

{"id":49243,"date":"2026-07-09T08:34:50","date_gmt":"2026-07-09T13:34:50","guid":{"rendered":"https:\/\/rud.is\/b\/?p=49243"},"modified":"2026-07-09T08:34:50","modified_gmt":"2026-07-09T13:34:50","slug":"your-logs-contain-a-plea-for-assistance-in-a-packet-bottle-and-you-likely-never-noticed-it","status":"publish","type":"post","link":"https:\/\/rud.is\/b\/2026\/07\/09\/your-logs-contain-a-plea-for-assistance-in-a-packet-bottle-and-you-likely-never-noticed-it\/","title":{"rendered":"Your Logs Contain a Plea for Assistance In a Packet Bottle and You Likely Never Noticed It"},"content":{"rendered":"<h2>HMEFB: Anatomy of a Belarusian Worm<\/h2>\n<p>I found this story because of a <a href=\"https:\/\/infosec.exchange\/@sans_isc\/116887389774852050\">re-post on Mastodon<\/a> by Fritz Adalis regarding a suspicious <code>User-Agent<\/code> by Jason Callahan of SANS&#8217;s ISC. He found something odd in his DShield honeypot logs: a URI path that read <code>\/?_HELP_ME_ESCAPE_FROM_BELARUS_PLEASE_<\/code>. In the User-Agent header, an email address: <code>HelpMeEscapeFromBelarus@proton.me<\/code>.<\/p>\n<p>The SANS diary \u2014 <a href=\"https:\/\/isc.sans.edu\/diary\/33130\">isc.sans.edu\/diary\/33130<\/a> \u2014 laid out what Callahan found: around a dozen HTTP requests over a two-month period, from IPs scattered globally with no discernible pattern \u2014 pointing to a self-propagating bot rather than a single attacker. A Reddit thread on r\/selfhosted described the same requests hitting a Traefik reverse proxy. Someone in that thread emailed the address in the User-Agent and got a reply pointing to a page on a free web hosting service.<\/p>\n<p>I and Glenn Thorpe run a small fleet of honeypots in our scant spare time. After reading the SANS diary I pulled a PCAP of similar sessions our of our collector and started picking it apart. This contents of this post is what I found.<\/p>\n<p><a href=\"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2026\/07\/hmefb-arc-copy-scaled.png?ssl=1\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" data-attachment-id=\"49254\" data-permalink=\"https:\/\/rud.is\/b\/2026\/07\/09\/your-logs-contain-a-plea-for-assistance-in-a-packet-bottle-and-you-likely-never-noticed-it\/hmefb-arc-copy\/\" data-orig-file=\"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2026\/07\/hmefb-arc-copy-scaled.png?fit=2560%2C743&amp;ssl=1\" data-orig-size=\"2560,743\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;,&quot;alt&quot;:&quot;&quot;}\" data-image-title=\"hmefb-arc copy\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2026\/07\/hmefb-arc-copy-scaled.png?fit=510%2C148&amp;ssl=1\" src=\"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2026\/07\/hmefb-arc-copy-scaled.png?resize=510%2C148&#038;ssl=1\" alt=\"\" width=\"510\" height=\"148\" class=\"aligncenter size-full wp-image-49254\" srcset=\"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2026\/07\/hmefb-arc-copy-scaled.png?w=2560&amp;ssl=1 2560w, https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2026\/07\/hmefb-arc-copy-scaled.png?resize=300%2C87&amp;ssl=1 300w, https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2026\/07\/hmefb-arc-copy-scaled.png?resize=530%2C154&amp;ssl=1 530w, https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2026\/07\/hmefb-arc-copy-scaled.png?resize=150%2C44&amp;ssl=1 150w, https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2026\/07\/hmefb-arc-copy-scaled.png?resize=768%2C223&amp;ssl=1 768w, https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2026\/07\/hmefb-arc-copy-scaled.png?resize=1536%2C446&amp;ssl=1 1536w, https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2026\/07\/hmefb-arc-copy-scaled.png?resize=2048%2C594&amp;ssl=1 2048w, https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2026\/07\/hmefb-arc-copy-scaled.png?w=1020&amp;ssl=1 1020w\" sizes=\"auto, (max-width: 510px) 100vw, 510px\" \/><\/a><\/p>\n<h3>Following the link<\/h3>\n<p>The page that Reddit user got pointed to (it&#8217;s also in one of the user agent strings) is <code>hmefb.fwh.is\/?i=1<\/code>, titled &#8220;HMEFB \/\/ PROJECT_ROOT&#8221;. It&#8217;s a manifesto from someone named Alex, a 27-year-old engineer living in Belarus. Full text is at that URL (NOTE: some &#8220;security&#8221; products flag it as unsafe). Here&#8217;s the skinny on it.<\/p>\n<p>Alex describes a self-propagating worm that scans random IP addresses for open HTTP and SSH ports. On HTTP:<\/p>\n<blockquote><p>\n  It scans random IP addresses for open HTTP ports (TCP 80, 8000, 8080, etc.) and SSH ports (TCP 22, 2222). If it finds an open HTTP port, it simply sends a request to the server using a random method (GET, CONNECT, or HEAD).