Types of Hosts on a Remote File Inclusion (RFI) Botnet

Web server attacks are increasingly in short time for different purposes, one of the principal vectors of this attacks are RFI and even the automatic way to do this. We suppose that in a botnet involved in RFI attacks, the attackers (host that launch the attack) are web servers compromised since the natural format of the attack and the tool (remote file to include). So we go deeper identified the type of host that is the attacker through a remote analysis based on domain name, content, and dynamic ip addresses.A large botnet involved in RFI attacks was tracked by almost a year and we figure out the behavior and the kind of host are the attackers and the hosters. This track were made by one University web server logs, compared with other sources. The interesting facts founded here are related to the botnet selected to study. This botnet is formed by other kind of hosts, not web servers at all. And the tool used to compromise web server is a very general shell. Other contribution of this work is a methodology for tracking RFI botnets, that could be used in real time or for historical data.