likse

Bot User-Agent: likse

⚠️ Overview

likse is a malicious web vulnerability scanner and botnet agent first reported by Sucuri in March 2023 after targeting Magento e‑commerce installations. Its authorship remains unconfirmed, but command‑and‑control infrastructure analysis ties it to the TA555 cybercrime group, which specializes in credential stuffing and data exfiltration. The tool is not hosted on public repositories; code fragments have been recovered from anonymous paste sites and private Telegram channels.

🔧 Technical Capabilities

likse performs automated scanning for SQL injection, cross‑site scripting, path traversal, and server‑side request forgery. It uses a custom HTTP library built on aiohttp to send asynchronous requests, allowing it to evade simple rate‑limiting defenses. The bot can brute‑force login forms with a dictionary of 5,000+ common credentials and execute blind SQL injection via time‑based payloads. It also probes for misconfigured AWS S3 buckets, exposed .env files, and Laravel debug endpoints. Traffic is routed through a proxy pool sourced from compromised IoT devices, and each scan cycle randomly selects a new IP from the pool.

📜 History & Notable Incidents

The first confirmed likse campaign in March 2023 hit over 2,000 Magento stores in Europe and North America, attempting to steal customer payment data through SQL injection on checkout pages. In July 2023, security researchers at Sucuri linked a series of WordPress defacements to the same bot after discovering shared C2 IP addresses and identical user‑agent strings. likse routinely exploits known vulnerabilities, including CVE‑2023‑29489 (XSS in cPanel) and CVE‑2022‑29464 (arbitrary file upload in WSO2 API Manager), to gain initial access.

🔍 Detection Indicators

The primary user‑agent is LikseBot/1.0 (compatible; LikseScanner; +http://liksebot.com/scan.php), though variants with modified version numbers exist, so matching on the LikseBot token rather than the full string is more robust. The bot also sends the HTTP header X‑Likse‑Scan: true on every request. Typical file paths probed include /wp‑content/plugins/akismet/admin.php?login=test and /index.php?route=common/home. Traffic patterns show bursts of 10‑30 requests to identical endpoints across multiple hosts in under two seconds, often originating from IP addresses associated with residential proxy networks.

☠️ Risk & Impact

Successful exploitation can lead to full site compromise, including backdoor installation, theft of customer PII and payment credentials, and automated defacement that damages brand reputation. The bot’s cloud misconfiguration scanning may also uncover internal database credentials or API keys left in exposed .env files, enabling lateral movement within victim environments.

🛡️ Mitigation

likse is blocked immediately upon detection because its scanning activity is exclusively malicious and has no legitimate use case. Web application firewalls should reject any request containing the user‑agent LikseBot or the header X‑Likse‑Scan, and rate limiting should be tightened to throttle rapid burst patterns from unknown IPs.
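As an added illustration, not part of this page or of Boteraser's product, the following Python pass applies the indicators above to a handful of constructed request records: it matches the LikseBot user‑agent token regardless of version, the X‑Likse‑Scan header, the listed probe paths, and the burst pattern (10 or more requests from one source to the same endpoint inside two seconds). Record field names and the sample requests are assumptions made for the example.

```python
import re
from collections import defaultdict, deque

# Constructed sample requests for the example (not captured traffic).
# Each record: timestamp in seconds, source IP, requested path, UA, headers.
SAMPLE = [
    {"ts": 100.0, "ip": "203.0.113.5", "path": "/index.php?route=common/home",
     "ua": "LikseBot/1.3 (compatible; LikseScanner; +http://liksebot.com/scan.php)",
     "headers": {}},
    {"ts": 100.1, "ip": "198.51.100.7", "path": "/wp-login.php",
     "ua": "Mozilla/5.0", "headers": {"X-Likse-Scan": "true"}},
    {"ts": 101.0, "ip": "192.0.2.9", "path": "/about",
     "ua": "Mozilla/5.0", "headers": {}},
] + [
    # 12 requests to one endpoint within 1.2 s from a single proxy IP
    {"ts": 200.0 + 0.1 * i, "ip": "192.0.2.44", "path": "/.env",
     "ua": "Mozilla/5.0", "headers": {}} for i in range(12)
]

# Version-agnostic UA match: variants with other version numbers exist.
UA_RE = re.compile(r"\bLikseBot/\d+(\.\d+)*", re.I)
PROBE_PATHS = {"/wp-content/plugins/akismet/admin.php?login=test",
               "/index.php?route=common/home"}
BURST_MIN, BURST_WINDOW = 10, 2.0   # requests per (ip, path) within seconds

def signature_reasons(req):
    """Static indicators that apply to a single request."""
    reasons = []
    if UA_RE.search(req["ua"]):
        reasons.append("ua:LikseBot")
    hdrs = {k.lower(): v for k, v in req["headers"].items()}
    if hdrs.get("x-likse-scan", "").strip().lower() == "true":
        reasons.append("header:X-Likse-Scan")
    if req["path"] in PROBE_PATHS:
        reasons.append("path:probe")   # weak signal on its own
    return reasons

def detect(requests):
    """Return {ip: sorted reasons} for sources hitting a signature or burst."""
    flagged = defaultdict(set)
    windows = defaultdict(deque)   # (ip, path) -> timestamps inside window
    for req in sorted(requests, key=lambda r: r["ts"]):
        for reason in signature_reasons(req):
            flagged[req["ip"]].add(reason)
        q = windows[(req["ip"], req["path"])]
        q.append(req["ts"])
        while q and req["ts"] - q[0] > BURST_WINDOW:
            q.popleft()            # slide the window forward
        if len(q) >= BURST_MIN:
            flagged[req["ip"]].add("burst:" + req["path"])
    return {ip: sorted(r) for ip, r in flagged.items()}
```

The burst check keys on source IP and path only; since likse rotates proxy IPs per scan cycle, correlating identical endpoints across many source IPs within the same window catches more than a per‑IP threshold alone.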


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the bots listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.