\n<\/p><\/blockquote>\n<p>On SSH:<\/p>\n<blockquote><p>\n  If it finds an open SSH port, it begins a password brute-force attack, but only using default combinations like <code>admin:admin<\/code>, <code>root:root<\/code>, or <code>support:support<\/code>. No exploits, no other malicious actions.\n<\/p><\/blockquote>\n<p>He&#8217;s explicit about the lifecycle:<\/p>\n<blockquote><p>\n  The bot is also fully autonomous \u2013 it doesn&#8217;t connect to a command-and-control server and runs entirely on its own. It only reports discovered IP and login:password pairs back to a loader. Additionally, the bot has a built-in timer: six months after it starts, it self-terminates. If your device has become part of this network of spreader bots, simply reboot it (in theory, at least). The bot doesn&#8217;t establish persistence on the system and usually runs from \/tmp.\n<\/p><\/blockquote>\n<p>Alex isn&#8217;t crafting a CVE writeup. He appears to be trying to leave Belarus. He frames the worm as a project, attempts transparency about its harm, and explicitly invites contact:<\/p>\n<blockquote><p>\n  I am not interested in funding or sponsorship in any form. Please view this as a highly specific performance piece \u2013 one without parallels, as far as I&#8217;ve been able to find.\n<\/p><\/blockquote>\n<p>He also notes he&#8217;ll be cut off from the internet starting May 19, 2026. Keep that date in mind.<\/p>\n<p>The SANS diary takes a skeptical stance on all of this, and rightly so:<\/p>\n<blockquote><p>\n  Sob stories and appeals to sympathy are also a known social-engineering lever, and a URI designed to make analysts pause and read a web page rather than immediately blocklist an IP is an effective way to buy a scanner some goodwill.\n<\/p><\/blockquote>\n<p>Callahan&#8217;s conclusion: &#8220;treat it as an untrusted, credential-guessing scanner.&#8221; Fair. But the PCAP tells a more interesting story than either the manifesto or the SANS diary alone.<\/p>\n<h3>The capture<\/h3>\n<p>Over roughly forty days \u2014 May 10 through June 19, 2026 \u2014 our tiny fleet received the kind of probe Alex describes. The capture file I extracted has 2,167 packets, 318 KB, all TCP\/IP, all HTTP, no TLS.<\/p>\n<p>A quick protocol hierarchy check via <code>tshark<\/code> (the Wireshark command-line packet analyzer):<\/p>\n<pre><code>$ tshark -r belarus-sessions.PCAP -q -z io,phs\n===================================================================\nProtocol Hierarchy Statistics\nFilter:\n\nframe                                    frames:2167 bytes:284118\n  eth                                    frames:2167 bytes:284118\n    ip                                   frames:2167 bytes:284118\n      tcp                                frames:2167 bytes:284118\n        http                             frames: 406 bytes:147498\n          data-text-lines                frames: 162 bytes: 84270\n===================================================================\n<\/code><\/pre>\n<p>I focused on the HTTP requests since they&#8217;re easier to find, though I did confirm there were SSH shenanigans going on in the same time frame. The HTTP  number around 205, using two distinct User-Agent strings; the remaining packets are TCP handshakes, ACKs, and response payloads.<\/p>\n<p>Forty days, small packet count. That&#8217;s consistent with the worm&#8217;s described behavior: one request per open port, then move on. Not a high-volume scanner.<\/p>\n<h3>Two user-agent variants, two distinct campaigns<\/h3>\n<p>The HTTP requests split into two distinct populations based on <code>User-Agent<\/code>. The original variant \u2013 159 requests:<\/p>\n<pre><code>Wget\/1.21.4 (HelpMeEscapeFromBelarus@proton.me)\n<\/code><\/pre>\n<p>The extended variant \u2013 46 requests:<\/p>\n<pre><code>Wget\/1.21.4 ( https:\/\/hmefb.fwh.is | HelpMeEscapeFromBelarus@proton.me)\n<\/code><\/pre>\n<p>The two variants targeted different sets of ports and came from different kinds of infrastructure. That&#8217;s where it gets interesting.<\/p>\n<h3>Different ports, different responses<\/h3>\n<p>The 159 requests with the original User-Agent targeted ports 80, 81, 8000, and 8080 \u2013 exactly the ports Alex names in his description. The 46 requests with the extended User-Agent targeted a different set entirely: 82, 8002, 8088, 8090, 9000, and 9090.