SeeM</dc:creator>
		<pubDate>Fri, 06 Mar 2026 03:48:03 +0000</pubDate>
		<guid isPermaLink="false">https://billauer.se/blog/?p=7156#comment-1882</guid>
		<description>Hi.

Nice try indeed. (-: Those are likely bots working on datasets for big AI models. They ignore every HTTP status code you throw at them. You can try https://github.com/TecharoHQ/anubis , or https://iocaine.madhouse-project.org/ , which turn the costs of running the botnet back on the botnet itself, rather than on your servers.</description>
		<content:encoded><![CDATA[<p>Hi.</p>
<p>Nice try indeed. (-: Those are likely bots working on datasets for big AI models. They ignore every HTTP status code you throw at them. You can try <a href="https://github.com/TecharoHQ/anubis" rel="nofollow">https://github.com/TecharoHQ/anubis</a> , or <a href="https://iocaine.madhouse-project.org/" rel="nofollow">https://iocaine.madhouse-project.org/</a> , which turn the costs of running the botnet back on the botnet itself, rather than on your servers.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Web Admin 1</title>
		<link>https://billauer.se/blog/2025/05/phpbb-attack-bots-ip-addresses/comment-page-1/#comment-1847</link>
		<dc:creator>Web Admin 1</dc:creator>
		<pubDate>Sun, 03 Aug 2025 17:51:05 +0000</pubDate>
		<guid isPermaLink="false">https://billauer.se/blog/?p=7156#comment-1847</guid>
		<description>Most likely a variant of this botnet:

https://asec.ahnlab.com/en/89083/

About screenshots and UIs:

The screenshots of SVF in the ASEC article depict the Discord-based C2 interface, typical of recent Discord-abusing malware but dissimilar to the classic minimalist CLI/IRC UIs in Mirai and Gafgyt. Graphical or web dashboard control is uncommon in classic botnet code but growing in “commodity” botnet marketing.

Distinctive aspects:

SVF is not a direct clone of any particular existing botnet, but combines traits found in:

- Mirai (infection method, DDoS focus)
- Mozi and XorDDoS (modular Python, Linux/SSH targeting)
- Newer Discord-controlled malware (communication channel and group management)

No attribution to a famous family:

While SVF reuses common attack chains and open-source libraries (like discord.py), it is not explicitly identified as a variant or renamed version of Mirai, Gafgyt, or Mozi in current threat intelligence. The Discord C2 and proxy automation are relatively novel combinations for Linux DDoS botnets as of mid-2025.

Conclusion:

SVF botnet’s architecture and screenshots are most similar to new-generation, modular Linux DDoS botnets (e.g., Mozi, Python-based IRC/Discord bots) but are unique in integrating Discord C2 and proxy-scraping in a Linux brute-force SSH campaign. It does not entirely clone any single previous botnet but instead blends several established techniques into a new package.</description>
		<content:encoded><![CDATA[<p>Most likely a variant of this botnet:</p>
<p><a href="https://asec.ahnlab.com/en/89083/" rel="nofollow">https://asec.ahnlab.com/en/89083/</a></p>
<p>About screenshots and UIs:</p>
<p>The screenshots of SVF in the ASEC article depict the Discord-based C2 interface, typical of recent Discord-abusing malware but dissimilar to the classic minimalist CLI/IRC UIs in Mirai and Gafgyt. Graphical or web dashboard control is uncommon in classic botnet code but growing in “commodity” botnet marketing.</p>
<p>Distinctive aspects:</p>
<p>SVF is not a direct clone of any particular existing botnet, but combines traits found in:</p>
<ul>
<li>Mirai (infection method, DDoS focus)</li>
<li>Mozi and XorDDoS (modular Python, Linux/SSH targeting)</li>
<li>Newer Discord-controlled malware (communication channel and group management)</li>
</ul>
<p>No attribution to a famous family:</p>
<p>While SVF reuses common attack chains and open-source libraries (like discord.py), it is not explicitly identified as a variant or renamed version of Mirai, Gafgyt, or Mozi in current threat intelligence. The Discord C2 and proxy automation are relatively novel combinations for Linux DDoS botnets as of mid-2025.</p>
<p>Conclusion:</p>
<p>SVF botnet’s architecture and screenshots are most similar to new-generation, modular Linux DDoS botnets (e.g., Mozi, Python-based IRC/Discord bots) but are unique in integrating Discord C2 and proxy-scraping in a Linux brute-force SSH campaign. It does not entirely clone any single previous botnet but instead blends several established techniques into a new package.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Santeri</title>
		<link>https://billauer.se/blog/2025/05/phpbb-attack-bots-ip-addresses/comment-page-1/#comment-1839</link>
		<dc:creator>Santeri</dc:creator>
		<pubDate>Mon, 09 Jun 2025 05:35:12 +0000</pubDate>
		<guid isPermaLink="false">https://billauer.se/blog/?p=7156#comment-1839</guid>
		<description>Blocking IPs in the firewall is likely to cause collateral damage and is laborious unless you automate it, in which case it will cause even more collateral damage. As the deny list grows, it will also start slowing the system. My forum is currently getting over 9000 requests per minute, and I found a way to disconnect them all before they reach phpBB and overload the database server.</description>
		<content:encoded><![CDATA[<p>Blocking IPs in the firewall is likely to cause collateral damage and is laborious unless you automate it, in which case it will cause even more collateral damage. As the deny list grows, it will also start slowing the system. My forum is currently getting over 9000 requests per minute, and I found a way to disconnect them all before they reach phpBB and overload the database server.</p>
]]></content:encoded>
	</item>
</channel>
</rss>
