Post AR6os92AP9BQlFj3x2 by r000t@infosec.exchange
 (DIR) Post #AR6mtPZiBuHsRYtOhk by lippard@infosec.exchange
       2022-12-29T19:20:52Z
       
       0 likes, 1 repeats
       
       I own the discord[.]org domain, which I registered a long time ago due to my fondness for Robert Anton Wilson and Robert Shea's Illuminatus! trilogy. A couple of years ago I started getting lots of mis-directed traffic due to the rise in popularity of Discord; I set up some redirection to help people find the right place. Now, since last month I've started getting lots of weird web traffic using Roblox user agents (mainly Windows and Android), which I suspect may also be Discord-related, but I am not sure of the origin--there is no HTTP referrer clue.
       
 (DIR) Post #AR6nRmXbJJnlW7IIls by lippard@infosec.exchange
       2022-12-29T19:22:33Z
       
       0 likes, 0 repeats
       
       Here's what one of these HTTP GET requests looks like: GET /ecooUVw%20Dk}38:%80m%82Q9!hETYA-KsZ6D^/iDFj94bcO`%80uyGk*}ya.58%26H]v4%80!RcYP HTTP/1.1
       
 (DIR) Post #AR6nRnCMrkPZYYMrJY by lippard@infosec.exchange
       2022-12-29T19:25:39Z
       
       0 likes, 0 repeats
       
       I've not found any common characters or sequences in the requests (though I've only eyeballed it, so far), and they come from lots of different IPs, both IPv4 and IPv6. At the moment I'm just blocking the IPs but it's not a great mitigation strategy. There are some that hit repeatedly, others that do it only once or twice. There are also some unusual requests that seem to have recursive URIs embedded in the request repeatedly.
       
 (DIR) Post #AR6nRo6NVVDMMGZacK by r000t@infosec.exchange
       2022-12-29T19:27:43Z
       
       0 likes, 1 repeats
       
       @lippard This sorta reminds me of a problem that mastodon.social was having with FiveM servers (which I believe is a GTA modification that's really, really popular). The code for FiveM was either showing a news feed from, or fetching update data or something similar, from a mastodon.social profile. And literally every player of this popular mod was just slamming Eugene's equipment. I believe he ended up blocking all the requests manually. https://mastodon.social/@Gargron/106512564764833865
       
 (DIR) Post #AR6os92AP9BQlFj3x2 by r000t@infosec.exchange
       2022-12-29T19:22:58Z
       
       1 likes, 0 repeats
       
       @lippard You gotta pull a mikerowesoft... At least throw Mastodon on that domain.
       
 (DIR) Post #AR6wTK2ACsrVjWBVgG by LucasVL@fedi.lucasvl.nl
       2022-12-29T21:12:56.810434Z
       
       0 likes, 0 repeats
       
       @lippard set up a phishing scam and profit