<\/p>\n<p>The extended User-Agent variant and non-standard port probing overlapped exactly. Both came exclusively from TOR exit nodes. Both stopped May 17, 2026.<\/p>\n<h3>The TOR exit node revelation<\/h3>\n<p>Of the 44 unique source IPs in the PCAP, 31 are listed on the TOR exit node list. TOR \u2013 The Onion Router \u2013 anonymizes traffic by bouncing it through multiple volunteer-operated relays before it exits to the public internet; the destination sees the exit node&#8217;s IP rather than the original requester&#8217;s. Seventy percent of the source IPs in this capture are exit nodes.<\/p>\n<p>Cross-referenced against geolocation and ASN data, the TOR exit ranges break down as:<\/p>\n<table>\n<thead>\n<tr>\n<th>TOR exit operator<\/th>\n<th align=\"right\">ASN<\/th>\n<th align=\"right\">Country<\/th>\n<th align=\"right\">Source IPs in PCAP<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Church of Cyberology<\/td>\n<td align=\"right\">AS215125<\/td>\n<td align=\"right\">NL<\/td>\n<td align=\"right\">19<\/td>\n<\/tr>\n<tr>\n<td>Stiftung Erneuerbare Freiheit<\/td>\n<td align=\"right\">AS60729<\/td>\n<td align=\"right\">DE<\/td>\n<td align=\"right\">6<\/td>\n<\/tr>\n<tr>\n<td>QuxLabs AB (R0cket Cloud)<\/td>\n<td align=\"right\">AS214503<\/td>\n<td align=\"right\">SW<\/td>\n<td align=\"right\">4<\/td>\n<\/tr>\n<tr>\n<td>The Infrastructure Group B.V.<\/td>\n<td align=\"right\">AS60404<\/td>\n<td align=\"right\">NL<\/td>\n<td align=\"right\">1<\/td>\n<\/tr>\n<tr>\n<td>AON<\/td>\n<td align=\"right\">AS214094<\/td>\n<td align=\"right\">IT<\/td>\n<td align=\"right\">1<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>&nbsp;<\/p>\n<p>All 31 TOR exit IPs used the extended <code>hmefb.fwh.is<\/code> User-Agent variant. None of the non-TOR sources did. That&#8217;s a deliberate OPSEC choice. Whoever ran those TOR-routed probes wanted them identifiable as a separate campaign \u2013 wanted the URL traced back to HMEFB.<\/p>\n<h2>The compromised hosts<\/h2>\n<p>The remaining 13 source IPs do not appear to be TOR exit nodes. They&#8217;re a mix residential ISPs and VPS providers across several continents:<\/p>\n<table>\n<thead>\n<tr>\n<th>ISP<\/th>\n<th align=\"right\">Country<\/th>\n<th align=\"right\">Packets<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>R L A World Net LTDA<\/td>\n<td align=\"right\">BR<\/td>\n<td align=\"right\">24<\/td>\n<\/tr>\n<tr>\n<td>INPL&#8217;s<\/td>\n<td align=\"right\">IN<\/td>\n<td align=\"right\">22<\/td>\n<\/tr>\n<tr>\n<td>BSNL Internet<\/td>\n<td align=\"right\">IN<\/td>\n<td align=\"right\">12<\/td>\n<\/tr>\n<tr>\n<td>Bredband2 Stockholms Stadsnaet AB<\/td>\n<td align=\"right\">SW<\/td>\n<td align=\"right\">12<\/td>\n<\/tr>\n<tr>\n<td>China Unicom CHINA169 Jiangsu Province<\/td>\n<td align=\"right\">CN<\/td>\n<td align=\"right\">12<\/td>\n<\/tr>\n<tr>\n<td>Chinanet<\/td>\n<td align=\"right\">CN<\/td>\n<td align=\"right\">12<\/td>\n<\/tr>\n<tr>\n<td>Cox Communications Inc.<\/td>\n<td align=\"right\">US<\/td>\n<td align=\"right\">12<\/td>\n<\/tr>\n<tr>\n<td>Interlink Comunicatii SRL<\/td>\n<td align=\"right\">MD<\/td>\n<td align=\"right\">12<\/td>\n<\/tr>\n<tr>\n<td>TELUS Communications Inc<\/td>\n<td align=\"right\">CA<\/td>\n<td align=\"right\">12<\/td>\n<\/tr>\n<tr>\n<td>TOT Public Company Limited<\/td>\n<td align=\"right\">TH<\/td>\n<td align=\"right\">12<\/td>\n<\/tr>\n<tr>\n<td>Charter Communications<\/td>\n<td align=\"right\">US<\/td>\n<td align=\"right\">10<\/td>\n<\/tr>\n<tr>\n<td>CNC Group CHINA169 Shan1xi Province<\/td>\n<td align=\"right\">CN<\/td>\n<td align=\"right\">6<\/td>\n<\/tr>\n<tr>\n<td>StarHub Cable Vision Ltd<\/td>\n<td align=\"right\">SG<\/td>\n<td align=\"right\">1<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>(Counts are packets per ISP, reflecting scan volume from that operator&#8217;s range.)<\/p>\n<p>These are the worm&#8217;s actual victims \u2013 exactly the kinds of hosts a low-and-slow self-propagating scanner lands on: routers, IoT devices, VPS instances, home networks running default SSH credentials. The IPs come from cable and fiber residential ranges or small-business ISP blocks (not Hetzner, DigitalOcean, AWS, etc.). The worm is living on consumer gear.<\/p>\n<p>Alex confirms this reading:<\/p>\n<blockquote><p>\n  That line in your logs is the work of a bot. It&#8217;s harmless by design but operates like a worm.\n<\/p><\/blockquote>\n<h3>The timeline<\/h3>\n<p>The PCAP&#8217;s burst of TOR-routed probing lines up precisely with Alex&#8217;s note on the HMEFB page:<\/p>\n<blockquote><p>\n  Also, starting from the 19th, I will be cut off from the outside world and likely unable to follow how the situation unfolds or respond to messages.