New Zero-Day Vulnerability on the Horizon Again
Eniko Toth

New Zero-Day Vulnerability on the Horizon Again

After the Hello, Peppa!  zero-day botnet, our Attack Vector Miner detected another zero-day vulnerability. 

Some vulnerable websites contain an /ept/out.php file, which can work as an open proxy. Thats why the attacker scans the /ept/out.php file. Lets see an example: 

The number of these attacks started to increase on July 11th, and as we can see in the diagram below, the botnets activity is slowing down now. 

During the peak time, we experienced 15.000 attacks per day and most of them targeted only one of our customers. 

Between June 23rd and July 23rd there were more than 180.000 /ept/out.php scans. More than 80% of them came from the US.  

Heres a pie chart regarding the top five countries where the most /ept/out.php attacks originated from: 

The other attributes of the attacks (e.g., IP, User Agent, etc.) are varied, so its not worth analyzing the logs according to them. 

As you can see, BitNinja is a successful weapon against this zero-day botnet. With  BitNinja Pro, you dont have to worry for even one minute. ;) 

Stay safe our Ninja Fellow! 

Share your ideas with us about this article

Previous posts

New Botnet Has Been Discovered – “Hello, Peppa!”
Our Attack Vector Miner (based on AI) is a very effective tool to identify 0. day attacks. Here comes the first catch! Discovery of a New Botnet At the beginning of July, our Attack Vector Miner created a new cluster, filled with logs about a new type of botnet. We perceived the first incident on 16th June from an Indian IP address ( The first incident of the "Hello Peppa!" botnet Since then, we have detected more than 120.000 attacks of this botnet! The Behaviour of the “Hello, Peppa!” Botnet The specialty of this botnet is that the die ("Hello,...
WordPress hosting and the BitNinja WAF - How to do it right? (Part 3 - The BitNinja safe minimum ruleset)
In the preceding articles, I’ve talked a lot about the BitNinja safe minimum ruleset template and how you should enable it on your “/” location (or on “*/wp-admin/*” if needed) if you’re hosting mainly Wordpress websites. So I’d like to give you a little more explanation about the rules that are part of the safe minimum. There are currently 15 rules from the OWASP Core Ruleset in the BitNinja safe minimum ruleset template, after thorough testing and evaluation. These are part of the following categories: Scanner Detection (1 / 5) Protocol Attack (4 / 10) Local File Inclusion (2 /...