\n<\/p><\/blockquote>\n<p>The TOR-routed probes stopped May 17, 2026 \u2013 two days before the date he named. Whatever was happening through TOR, it stopped on schedule.<\/p>\n<p>The SANS ISC diary notes the bot was first reported to ISC in May 2026, with reports peaking shortly after the first sighting before a sharp drop \u2014 consistent with what the PCAP shows.<\/p>\n<h3>What the worm is, and what it isn&#8217;t<\/h3>\n<p>Callahan&#8217;s SANS diary concludes: &#8220;treat it as an untrusted, credential-guessing scanner.&#8221; That&#8217;s the right defensive posture. The HMEFB worm isn&#8217;t malware in the conventional sense \u2013 it&#8217;s a network scanner that propagates itself, runs from <code>\/tmp<\/code>, persists for six months at most, and only attempts default SSH credentials. It doesn&#8217;t exploit anything. The only data it reports back to a loader is IP plus credential pairs \u2013 not exfiltrated files, not session tokens.<\/p>\n<p>But &#8220;not malware in the conventional sense&#8221; doesn&#8217;t mean harmless. Self-propagating scanners consume bandwidth, hammer SSH daemons with failed login attempts, and embed themselves on devices that already have weak security postures. If you find it on a host you operate: kill the process, rotate any default SSH credentials, and audit whether port 22 actually needs to be publicly exposed. Rebooting (in theory) clears it \u2013 the manifesto says so, and the PCAP and SSH session behavior appears consistent with that claim. But, you never can tell with bees.<\/p>\n<p>What the PCAP adds to the picture is the two-campaign structure. The worm spreading on compromised consumer gear across a dozen countries is one thing. A separate, deliberate set of probes routed through TOR exit nodes, using an extended User-Agent that points back to a named URL, hitting non-standard ports on honeypots \u2014 that&#8217;s a different kind of operation. Someone running probes through TOR and signing them with a link to their manifesto wanted those probes found and read.<\/p>\n<p>The SANS diary understandably focuses on the defensive posture. The PCAP shows you can do both: block the scanner, clean the compromised hosts, and still recognize that someone out there is using a worm as a job application.<\/p>\n<p>The <code>hmefb.fwh.is<\/code> page closes with:<\/p>\n<blockquote><p>\n  Thank you for reading this rambling monologue. I hope I haven&#8217;t caused you any inconvenience.<\/p>\n<p>  <a href=\"mailto:HelpMeEscapeFromBelarus@proton.me\">&#91; Send A Message &#93;<\/a>\n<\/p><\/blockquote>\n","protected":false},"excerpt":{"rendered":"<p>HMEFB: Anatomy of a Belarusian Worm I found this story because of a re-post on Mastodon by Fritz Adalis regarding a suspicious User-Agent by Jason Callahan of SANS&#8217;s ISC. He found something odd in his DShield honeypot logs: a URI path that read \/?_HELP_ME_ESCAPE_FROM_BELARUS_PLEASE_. In the User-Agent header, an email address: HelpMeEscapeFromBelarus@proton.me. The SANS diary [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_feature_clip_id":0,"_jetpack_memberships_contains_paid_content":false,"activitypub_content_warning":"","activitypub_content_visibility":"","activitypub_max_image_attachments":3,"activitypub_interaction_policy_quote":"anyone","activitypub_status":"federated","footnotes":"","jetpack_post_was_ever_published":false},"categories":[681,709,3,798],"tags":[],"class_list":["post-49243","post","type-post","status-publish","format-standard","hentry","category-cybersecurity","category-data-driven-security","category-information-security","category-pcap"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v28.0 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Your Logs Contain a Plea for Assistance In a Packet Bottle and You Likely Never Noticed It - rud.is<\/title>\n<meta name=\"description\" content=\"PCAP forensics of the HMEFB worm: a self-propagating scanner with a Belarusian engineer&#039;s escape plea embedded in HTTP requests.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/rud.is\/b\/2026\/07\/09\/your-logs-contain-a-plea-for-assistance-in-a-packet-bottle-and-you-likely-never-noticed-it\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Your Logs Contain a Plea for Assistance In a Packet Bottle and You Likely Never Noticed It - rud.is\" \/>\n<meta property=\"og:description\" content=\"PCAP forensics of the HMEFB worm: a self-propagating scanner with a Belarusian engineer&#039;s escape plea embedded in HTTP requests.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/rud.is\/b\/2026\/07\/09\/your-logs-contain-a-plea-for-assistance-in-a-packet-bottle-and-you-likely-never-noticed-it\/\" \/>\n<meta property=\"og:site_name\" content=\"rud.is\" \/>\n<meta property=\"article:published_time\" content=\"2026-07-09T13:34:50+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/rud.is\/b\/wp-content\/uploads\/2026\/07\/hmefb-arc-copy-scaled.png\" \/>\n<meta name=\"author\" content=\"hrbrmstr\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"hrbrmstr\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/2026\\\/07\\\/09\\\/your-logs-contain-a-plea-for-assistance-in-a-packet-bottle-and-you-likely-never-noticed-it\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/2026\\\/07\\\/09\\\/your-logs-contain-a-plea-for-assistance-in-a-packet-bottle-and-you-likely-never-noticed-it\\\/\"},\"author\":{\"name\":\"hrbrmstr\",\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/#\\\/schema\\\/person\\\/d7cb7487ab0527447f7fda5c423ff886\"},\"headline\":\"Your Logs Contain a Plea for Assistance In a Packet Bottle and You Likely Never Noticed It\",\"datePublished\":\"2026-07-09T13:34:50+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/2026\\\/07\\\/09\\\/your-logs-contain-a-plea-for-assistance-in-a-packet-bottle-and-you-likely-never-noticed-it\\\/\"},\"wordCount\":1548,\"commentCount\":2,\"publisher\":{\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/#\\\/schema\\\/person\\\/d7cb7487ab0527447f7fda5c423ff886\"},\"image\":{\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/2026\\\/07\\\/09\\\/your-logs-contain-a-plea-for-assistance-in-a-packet-bottle-and-you-likely-never-noticed-it\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/rud.is\\\/b\\\/wp-content\\\/uploads\\\/2026\\\/07\\\/hmefb-arc-copy-scaled.png\",\"articleSection\":[\"Cybersecurity\",\"data driven security\",\"Information Security\",\"pcap\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/rud.is\\\/b\\\/2026\\\/07\\\/09\\\/your-logs-contain-a-plea-for-assistance-in-a-packet-bottle-and-you-likely-never-noticed-it\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/2026\\\/07\\\/09\\\/your-logs-contain-a-plea-for-assistance-in-a-packet-bottle-and-you-likely-never-noticed-it\\\/\",\"url\":\"https:\\\/\\\/rud.is\\\/b\\\/2026\\\/07\\\/09\\\/your-logs-contain-a-plea-for-assistance-in-a-packet-bottle-and-you-likely-never-noticed-it\\\/\",\"name\":\"Your Logs Contain a Plea for Assistance In a Packet Bottle and You Likely Never Noticed It - rud.is\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/2026\\\/07\\\/09\\\/your-logs-contain-a-plea-for-assistance-in-a-packet-bottle-and-you-likely-never-noticed-it\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/2026\\\/07\\\/09\\\/your-logs-contain-a-plea-for-assistance-in-a-packet-bottle-and-you-likely-never-noticed-it\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/rud.is\\\/b\\\/wp-content\\\/uploads\\\/2026\\\/07\\\/hmefb-arc-copy-scaled.png\",\"datePublished\":\"2026-07-09T13:34:50+00:00\",\"description\":\"PCAP forensics of the HMEFB worm: a self-propagating scanner with a Belarusian engineer's escape plea embedded in HTTP requests.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/2026\\\/07\\\/09\\\/your-logs-contain-a-plea-for-assistance-in-a-packet-bottle-and-you-likely-never-noticed-it\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/rud.is\\\/b\\\/2026\\\/07\\\/09\\\/your-logs-contain-a-plea-for-assistance-in-a-packet-bottle-and-you-likely-never-noticed-it\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/2026\\\/07\\\/09\\\/your-logs-contain-a-plea-for-assistance-in-a-packet-bottle-and-you-likely-never-noticed-it\\\/#primaryimage\",\"url\":\"https:\\\/\\\/i0.wp.com\\\/rud.is\\\/b\\\/wp-content\\\/uploads\\\/2026\\\/07\\\/hmefb-arc-copy-scaled.png?fit=2560%2C743&ssl=1\",\"contentUrl\":\"https:\\\/\\\/i0.wp.com\\\/rud.is\\\/b\\\/wp-content\\\/uploads\\\/2026\\\/07\\\/hmefb-arc-copy-scaled.png?fit=2560%2C743&ssl=1\",\"width\":2560,\"height\":743},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/2026\\\/07\\\/09\\\/your-logs-contain-a-plea-for-assistance-in-a-packet-bottle-and-you-likely-never-noticed-it\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/rud.is\\\/b\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Your Logs Contain a Plea for Assistance In a Packet Bottle and You Likely Never Noticed It\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/#website\",\"url\":\"https:\\\/\\\/rud.is\\\/b\\\/\",\"name\":\"rud.is\",\"description\":\"&quot;In God we trust. All others must bring data&quot;\",\"publisher\":{\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/#\\\/schema\\\/person\\\/d7cb7487ab0527447f7fda5c423ff886\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/rud.is\\\/b\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/#\\\/schema\\\/person\\\/d7cb7487ab0527447f7fda5c423ff886\",\"name\":\"hrbrmstr\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/i0.wp.com\\\/rud.is\\\/b\\\/wp-content\\\/uploads\\\/2023\\\/10\\\/ukr-shield.png?fit=460%2C460&ssl=1\",\"url\":\"https:\\\/\\\/i0.wp.com\\\/rud.is\\\/b\\\/wp-content\\\/uploads\\\/2023\\\/10\\\/ukr-shield.png?fit=460%2C460&ssl=1\",\"contentUrl\":\"https:\\\/\\\/i0.wp.com\\\/rud.is\\\/b\\\/wp-content\\\/uploads\\\/2023\\\/10\\\/ukr-shield.png?fit=460%2C460&ssl=1\",\"width\":460,\"height\":460,\"caption\":\"hrbrmstr\"},\"logo\":{\"@id\":\"https:\\\/\\\/i0.wp.com\\\/rud.is\\\/b\\\/wp-content\\\/uploads\\\/2023\\\/10\\\/ukr-shield.png?fit=460%2C460&ssl=1\"},\"description\":\"Don't look at me\u2026I do what he does \u2014 just slower. #rstats avuncular \u2022 ?Resistance Fighter \u2022 Cook \u2022 Christian \u2022 [Master] Chef des Donn\u00e9es de S\u00e9curit\u00e9 @ @rapid7\",\"sameAs\":[\"http:\\\/\\\/rud.is\"],\"url\":\"https:\\\/\\\/rud.is\\\/b\\\/author\\\/hrbrmstr\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Your Logs Contain a Plea for Assistance In a Packet Bottle and You Likely Never Noticed It - rud.is","description":"PCAP forensics of the HMEFB worm: a self-propagating scanner with a Belarusian engineer's escape plea embedded in HTTP requests.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/rud.is\/b\/2026\/07\/09\/your-logs-contain-a-plea-for-assistance-in-a-packet-bottle-and-you-likely-never-noticed-it\/","og_locale":"en_US","og_type":"article","og_title":"Your Logs Contain a Plea for Assistance In a Packet Bottle and You Likely Never Noticed It - rud.is","og_description":"PCAP forensics of the HMEFB worm: a self-propagating scanner with a Belarusian engineer's escape plea embedded in HTTP requests.","og_url":"https:\/\/rud.is\/b\/2026\/07\/09\/your-logs-contain-a-plea-for-assistance-in-a-packet-bottle-and-you-likely-never-noticed-it\/","og_site_name":"rud.is","article_published_time":"2026-07-09T13:34:50+00:00","og_image":[{"url":"https:\/\/rud.is\/b\/wp-content\/uploads\/2026\/07\/hmefb-arc-copy-scaled.png","type":"","width":"","height":""}],"author":"hrbrmstr","twitter_card":"summary_large_image","twitter_misc":{"Written by":"hrbrmstr"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/rud.is\/b\/2026\/07\/09\/your-logs-contain-a-plea-for-assistance-in-a-packet-bottle-and-you-likely-never-noticed-it\/#article","isPartOf":{"@id":"https:\/\/rud.is\/b\/2026\/07\/09\/your-logs-contain-a-plea-for-assistance-in-a-packet-bottle-and-you-likely-never-noticed-it\/"},"author":{"name":"hrbrmstr","@id":"https:\/\/rud.is\/b\/#\/schema\/person\/d7cb7487ab0527447f7fda5c423ff886"},"headline":"Your Logs Contain a Plea for Assistance In a Packet Bottle and You Likely Never Noticed It","datePublished":"2026-07-09T13:34:50+00:00","mainEntityOfPage":{"@id":"https:\/\/rud.is\/b\/2026\/07\/09\/your-logs-contain-a-plea-for-assistance-in-a-packet-bottle-and-you-likely-never-noticed-it\/"},"wordCount":1548,"commentCount":2,"publisher":{"@id":"https:\/\/rud.is\/b\/#\/schema\/person\/d7cb7487ab0527447f7fda5c423ff886"},"image":{"@id":"https:\/\/rud.is\/b\/2026\/07\/09\/your-logs-contain-a-plea-for-assistance-in-a-packet-bottle-and-you-likely-never-noticed-it\/#primaryimage"},"thumbnailUrl":"https:\/\/rud.is\/b\/wp-content\/uploads\/2026\/07\/hmefb-arc-copy-scaled.png","articleSection":["Cybersecurity","data driven security","Information Security","pcap"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/rud.is\/b\/2026\/07\/09\/your-logs-contain-a-plea-for-assistance-in-a-packet-bottle-and-you-likely-never-noticed-it\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/rud.is\/b\/2026\/07\/09\/your-logs-contain-a-plea-for-assistance-in-a-packet-bottle-and-you-likely-never-noticed-it\/","url":"https:\/\/rud.is\/b\/2026\/07\/09\/your-logs-contain-a-plea-for-assistance-in-a-packet-bottle-and-you-likely-never-noticed-it\/","name":"Your Logs Contain a Plea for Assistance In a Packet Bottle and You Likely Never Noticed It - rud.is","isPartOf":{"@id":"https:\/\/rud.is\/b\/#website"},"primaryImageOfPage":{"@id":"https:\/\/rud.is\/b\/2026\/07\/09\/your-logs-contain-a-plea-for-assistance-in-a-packet-bottle-and-you-likely-never-noticed-it\/#primaryimage"},"image":{"@id":"https:\/\/rud.is\/b\/2026\/07\/09\/your-logs-contain-a-plea-for-assistance-in-a-packet-bottle-and-you-likely-never-noticed-it\/#primaryimage"},"thumbnailUrl":"https:\/\/rud.is\/b\/wp-content\/uploads\/2026\/07\/hmefb-arc-copy-scaled.png","datePublished":"2026-07-09T13:34:50+00:00","description":"PCAP forensics of the HMEFB worm: a self-propagating scanner with a Belarusian engineer's escape plea embedded in HTTP requests.","breadcrumb":{"@id":"https:\/\/rud.is\/b\/2026\/07\/09\/your-logs-contain-a-plea-for-assistance-in-a-packet-bottle-and-you-likely-never-noticed-it\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/rud.is\/b\/2026\/07\/09\/your-logs-contain-a-plea-for-assistance-in-a-packet-bottle-and-you-likely-never-noticed-it\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/rud.is\/b\/2026\/07\/09\/your-logs-contain-a-plea-for-assistance-in-a-packet-bottle-and-you-likely-never-noticed-it\/#primaryimage","url":"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2026\/07\/hmefb-arc-copy-scaled.png?fit=2560%2C743&ssl=1","contentUrl":"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2026\/07\/hmefb-arc-copy-scaled.png?fit=2560%2C743&ssl=1","width":2560,"height":743},{"@type":"BreadcrumbList","@id":"https:\/\/rud.is\/b\/2026\/07\/09\/your-logs-contain-a-plea-for-assistance-in-a-packet-bottle-and-you-likely-never-noticed-it\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/rud.is\/b\/"},{"@type":"ListItem","position":2,"name":"Your Logs Contain a Plea for Assistance In a Packet Bottle and You Likely Never Noticed It"}]},{"@type":"WebSite","@id":"https:\/\/rud.is\/b\/#website","url":"https:\/\/rud.is\/b\/","name":"rud.is","description":"&quot;In God we trust. All others must bring data&quot;","publisher":{"@id":"https:\/\/rud.is\/b\/#\/schema\/person\/d7cb7487ab0527447f7fda5c423ff886"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/rud.is\/b\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":["Person","Organization"],"@id":"https:\/\/rud.is\/b\/#\/schema\/person\/d7cb7487ab0527447f7fda5c423ff886","name":"hrbrmstr","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2023\/10\/ukr-shield.png?fit=460%2C460&ssl=1","url":"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2023\/10\/ukr-shield.png?fit=460%2C460&ssl=1","contentUrl":"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2023\/10\/ukr-shield.png?fit=460%2C460&ssl=1","width":460,"height":460,"caption":"hrbrmstr"},"logo":{"@id":"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2023\/10\/ukr-shield.png?fit=460%2C460&ssl=1"},"description":"Don't look at me\u2026I do what he does \u2014 just slower. #rstats avuncular \u2022 ?Resistance Fighter \u2022 Cook \u2022 Christian \u2022 [Master] Chef des Donn\u00e9es de S\u00e9curit\u00e9 @ @rapid7","sameAs":["http:\/\/rud.is"],"url":"https:\/\/rud.is\/b\/author\/hrbrmstr\/"}]}},"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/p23idr-cOf","jetpack_likes_enabled":true,"jetpack-related-posts":[{"id":600,"url":"https:\/\/rud.is\/b\/2011\/06\/14\/what-can-we-learn-from-the-lulzsec-senate-gov-hack-dump\/","url_meta":{"origin":49243,"position":0},"title":"What Can We Learn From The @lulzsec senate.gov Hack Dump?","author":"hrbrmstr","date":"2011-06-14","format":false,"excerpt":"What can the @lulzsec senate.gov dump tell us about how the admins maintained their system\/site? [code light=\"true\"]SunOS a-ess-wwwi 5.10 Generic_139555-08 sun4u sparc SUNW,SPARC-Enterprise[\/code] means they haven't kept up with OS patches. [-1 patch management] [code light=\"true\"]celerra:\/wwwdata 985G 609G 376G 62% \/net\/celerra\/wwwdata[\/code] tells us they use EMC NAS kit for web\u2026","rel":"","context":"In &quot;Breach&quot;","block_context":{"text":"Breach","link":"https:\/\/rud.is\/b\/category\/breach\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":12056,"url":"https:\/\/rud.is\/b\/2019\/03\/04\/ip-user-agent-and-referrer-tracking-disabled-on-cinc-rud-is-and-git-rud-is\/","url_meta":{"origin":49243,"position":1},"title":"IP, User Agent, and Referrer Tracking Disabled on cinc.rud.is and git.rud.is","author":"hrbrmstr","date":"2019-03-04","format":false,"excerpt":"Not flagging this with an \"R\" tag since I don't want to spam R-bloggers but I mentioned here that I'd be disabling logging on https:\/\/cinc.rud.is and https:\/\/git.rud.is and I wanted to follow up on that with an addendum that I've opted to disable user\/system tracking in the access logs of\u2026","rel":"","context":"In &quot;Site News&quot;","block_context":{"text":"Site News","link":"https:\/\/rud.is\/b\/category\/site-news\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":5929,"url":"https:\/\/rud.is\/b\/2017\/05\/08\/travis-ci-flaw-exposed-some-secure-environment-variable-contents\/","url_meta":{"origin":49243,"position":2},"title":"Travis-CI Flaw Exposed Some &#8216;Secure&#8217; Environment Variable Contents","author":"hrbrmstr","date":"2017-05-08","format":false,"excerpt":"Tagging this as #rstats-related since many R coders use Travis-CI to automate package builds (and other things). Security researcher Ivan Vyshnevskyi did some ++gd responsible disclosure to the Travis-CI folks letting them know they were leaking the contents of \"secure\" environment variables in the build logs. The TL;DR on \"secure\"\u2026","rel":"","context":"In &quot;Information Security&quot;","block_context":{"text":"Information Security","link":"https:\/\/rud.is\/b\/category\/information-security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":129,"url":"https:\/\/rud.is\/b\/2011\/02\/14\/metricon-name-server-log-data\/","url_meta":{"origin":49243,"position":3},"title":"Metricon: Name Server Log Data","author":"hrbrmstr","date":"2011-02-14","format":false,"excerpt":"Speakers: Fruhwirth, Proschinger, Lendl, Savola \"On the use of name server log data as input for security measurements\" \u00a0 CERT.at ERT coordinate sec efforts & inc resp for IT sec prblms on a national level in Austria constituted of IT company security teams and local CERTs \u00a0 Why name server\u2026","rel":"","context":"In &quot;Information Security&quot;","block_context":{"text":"Information Security","link":"https:\/\/rud.is\/b\/category\/information-security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":12977,"url":"https:\/\/rud.is\/b\/2021\/03\/01\/brimming-with-possibilities-query-zqd-mine-logs-with-zq-from-r\/","url_meta":{"origin":49243,"position":4},"title":"Brimming With Possibilities: Query zqd &#038; Mine Logs with zq from R","author":"hrbrmstr","date":"2021-03-01","format":false,"excerpt":"Brim Security maintains a free, Electron-based desktop GUI for exploration of PCAPs and select cybersecurity logs: along with a broad ecosystem of tools which can be used independently of the GUI. The standalone or embedded zqd server, as well as the zq command line utility let analysts run ZQL (a\u2026","rel":"","context":"In &quot;Cybersecurity&quot;","block_context":{"text":"Cybersecurity","link":"https:\/\/rud.is\/b\/category\/cybersecurity\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2021\/03\/brimr-graph.png?fit=1200%2C667&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2021\/03\/brimr-graph.png?fit=1200%2C667&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2021\/03\/brimr-graph.png?fit=1200%2C667&ssl=1&resize=525%2C300 1.5x, https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2021\/03\/brimr-graph.png?fit=1200%2C667&ssl=1&resize=700%2C400 2x, https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2021\/03\/brimr-graph.png?fit=1200%2C667&ssl=1&resize=1050%2C600 3x"},"classes":[]},{"id":11403,"url":"https:\/\/rud.is\/b\/2018\/08\/17\/in-brief-using-bro-connection-logs-with-apache-drill\/","url_meta":{"origin":49243,"position":5},"title":"In-brief: Using Bro connection logs with Apache Drill","author":"hrbrmstr","date":"2018-08-17","format":false,"excerpt":"If you've got a directory full of Bro NSM logs, it's easy to work with them in Apache Drill since they're just tab-separated values (TSV) files by default. The most tedious part is mapping the columns to proper types and hopefully this saves at least one person from typing it\u2026","rel":"","context":"In &quot;Apache Drill&quot;","block_context":{"text":"Apache Drill","link":"https:\/\/rud.is\/b\/category\/apache-drill\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/posts\/49243","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/comments?post=49243"}],"version-history":[{"count":11,"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/posts\/49243\/revisions"}],"predecessor-version":[{"id":49255,"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/posts\/49243\/revisions\/49255"}],"wp:attachment":[{"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/media?parent=49243"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/categories?post=49243"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/tags?post=49243"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}